Listen to this post

This year has been active on the state “comprehensive” privacy law front. Seven states passed new laws in 2023 (Delaware, Iowa, Indiana, Tennessee, Montana, Florida, and Oregon). These states joined California, Connecticut, Colorado, and Virginia with laws already in effect. Soon, Utah will join the “active” law list when its privacy law comes into effect on December 31.

For companies complying with the laws already in effect, little additional steps need be taken for Utah. That said, with each new law going into effect, companies would be well-served to review key components of the privacy program to help ensure that existing programs and processes are reflective of the then-requirements. This includes:

  • Confirming Applicability. Each time a law goes into effect, companies should re-assess which of the US laws apply (or not) to it. These laws primarily apply based on revenue and/or volume of personal information processed – two factors that may have changed since last evaluated. Our blog post here helps summarize the thresholds and criteria for when a law may apply or not.
  • Review Notice Obligations. Best practice is to review a privacy policy at least annually, or during any new data collection activity. As part of this process, it would also help to double-check that the current privacy policy checks the boxes of the state content requirements (as we summarize here).
  • Choice and Rights. Like a privacy policy, the process for handling individual rights may also require some elements of continual evaluation and improvement. Assessing how current practices are mapping to the statutory requirements may shed light on the need for additional updates or modifications.
  • Vendor Contracts. By now, many are familiar with updating standard privacy and cybersecurity contractual terms due to changing legal requirements. As part of overall house-keeping companies should verify that its templates similarly adhere to state requirements.

Putting it into Practice. Even if your organization is not subject to Utah’s privacy law, now is a good time to access how compliance with state privacy laws is going. And, while Utah’s law was generally viewed as more “business friendly” when passed, Utah is signaling itself to be a state with more interest in matters involving privacy and cyber, which may impact the enforcement level of this law. For example, Utah created a “Cyber Center” and enacted a law aimed and social media and minors.