Overview
The Utah Consumer Privacy Act (UCPA) is considered the most business-friendly comprehensive state privacy law in the United States. It provides consumer rights while maintaining streamlined compliance requirements and focusing on practical business implementation.
Full Name and Description
Utah Consumer Privacy Act (UCPA): Signed into law on March 24, 2022, and effective December 31, 2023, the UCPA establishes consumer data rights for Utah residents while providing clear, predictable compliance obligations for businesses.
Enforcement Date
- Effective Date: December 31, 2023
- Cure Period: 30 days (no sunset provision)
Governing Body
- Utah Attorney General: Exclusive enforcement authority
- Utah Division of Consumer Protection: May investigate and refer violations
- No Private Right of Action: Consumers cannot sue directly
Primary Purpose
The UCPA aims to:
- Provide Utah consumers control over their personal data
- Create a balanced, business-friendly regulatory framework
- Establish clear obligations without excessive regulatory burden
- Maintain a permanent cure period for good-faith compliance efforts
Applicability
Who Needs to Comply?
The UCPA applies to controllers and processors that:
- Conduct business in Utah OR target products/services to Utah consumers, AND
- Have annual revenue of $25,000,000 or more, AND
- Meet one of the following thresholds:
  - Control or process personal data of 100,000+ Utah consumers per year, OR
  - Derive over 50% of gross revenue from the sale of personal data AND control or process data of 25,000+ Utah consumers
Key Differences in Thresholds
Utah is the only comprehensive state privacy law that makes a $25M revenue floor a mandatory condition of applicability (the $25M figure in California's law is one of several alternative thresholds, not a floor). This exempts many small and medium businesses from compliance.
Key Exemptions
Entity-Level Exemptions:
- Government entities
- Third parties under government contract (limited scope)
- Financial institutions subject to GLBA
- HIPAA-covered entities
- Nonprofit organizations
- Higher education institutions
- Tribes
Data-Level Exemptions:
- Employment data
- B2B contact information
- Data subject to HIPAA, GLBA, FCRA, FERPA, COPPA, DPPA
- Publicly available information
- De-identified or aggregated consumer information
What the UCPA Governs
Types of Data Covered
Personal Data - Information that is linked or reasonably linkable to an identified or identifiable individual.
Sensitive Data (requires opt-in consent):
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Citizenship or immigration status
- Medical history, mental health, or physical health condition
- Genetic data
- Biometric data
- Specific geolocation data
Note: Utah does not classify data from known children as a separate sensitive data category (unlike other states).
Consumer Rights Under UCPA
Utah residents have four core rights (notably fewer than other states):
- Right to Access: Confirm whether a controller processes their personal data and access that data
- Right to Delete: Request deletion of personal data they provided to the controller
- Right to Portability: Obtain a copy of data in a portable format
- Right to Opt-Out: Decline:
  - Sale of personal data
  - Targeted advertising
Key Omission: No Right to Correct
Unlike California, Virginia, Colorado, and Connecticut, Utah does not grant consumers a right to correct inaccurate personal data. This reduces compliance burden for businesses.
Compliance Requirements
Key Obligations for Controllers
1. Privacy Notice Requirements
Controllers must provide a privacy notice that includes:
- Categories of personal data processed
- Purposes for processing personal data
- How consumers may exercise rights
- Categories of personal data shared with third parties
- Categories of third parties with whom data is shared
- How to submit a complaint to the AG or Division of Consumer Protection
2. Purpose Limitation
- Process personal data only for purposes reasonably necessary and compatible with disclosed purposes
- Provide consumers with notice before processing data for purposes not initially disclosed
3. Security Requirements
- Establish, implement, and maintain reasonable security practices
- Security should be appropriate to the volume and sensitivity of personal data
4. Consumer Request Handling
| Requirement | Timeframe |
|---|---|
| Initial Response | 45 days |
| Extension (if reasonably necessary) | Additional 45 days |
| Notice of Extension | Required |
5. Opt-In Consent for Sensitive Data
Controllers must obtain consent before processing sensitive data. Consent must be:
- Clear and conspicuous
- A clear affirmative act
- Specific to the sensitive data processing
What Utah Does NOT Require
The UCPA is notable for what it doesn't require:
- No Right to Correct: Unlike other states
- No Data Protection Assessments: Unlike Virginia, Colorado, Connecticut
- No Universal Opt-Out Recognition: Unlike Colorado
- No Appeals Process: Unlike Colorado, Connecticut
- No Cure Period Sunset: The 30-day cure period is permanent, unlike other states where cure periods expire
Consequences of Non-Compliance
Enforcement Process
- Referral: Division of Consumer Protection may investigate and refer to AG
- Notice of Violation: AG provides written notice of alleged violation
- Cure Period: Controller has 30 days to cure (permanent, no sunset)
- Enforcement: Civil action if violation not cured within 30 days
Penalties and Fines
- Up to $7,500 per violation
- Investigative costs may be recovered
- Reasonable attorney fees may be awarded
- Injunctive relief available
The Permanent Cure Period Advantage
Utah's cure period has no expiration date, unlike:
- Virginia: Cure period sunsets January 1, 2025
- Colorado: Cure period sunsets January 1, 2025
- Connecticut: Cure period sunsets December 31, 2024
This provides ongoing protection for businesses making good-faith compliance efforts.
