Utah Consumer Privacy Act: What Businesses Should Know

Utah's UCPA explained for small businesses: the most business-friendly state privacy law with thresholds, rights, enforcement, and compliance steps.

Last updated: 2026-02-08

Utah's Consumer Privacy Act (UCPA) holds a distinctive position in the state privacy law landscape: it is widely considered the most business-friendly comprehensive privacy law in the United States. Signed into law on March 24, 2022, and effective since December 31, 2023, the UCPA provides consumer privacy protections while deliberately minimizing the compliance burden on businesses. If you are a business owner trying to navigate the expanding web of state privacy laws, Utah's approach is worth understanding -- both for what it requires and for what it does not.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Utah Consumer Privacy Act (SB 227, 2022), codified at Utah Code §§ 13-61-101 et seq., as of the date of publication.

The UCPA was the fourth state privacy law enacted in the country, following California, Virginia, and Colorado. But unlike those predecessors, Utah took a decidedly lighter-touch approach. This guide walks through the law in plain language: who it covers, what it requires, and why it is different from the laws you may be hearing about from other states.

Does This Law Apply to Your Business?

Like Tennessee's TIPA, the UCPA uses a dual threshold requiring both a revenue minimum and a consumer data minimum. A business must meet all of the following to be covered:

  • Revenue requirement: annual revenue of $25 million or more.
  • Utah nexus: conduct business in Utah or target products/services to Utah consumers.
  • Consumer data threshold: at least one of the following:
    1. Control or process the personal data of 100,000 or more Utah consumers during a calendar year.
    2. Control or process the personal data of at least 25,000 Utah consumers and derive more than 50% of gross revenue from the sale of personal data.

This dual threshold significantly narrows the UCPA's reach. Most small businesses will not meet both the $25 million revenue requirement and the consumer data threshold simultaneously. The law was intentionally designed to target larger businesses and data-intensive operations while leaving smaller operations unaffected.

Example: A regional tech company based in Salt Lake City generates $40 million in annual revenue and has 120,000 Utah residents in its customer database. This company meets both thresholds and must comply with the UCPA.

Example: A growing e-commerce startup generates $8 million in revenue and processes data on 200,000 Utah consumers. Despite exceeding the consumer threshold, it does not meet the $25 million revenue requirement. The UCPA does not apply.

Example: A national retailer with $100 million in revenue has only 50,000 Utah consumer records and does not earn 50%+ from data sales. It does not meet either consumer data threshold. The UCPA does not apply.

Exemptions. The UCPA exempts government entities, tribes, higher education institutions, nonprofits, entities subject to HIPAA and GLBA (at the entity level, not just data level), and data governed by FCRA, FERPA, the Driver's Privacy Protection Act, and several other federal statutes. Employee data and B2B contact data are excluded from the definition of "consumer."

What Rights Do Consumers Have?

The UCPA grants a narrower set of consumer rights than most other state privacy laws. Notably, it does not include a right to correction, does not include an opt-out of profiling, and does not require businesses to provide a consumer appeal process.

Right to Access. Consumers can confirm whether a business is processing their personal data and access that data.

Right to Deletion. Consumers can request deletion of personal data they have provided to the business. Note the narrower scope here: the right covers data "provided by" the consumer, not all data "about" the consumer that the business may have collected from other sources.

Right to Data Portability. Consumers can obtain a copy of their personal data in a portable, readily usable format.

Right to Opt Out of Sale. Consumers can direct a business to stop selling their personal data.

Right to Opt Out of Targeted Advertising. Consumers can opt out of processing for targeted advertising purposes.

| Right | Granted? | Notes |
|---|---|---|
| Access | Yes | Confirm processing and access personal data |
| Correction | No | Not included in the UCPA |
| Deletion | Yes | Limited to data provided by the consumer |
| Data Portability | Yes | Obtain data in a portable format |
| Opt-Out of Targeted Ads | Yes | Consumer can opt out of targeted advertising |
| Opt-Out of Data Sales | Yes | Consumer can opt out of sale of personal data |
| Opt-Out of Profiling | No | Not included in the UCPA |
| Appeal Process | No | Not required under the UCPA |
| Right to Non-Discrimination | Yes | Cannot discriminate against consumers exercising rights |

Businesses must respond to consumer requests within 45 days, with the option to extend by an additional 45 days when reasonably necessary, provided the consumer is notified of the extension.

The absence of a correction right, profiling opt-out, and required appeal process makes the UCPA meaningfully less burdensome for businesses than laws like Virginia's VCDPA or Colorado's CPA.

What Your Business Must Do

Compliance with the UCPA, while lighter than most state privacy laws, still requires several concrete steps.

Provide a privacy notice. Your privacy notice must include the categories of personal data you process, the purposes of processing, how consumers can exercise their rights, the categories of third parties with whom you share data, and whether you sell personal data or use it for targeted advertising. This is standard across state privacy laws.

Build consumer request processes. You need workflows for access, deletion, portability, and opt-out requests. The UCPA does not require a correction workflow or an appeal mechanism, which reduces the operational scope compared to other states. However, if you operate in multiple states, you will likely need those processes anyway. For guidance, see our DSAR workflow guide.

