As the page turns to a new year, a new U.S. state data protection law will take effect in Utah. The last two years have seen sustained growth of U.S. state data protection laws with five taking effect this year, five coming into effect over the course of 2024, two coming into effect 2025, and one coming into effect in 2026. In all, there are now 13 U.S. state data protection laws—growing from one in 2018.
Currently, California, Colorado, Connecticut and Virginia have data protection laws on the books, requiring in-scope businesses to post comprehensive and transparent privacy notices, adhere to consumer data privacy rights, conduct audits and cybersecurity reviews, flow through contractual provisions on vendors, and more.
Utah now joins that list.
Utah’s data protection law is more “business-friendly” than others in some respects. Mainly in requiring businesses to only provide consumers opt-out options with regard to the collection and use of sensitive personal information (e.g., race, religion, sexual orientation, financial account logins, social security numbers, etc.). Many states now require prior, opt-in consent for the collection and use of sensitive personal information.
However, even if more “business-friendly” in some respects, the same principles of data protection hold true in Utah’s law as they do in all U.S. state data protection laws thus far.
Under the Utah data protection law, Utah consumers will have data privacy rights such as access, deletion, and correction, on top of opt-out rights to stop businesses from selling information, using personal information for targeted advertising, and using or collecting sensitive personal information. These have become common across all U.S. state data protection laws.
In-scope businesses will need to make comprehensive privacy notices available at or before the time of data collection, so consumers are educated on the business’s data collection and use practices as well as the consumer rights they have over their personal information. Further, in-scope businesses will be bound by a principle of data minimization, which requires businesses to collect the least amount of personal information, for specific purposes (e.g., those identified in the applicable privacy notice), and to only retain such personal information for the minimum period of time necessary.
Utah—as with all other states with data protection laws in place—will require much more from in-scope businesses. See Benesch’s and Data Meets World’s new, interactive U.S. State Privacy Laws website page for a high level overview of (1) what U.S. states have data protection laws on the books; and (2) of what such data protection laws cover and will require.
Check out the below information for more information on states with data protection laws on the books and when they took effect or will take effect.
U.S. States with Data Protection Laws; Effective Dates
2023:
- California: January 1, 2023
- Colorado: July 1, 2023
- Connecticut: July 1, 2023
- Utah: December 31, 2023
- Virginia: January 1, 2023
2024:
- Florida: July 1, 2024
- Montana: October 1, 2024
- Oregon: July 1, 2024
- Tennessee: July 1, 2024
- Texas: July 1, 2024
2025:
- Delaware: January 1, 2025
- Iowa: January 1, 2025
2026:
Conclusion
This year saw U.S. states continue in a trend of expanding data protection laws across the board. More and more frequently, businesses will find themselves facing a patch work of laws—overlapping and contradictory at times. Businesses, no matter the jurisdiction, will need to build out robust data protection compliance programs in order to do business in the U.S.
The privacy policy and notice requirements are often what businesses first think of, and first build out compliance for, with regard to U.S. state data protection laws. However, the privacy policies and notices are but the first step towards compliance.
In order to be fully compliant with U.S. state data protection laws, businesses will need to dive deeper into the layered, complicated, and sometimes contradictory depths of this burgeoning body of law. Compliance programs will need to span, yes, those privacy policies and notices, but also to procurement and sales teams to handle vendor management, internal customer relation teams to handle data privacy right requests, web developer teams in order to build out Global Privacy Control compliance, and all departments and teams of a business to understand how data is being collected and used.
Check out the Benesch Data Protection team’s two recent alert diving into both the commonly thought of data protection law compliance topics, and those topics that are too often afterthoughts in compliance programs.
As the page turns to 2024, expect even more states to push for new state data protection laws.
