Utah Consumer Privacy Act

Understanding the Utah Consumer Privacy Act (UCPA), effective December 2023.

Apidly Team, February 19, 2026
utah, ucpa, privacy

Overview

The Utah Consumer Privacy Act (UCPA), signed into law in March 2022 and effective December 31, 2023, is Utah's comprehensive data privacy law. The UCPA is widely considered the most business-friendly of the US state privacy laws enacted to date, reflecting Utah's pro-business regulatory philosophy. It establishes consumer rights and business obligations while keeping compliance costs manageable for organizations.

The UCPA was the fourth comprehensive state privacy law in the United States, following California, Virginia, and Colorado. Its streamlined approach has made it a reference point for states seeking to balance consumer protection with economic growth.

Who Does It Apply To?

The UCPA applies to a controller or processor that:

  • Conducts business in Utah or produces a product or service targeted to Utah consumers
  • Has annual revenue of $25 million or more
  • Meets one of the following thresholds:
    • Controls or processes the personal data of 100,000 or more Utah consumers during a calendar year, or
    • Derives over 50% of gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers

The UCPA does not apply to:

  • State and local government entities
  • Tribes
  • Institutions of higher education
  • Nonprofit corporations
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act
  • Covered entities and business associates under HIPAA
  • Data processed in an employment or business-to-business context

The $25 million revenue threshold excludes many small businesses from the UCPA's requirements, making it less burdensome than laws without revenue floors.

Key Requirements

Privacy Notice

Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data the controller processes
  • The purposes for processing personal data
  • How consumers can exercise their rights under the UCPA
  • The categories of personal data the controller shares with third parties
  • The categories of third parties with whom data is shared

Processing sensitive data requires the consumer's opt-in consent. Sensitive data under the UCPA includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status
  • Medical history, mental or physical health condition, or medical treatment
  • Genetic or biometric data processed to identify a specific individual
  • Personal data of a known child under 13

Data Security

Controllers and processors must implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality and integrity of personal data. These practices must be appropriate to the volume and nature of the data at issue.

Processor Contracts

Controllers must enter into contracts with processors that specify the processing instructions, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

Individual Rights

Utah consumers have the following rights under the UCPA:

  • Right to know: Confirm whether a controller is processing their personal data and access that data
  • Right to delete: Request deletion of personal data the consumer has provided to the controller
  • Right to data portability: Obtain a copy of personal data previously provided to the controller in a portable and readily usable format
  • Right to opt out: Opt out of the processing of personal data for targeted advertising or the sale of personal data

Notable Differences from Other State Laws

The UCPA has several notable differences from other state privacy laws:

  • No right to correct: Unlike Virginia, Colorado, and Connecticut, the UCPA does not include a right for consumers to correct inaccurate personal data
  • Narrower deletion right: The right to delete only applies to data the consumer has provided to the controller, not all data the controller holds about the consumer
  • No data protection assessments: The UCPA does not require controllers to conduct data protection impact assessments
  • No opt-out for profiling: The right to opt out does not extend to profiling, only targeted advertising and data sales

Response Timelines

Controllers must respond to consumer requests within 45 days, with one 45-day extension available when reasonably necessary. The response must be provided free of charge, once per consumer per year.

Enforcement and Penalties

The Utah Attorney General has exclusive enforcement authority:

  • Cure period: Before taking enforcement action, the Attorney General must give the controller or processor a 30-day notice and opportunity to cure the alleged violation. Unlike some other state laws, this cure period does not have an expiration date.
  • Civil penalties: Violations are enforced under the Utah Consumer Sales Practices Act, with penalties of up to $7,500 per violation
  • Investigative powers: The Attorney General's Division of Consumer Protection investigates complaints and potential violations
  • No private right of action: Individual consumers cannot sue businesses directly under the UCPA

The permanent cure period is one of the most business-friendly aspects of the UCPA, as it gives organizations an ongoing opportunity to remedy compliance issues before facing penalties.

How Apidly Helps

Apidly simplifies UCPA compliance with focused tools:

  • Consumer rights management automates the handling of access, deletion, portability, and opt-out requests within the 45-day response timeline, accounting for the UCPA's narrower scope of rights compared to other state laws
  • Sensitive data consent tracking identifies where sensitive data categories are processed and ensures opt-in consent is obtained and recorded before processing begins
  • Privacy notice generation creates compliant privacy notices that include all UCPA-required disclosures and are tailored to your specific data processing activities
  • Opt-out mechanism integration provides tools for consumers to opt out of targeted advertising and data sales, including integration with universal opt-out signals
  • Multi-state compliance mapping shows how your UCPA compliance measures overlap with obligations under other state privacy laws, helping you identify where a single control satisfies multiple requirements