Utah Consumer Privacy Act takes effect

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Utah Consumer Privacy Act Takes Effect

Utah’s comprehensive privacy law, the Utah Consumer Privacy Act (UCPA), which was enacted in March 2022, went into effect December 31, 2023, making Utah the fifth state (after California, Virginia, Colorado and Connecticut) with an active comprehensive privacy law. 

TAKEAWAY

The UCPA is the least restrictive of the five active state laws, most closely resembling Virginia’s VCDPA.

Notably, enforcement under the Utah law requires overcoming a number of procedural hurdles not present in the other laws.

The Utah law also expressly allows businesses to apply different prices, rates, levels, quality or selection of goods or services if a consumer opts out of targeted advertising and does not require completion of data protection assessments.

Consumer rights are also more limited, with no right to correct inaccuracies or to opt out of profiling. 

Read more:

Utah’s data privacy law: what you need to know

Guide to US State Privacy Laws

New Hampshire SB 255 On Deck for Passage

The New Hampshire House passed an amended version of SB 255, a comprehensive privacy bill that has already passed through the state’s Senate.

The Senate is expected to approve the amended version in mid January. If passed, the law will take effect January 1, 2025 and New Hampshire will become the thirteenth state to pass a comprehensive privacy law.

TAKEAWAY

SB 255 is largely identical to Connecticut’s privacy law, with some differences, including lower consumer data processing thresholds for application of the law to businesses.

Like Connecticut and over half of the comprehensive privacy laws enacted so far, the New Hampshire law would require recognition of universal opt-out preference signals. 

Colorado AG Officially Approves GPC as a universal Opt-out mechanism

After announcing a shortlist of three universal opt-out mechanisms (UOOMs) in December 2023, the Colorado Attorney General’s Office officially selected only one approved UOOM: Global Privacy Control (GPC).

Companies subject to the Colorado Privacy Act will therefore be required, beginning July 1, 2024, to recognize GPC signals as a valid opt out of the Sale of Personal Data or use for Targeted Advertising. 

TAKEAWAY

Although several states have enacted laws requiring the recognition of UOOMs, or as some states call them, opt-out preference signals (OOPSs), the Colorado requirement will be only the second after California to take effect.

Colorado is also the only state so far to implement an official application and selection process for approved UOOMs.

The two UOOMs that made the shortlist but not the final list were OptOut Code, which would have applied beyond web to IOT and other devices, and OptOut Machine, which was email based.

The AG’s office announcement noted that it will periodically accept new applications and update the list. 

Read more:

What is Global Privacy Control? Frequently Asked Questions

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.