Utah Consumer Privacy Act takes effect
January 8, 2024
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
Utah Consumer Privacy Act Takes Effect
Utah’s comprehensive privacy law, the Utah Consumer Privacy Act (UCPA), which was enacted in March 2022, went into effect December 31, 2023, making Utah the fifth state (after California, Virginia, Colorado and Connecticut) with an active comprehensive privacy law.
The UCPA is the least restrictive of the five active state laws, most closely resembling Virginia’s VCDPA.
Notably, enforcement under the Utah law requires overcoming a number of procedural hurdles not present in the other laws.
The Utah law also expressly allows businesses to apply different prices, rates, levels, quality or selection of goods or services if a consumer opts out of targeted advertising and does not require completion of data protection assessments.
Consumer rights are also more limited, with no right to correct inaccuracies or to opt out of profiling.
New Hampshire SB 255 On Deck for Passage
The New Hampshire House passed an amended version of SB 255, a comprehensive privacy bill that has already passed through the state’s Senate.
The Senate is expected to approve the amended version in mid January. If passed, the law will take effect January 1, 2025 and New Hampshire will become the thirteenth state to pass a comprehensive privacy law.
SB 255 is largely identical to Connecticut’s privacy law, with some differences, including lower consumer data processing thresholds for application of the law to businesses.
Like Connecticut and over half of the comprehensive privacy laws enacted so far, the New Hampshire law would require recognition of universal opt-out preference signals.
Colorado AG Officially Approves GPC as a universal Opt-out mechanism
After announcing a shortlist of three universal opt-out mechanisms (UOOMs) in December 2023, the Colorado Attorney General’s Office officially selected only one approved UOOM: Global Privacy Control (GPC).
Companies subject to the Colorado Privacy Act will therefore be required, beginning July 1, 2024, to recognize GPC signals as a valid opt out of the Sale of Personal Data or use for Targeted Advertising.
Although several states have enacted laws requiring the recognition of UOOMs, or as some states call them, opt-out preference signals (OOPSs), the Colorado requirement will be only the second after California to take effect.
Colorado is also the only state so far to implement an official application and selection process for approved UOOMs.
The two UOOMs that made the shortlist but not the final list were OptOut Code, which would have applied beyond web to IOT and other devices, and OptOut Machine, which was email based.
The AG’s office announcement noted that it will periodically accept new applications and update the list.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
California Attorney General Bonta announced a settlement with Doordash based on...
Explore the intricate landscape of Consent or Pay models...
A blog post from the FTC reminded companies that simply changing...
Latest White Papers
The current state of publisher compliance with CCPA, and...
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.