Utah Consumer Privacy Act
The UCPA is Utah's comprehensive privacy law and the most business-friendly of the early US state laws, granting limited consumer rights with an opt-out model and no data protection assessment requirement. It is enforced by the Utah Attorney General.
The Utah Consumer Privacy Act (UCPA) is a comprehensive state consumer privacy law signed in March 2022 and effective December 31, 2023. It is the fourth comprehensive privacy law in the United States and is generally considered the most business-friendly of the early state laws. It uses the controller and processor framework but grants narrower consumer rights and imposes fewer obligations than the California, Virginia, Colorado, and Connecticut laws.
The UCPA is enforced by the Utah Attorney General and the Utah Division of Consumer Protection. There is no private right of action.
Who It Applies To
The UCPA applies to controllers and processors that conduct business in Utah or target Utah residents, have annual revenue of at least USD 25 million, and meet one of two data thresholds: controlling or processing the personal data of 100,000 or more consumers in a year, or controlling or processing the personal data of 25,000 or more consumers while deriving over 50 percent of gross revenue from the sale of personal data. Both the revenue and a data threshold must be met. It protects consumers acting in an individual or household context.
Key Requirements
Consumers have the rights to access, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising and the sale of personal data. Notably, the UCPA does not grant a right to correct data and does not grant a right to opt out of profiling. For sensitive data, the UCPA requires that controllers provide notice and an opportunity to opt out, rather than requiring opt-in consent as other states do. Controllers must publish a privacy notice, maintain reasonable data security, and enter into contracts with processors. The UCPA does not require data protection assessments.
Penalties for Non-Compliance
The Utah Attorney General can seek actual damages to consumers and civil penalties of up to USD 7,500 per violation. There is a 30-day cure period before enforcement. Complaints are first handled by the Division of Consumer Protection.
How to Comply
Determine whether you meet the revenue and data thresholds. Publish a clear privacy notice covering data categories, purposes, sharing, and rights. Build channels for access, deletion, and portability requests, and for opt-out of targeted advertising and sale of data. Provide notice and an opt-out before processing sensitive data. Maintain reasonable data security and sign contracts with processors. Although assessments are not required, documenting your processing remains good practice.