UCPA Fines: What We Know So Far

Scott Dooley
Jan 24, 2026 · Last updated: January 1, 2026

The Utah Consumer Privacy Act took effect on December 31, 2023, making it one of the earlier US state privacy laws to become operative. The law’s high applicability thresholds and business-friendly provisions have resulted in a relatively quiet enforcement environment.

How UCPA Enforcement Works

The Utah Attorney General has exclusive enforcement authority under the UCPA. Consumers cannot bring private lawsuits for violations.

The law includes a 30-day cure period for alleged violations. When the Attorney General identifies a potential violation, businesses receive notice and have 30 days to address the issue before enforcement proceeds.

Penalties include:

  • Actual damages to affected consumers
  • Up to $7,500 per violation in civil penalties

Enforcement Status

As of January 2026, the Utah Attorney General has not publicly announced enforcement actions or fines under the UCPA. The law has been in effect for over two years.

Several factors contribute to the limited enforcement activity:

High thresholds. Utah’s dual requirement for both $25 million in revenue and meeting data volume thresholds means fewer businesses are covered compared to other states. Fewer covered entities means fewer potential violations.

Business-friendly provisions. The UCPA’s opt-out approach to sensitive data (rather than requiring consent) and the absence of correction and profiling opt-out rights create fewer compliance obligations that could be violated.

30-day cure period. The cure period allows many potential violations to be resolved before formal enforcement, reducing the number of public enforcement actions.

Enforcement Expectations

Despite limited activity to date, businesses should not assume enforcement will remain minimal. Potential focus areas include:

Privacy notice requirements. Privacy notices must clearly describe data categories, processing purposes, consumer rights, and third-party sharing. Incomplete or inaccurate notices are relatively easy to identify.

Opt-out mechanisms. Consumers have the right to opt out of data sales and targeted advertising. Non-functional opt-out mechanisms or failure to honor requests could trigger enforcement.

Sensitive data notice. Before processing sensitive data, businesses must provide clear notice and an opt-out opportunity. Processing sensitive data without this notice is a potential violation.

Data security. The UCPA requires reasonable administrative, technical, and physical security measures. A data breach could expose security deficiencies that constitute UCPA violations.

Comparison to Other States

Utah’s enforcement environment differs from more active states:

California has issued multimillion-dollar fines through the CPPA, with hundreds of active investigations.

Texas filed its first lawsuit within six months of the TDPSA taking effect, targeting a major corporation.

Colorado ended its cure period in January 2025, enabling more aggressive enforcement.

Utah’s higher thresholds and more limited consumer rights mean there is simply less to enforce. Businesses that meet Utah’s requirements are typically larger organizations that also face obligations under California, Virginia, Colorado, and other state laws.

What This Means for Your Organization

If your business meets Utah’s dual threshold requirements, you are likely already subject to multiple state privacy laws with more stringent requirements. Compliance with California’s CCPA or Colorado’s CPA will generally satisfy Utah’s requirements.

Focus areas for Utah-specific compliance:

  • Ensure privacy notices meet Utah’s disclosure requirements
  • Implement working opt-out mechanisms for data sales and targeted advertising
  • Provide notice and opt-out opportunities before processing sensitive data
  • Maintain documentation of consumer request responses

The 30-day cure period provides a buffer for addressing any identified issues, but proactive compliance remains the best approach.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