Obtain consent for sensitive data. The UCPA uses an opt-in consent model for sensitive data, which includes racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health or mental health data, genetic or biometric data, personal data of known children, and precise geolocation data. Before processing any of these categories, you must obtain the consumer's clear, affirmative consent.

Implement data processing agreements. Contracts with processors must define processing instructions, data types, duration, confidentiality obligations, and security requirements. This is consistent with other state laws.

Practice data minimization. The UCPA requires that data collection be limited to what is adequate, relevant, and reasonably necessary. This is a principle most businesses should be following regardless of legal requirements.

Provide clear opt-out mechanisms. If you sell personal data or process it for targeted advertising, you must provide a clear and conspicuous way for consumers to opt out. Utah does not require universal opt-out mechanism recognition (such as Global Privacy Control), which simplifies implementation compared to states like California or Colorado.

Security measures. The UCPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume, scope, and nature of the personal data processed.

One notable omission: the UCPA does not require businesses to conduct data protection assessments. This is a significant departure from Virginia, Colorado, Connecticut, and most other state privacy laws, and it further reduces the compliance burden.

How Is It Enforced?

The UCPA is enforced by the Utah Attorney General and the Utah Division of Consumer Protection. This dual-enforcement structure is unusual among state privacy laws: the Attorney General handles formal enforcement actions, while the Division of Consumer Protection serves as the initial point of contact for complaints and investigations.

There is no private right of action. Consumers cannot sue businesses directly for UCPA violations.

The enforcement process works in two stages. First, the Division of Consumer Protection may investigate complaints and refer matters to the Attorney General. The Attorney General must then provide a 30-day cure period before bringing any enforcement action. If the business cures the violation within 30 days, no further action is taken.

Critically, the UCPA's 30-day cure period has no sunset date. It remains in place permanently. This is the most forgiving enforcement structure of any state privacy law. In contrast, Virginia's cure period sunset in 2025, Colorado's sunset in 2025, and most newer state laws include sunset provisions.

Penalties can reach up to $7,500 per violation under Utah's consumer protection enforcement authority. The Attorney General can also seek injunctive relief and recover investigation costs.

The combination of a permanent cure period, dual-agency enforcement, no data protection assessment requirement, and narrower consumer rights makes the UCPA the most business-friendly comprehensive state privacy law currently in effect.

How This Compares to Other State Laws

Utah's business-friendly approach is clear when compared to other states:

| Feature | Utah (UCPA) | California (CCPA/CPRA) | Colorado (CPA) |
|---|---|---|---|
| Effective Date | Dec 31, 2023 | Jan 1, 2020 (CPRA: Jan 2023) | Jul 1, 2023 |
| Revenue Threshold | $25M+ | $25M+ (or alt. thresholds) | None |
| Consumer Threshold | 100K or 25K + 50% data sales | 100K consumers (or alt.) | 100K or 25K + data sales revenue |
| Right to Correction | No | Yes | Yes |
| Opt-Out of Profiling | No | Yes (limit use of sensitive data) | Yes |
| Data Protection Assessments | Not required | Required (risk assessments) | Required |
| Universal Opt-Out (GPC) | Not required | Required | Required |
| Cure Period | 30 days (permanent) | None (CPPA discretion) | 60 days (sunset 2025) |
| Private Right of Action | No | Yes (data breaches only) | No |
| Appeal Process | Not required | Not required (but CPPA complaint option) | Required |
| Max Penalty | $7,500/violation | $2,500-$7,500/violation | $20,000/violation |

The contrast with California is stark. California's CCPA/CPRA has no cure period (the CPPA has discretion), requires data protection assessments, mandates universal opt-out recognition, and provides a private right of action for data breaches. Colorado similarly requires assessments and has a higher per-violation penalty ceiling. Utah's approach offers businesses significantly more flexibility and fewer proactive obligations. However, businesses operating in multiple states should build compliance programs around the strictest applicable law -- which typically means California's requirements -- and will satisfy Utah by default.

Action Checklist for Small Businesses

  1. Check both thresholds. Confirm whether your business exceeds $25 million in annual revenue AND meets a consumer data threshold (100K consumers or 25K + 50% data sale revenue). If you do not meet both, the UCPA does not apply.

  2. Map your data practices. Identify what personal data you collect from Utah consumers, where it comes from, how it is stored, and who receives it.

  3. Update your privacy notice. Ensure it includes all UCPA-required disclosures: data categories, processing purposes, third-party sharing, consumer rights, and opt-out information.

  4. Build request workflows. Implement processes for access, deletion, portability, and opt-out requests. No correction or appeal process is required under the UCPA specifically. See our how to respond to a DSAR guide.

  5. Set up opt-out mechanisms. Provide clear, accessible methods for consumers to opt out of data sales and targeted advertising.

  6. Implement sensitive data consent. Ensure you have opt-in consent workflows for all sensitive data categories before processing.

  7. Review vendor contracts. Ensure data processing agreements meet UCPA requirements.

  8. Maintain reasonable security. Implement and maintain security practices proportionate to the data you handle. Document your security measures.

Key Dates

  • March 24, 2022: UCPA signed into law (SB 227).
  • December 31, 2023: UCPA takes effect. Full compliance required.
  • No sunset on cure period: The 30-day cure period is permanent.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.