Why the UCPA Exists
Historical Background
- 2022 Legislative Session: Utah legislature drafts business-friendly privacy bill
- March 24, 2022: Governor Cox signs UCPA into law
- December 31, 2023: UCPA takes effect
Design Philosophy
Utah explicitly designed the UCPA to be business-friendly:
- Higher thresholds: $25M revenue floor excludes small businesses
- Fewer consumer rights: No correction right, no appeals process
- No data protection assessments: Reduces compliance burden
- Permanent cure period: Provides ongoing compliance flexibility
Comparison with Other State Laws
| Feature | UCPA | VCDPA | CPA | CTDPA | CCPA/CPRA |
|---|---|---|---|---|---|
| Revenue Threshold | $25M | None | None | None | $25M |
| Right to Correct | No | Yes | Yes | Yes | Yes |
| DPA Required | No | Yes | Yes | Yes | Yes |
| Appeals Process | No | No | Yes | Yes | No |
| Cure Period | Permanent | Until 2025 | Until 2025 | Until 2024 | None |
| Universal Opt-Out | No | No | Yes | No | Yes (CPRA) |
Implementation & Best Practices
How to Become Compliant
Step 1: Threshold Assessment
First, determine if you meet all three requirements:
- Annual revenue ≥ $25 million
- Conduct business in Utah or target Utah consumers
- Process data of 100,000+ Utah consumers OR (25,000+ consumers AND over 50% of gross revenue from data sales)
If you don't meet all three, you're exempt.
Step 2: Data Inventory
- Identify all personal data from Utah consumers
- Classify sensitive data categories
- Document processing purposes
- Map third-party data sharing
Step 3: Privacy Notice
- Create or update privacy notice with required disclosures
- Include clear instructions for exercising rights
- Provide contact information for AG and Division of Consumer Protection
Step 4: Consumer Rights Infrastructure
- Implement request intake mechanism
- Create 45-day response workflow
- Train staff on handling procedures
- Document all requests and responses
Step 5: Opt-Out Mechanisms
- Provide opt-out for sale of personal data
- Provide opt-out for targeted advertising
- Ensure mechanisms are easy to use and accessible
Step 6: Sensitive Data Consent
- Identify all sensitive data processing
- Implement opt-in consent mechanisms
- Maintain consent records
Simplified Compliance Compared to Other States
Because Utah doesn't require:
- Data Protection Assessments
- Right to Correct infrastructure
- Appeals processes
- Universal opt-out recognition
Compliance is generally simpler and less resource-intensive than in other states.
Ongoing Compliance Maintenance
- Annual Privacy Notice Review: Ensure accuracy
- Consumer Request Tracking: Monitor response times
- Vendor Agreements: Verify processor compliance
- Security Practice Updates: Maintain reasonable protections
Additional Resources
Official Documentation
- Utah Consumer Privacy Act (SB 227)
- Utah Attorney General's Office
- Utah Division of Consumer Protection
Comparison Resources
- State Privacy Law Threshold Comparison
- Utah vs. California Privacy Law Analysis
- Business-Friendly Privacy Compliance Frameworks
Related Regulations
- CCPA/CPRA Compliance Guide - California's privacy framework
- Virginia VCDPA Compliance - Virginia's privacy law
- Colorado CPA Compliance - Colorado's privacy law
- Connecticut CTDPA Compliance - Connecticut's privacy law
- GLBA Compliance - Financial services privacy
Conclusion
The Utah Consumer Privacy Act represents the most business-friendly approach to comprehensive state privacy legislation. With its $25 million revenue threshold, permanent cure period, reduced consumer rights scope, and absence of data protection assessment requirements, Utah has created a framework that prioritizes practical compliance over expansive regulation.
Organizations already compliant with other state privacy laws will find Utah requirements to be a subset of their existing obligations. Those subject only to Utah law benefit from streamlined compliance with fewer procedural requirements.