Utah Consumer Privacy Act: 101 – What You Need to Know

Scott Dooley
Jan 7, 2026 · Last updated: January 1, 2026

Utah became the fourth US state to enact consumer privacy legislation when Governor Spencer Cox signed the Utah Consumer Privacy Act in March 2022. The law took effect on December 31, 2023, and takes a notably business-friendly approach compared to other state privacy laws.

What Is the UCPA?

The Utah Consumer Privacy Act (UCPA) grants Utah residents certain rights over their personal data and establishes obligations for covered businesses. The law is often described as the most business-friendly of the state privacy laws, with higher applicability thresholds and fewer requirements than laws like California’s CCPA.

Enforcement is handled by the Utah Attorney General. There is no private right of action.

Does It Apply to Your Business?

The UCPA has the most restrictive applicability thresholds of any state privacy law. A business must meet ALL of the following criteria:

Requirement 1: Conduct business in Utah or produce products or services targeted to Utah residents.

Requirement 2: Have annual revenue of $25,000,000 or more.

Requirement 3: Meet at least one of these data thresholds:

  • Control or process the personal data of 100,000 or more Utah consumers annually, OR
  • Control or process the personal data of 25,000 or more Utah consumers AND derive over 50% of gross revenue from selling personal data.

This dual requirement for both a revenue threshold and a data volume threshold is unique among state privacy laws. Many smaller businesses that would be covered under other state laws are exempt in Utah.

Exemptions

Several categories are exempt from the UCPA:

  • Government entities
  • Nonprofit organizations
  • HIPAA-covered entities and business associates
  • Higher education institutions
  • Data protected by FERPA
  • GLBA-regulated entities and data
  • Consumer reporting agencies
  • Employment-related information

Key Consumer Rights

Utah residents have the following rights:

  • Right to confirm whether a business is processing their personal data
  • Right to access their personal data
  • Right to delete their personal data
  • Right to obtain a portable copy of their data
  • Right to opt out of the sale of personal data
  • Right to opt out of targeted advertising

Notable absences: Unlike most other state privacy laws, Utah does not provide consumers with a right to correct inaccurate information or a right to opt out of profiling.

Business Obligations

Covered businesses must:

  • Provide clear and reasonably accessible privacy notices
  • Implement reasonable data security practices
  • Respond to consumer requests within 45 days
  • Provide clear notice and an opportunity to opt out before processing sensitive data

Sensitive data approach: Unlike most state laws that require consent before processing sensitive data, Utah only requires notice and an opt-out opportunity. This is a less restrictive standard.

Sensitive data under the UCPA includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic data
  • Biometric data
  • Health conditions
  • Precise geolocation

Enforcement and Penalties

The Utah Attorney General has exclusive enforcement authority. The law includes a 30-day cure period for alleged violations.

Penalties include:

  • Actual damages to consumers
  • Up to $7,500 per violation in civil penalties

Each affected consumer can count as a separate violation.

Key Dates

  • March 24, 2022: UCPA signed into law
  • December 31, 2023: UCPA took effect

Getting Started

Utah’s UCPA has the highest bar for applicability among state privacy laws. The requirement to meet both a $25 million revenue threshold and a data volume threshold means many businesses covered by other state laws are exempt in Utah.

If your business does meet all the requirements, compliance is relatively straightforward compared to other states. The lack of a correction right, the opt-out rather than consent approach to sensitive data, and the absence of profiling opt-out rights all reduce the compliance burden.

Review your privacy notices to ensure they meet Utah’s disclosure requirements, implement opt-out mechanisms for data sales and targeted advertising, and ensure you provide notice and opt-out opportunities before processing sensitive data.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
