Utah Consumer Privacy Act Explained: Rights, Rules, and Fines

The Utah Consumer Privacy Act (UCPA) explained: who must comply, consumer rights, sensitive data rules, penalties, and why it is the most business-friendly US state privacy law.


by Riad Us Salehin • 4 July 2026


The Utah Consumer Privacy Act (UCPA) is Utah's comprehensive data-privacy law, in effect since December 31, 2023. It gives Utah residents rights over their personal data and sets duties for large businesses. It is widely seen as the most business-friendly of the early US state privacy laws, with the narrowest scope of any of them.

This page covers who the UCPA applies to and the five consumer rights it grants. It also explains how Utah treats sensitive data, its penalties, and how it compares to the CCPA and GDPR for your site's cookies.

What Is the Utah Consumer Privacy Act (UCPA)?

The Utah Consumer Privacy Act (UCPA), codified as S.B. 227 at Utah Code section 13-61-101 et seq., creates personal-data rights for Utah consumers and compliance duties for the businesses that process their data. Utah was the fourth US state to pass a comprehensive privacy law, following California, Virginia, and Colorado.

Utah residents sometimes call it "Utah's version of GDPR and CCPA." That shorthand captures the basic shape. It is a state law that gives consumers data rights and makes larger businesses disclose how they use that data. The UCPA governs private businesses only. It is one entry in a broader wave of US state privacy laws now covering most of the country. Utah's entry is one of the narrowest in scope.

When Did the Utah Consumer Privacy Act Take Effect?

The UCPA took effect December 31, 2023. Governor Spencer Cox signed the bill into law on March 24, 2022, giving businesses roughly 21 months to prepare.

  • March 24, 2022: Governor Spencer Cox signs S.B. 227 into law.
  • December 31, 2023: The UCPA becomes effective and enforceable.
  • 2025: The Utah Legislature enacts HB 418, adding a consumer right to correct inaccurate personal data and new social-media data-sharing requirements.
  • July 1, 2026: The HB 418 right-to-correct provision takes effect.

As of this writing, the right to correct is in effect. Businesses that were tracking the UCPA only against its original 2023 rights list now need to account for correction requests too.

Who Has to Comply with the Utah Consumer Privacy Act?

A business must clear a hard $25 million revenue gate and a data-volume test before the UCPA applies to it. Both layers are required, which makes the UCPA's applicability the narrowest among the early comprehensive state privacy laws.

A controller or processor is covered if it:

  • Conducts business in Utah or produces a product or service targeted to Utah residents
  • Has annual revenue of $25,000,000 or more
  • AND either controls or processes the personal data of 100,000 or more Utah consumers during a calendar year, or derives more than 50% of its gross revenue from selling personal data while controlling or processing the data of 25,000 or more consumers

All three conditions must apply together. The California Consumer Privacy Act uses the same $25 million revenue figure, but a business meets the CCPA simply by clearing that one threshold. The UCPA requires the revenue threshold and a second, separate data-volume test. So a company with $30 million in revenue but a small, low-volume customer base can sit outside the UCPA entirely. That answers the real question most small and midsize businesses have. Most fall outside the law because they never clear the second gate, even after clearing the first.

Who Is Exempt from the UCPA?

Beyond the revenue and data thresholds, the UCPA carves out several categories of businesses, data, and entities.

  • Businesses below both thresholds: any controller or processor that does not clear the $25 million revenue gate and one of the two data-volume tests
  • Government entities: state and local government bodies are exempt from the UCPA; their data-handling obligations instead fall under the separate Utah Government Data Privacy Act (GDPA), signed into law in 2024, and the Government Records Access and Management Act (GRAMA)
  • Federally regulated data: information already governed by HIPAA, the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Driver's Privacy Protection Act (DPPA), along with patient-identifying information and human clinical research subject data
  • Employment and B2B data: personal data collected in an employment context or in a business-to-business relationship

The government exemption trips people up most often. A Utah resident asking a state agency to delete their data is not invoking the UCPA. The state itself is not a business, so state and local agencies answer to the GDPA and GRAMA instead.

What Rights Does the UCPA Give Utah Consumers?

Utah residents have five core rights under the UCPA, and a covered business must act on a verified request within 45 days.

  • Confirm and access: confirm whether a controller is processing the consumer's personal data, and access that data
  • Delete: request deletion of personal data the consumer provided to the controller (this right does not reach data the business generated or inferred, unlike some peer laws)
  • Data portability: obtain a copy of the consumer's provided personal data in a portable, readily usable format
  • Correct: request correction of inaccurate personal data a controller holds, effective July 1, 2026 under the HB 418 amendment
  • Opt out: opt out of the sale of personal data and of its use for targeted advertising

One right is notably missing. Unlike Colorado and California, the UCPA gives consumers no right to opt out of profiling. Profiling is the automated processing used to evaluate or predict someone's behavior, preferences, or characteristics. A business can profile a Utah consumer for marketing or risk-scoring without offering an opt-out for that use. It must still honor the sale and targeted-advertising opt-outs above.

How Does the UCPA Handle Sensitive Data?

The UCPA requires a business to give consumers clear notice and an opportunity to opt out before processing sensitive data. It does not require opt-in consent, which sets Utah apart from Virginia, Colorado, and the GDPR.

That single design choice is the clearest signal of the UCPA's business-friendly posture. Virginia's and Colorado's laws require affirmative consent before a business can process sensitive data at all. Utah instead lets the business proceed by default, as long as it discloses the practice and gives consumers a working way to say no.

Sensitive data under the UCPA includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status
  • Medical or health information
  • Genetic or biometric data used to identify a specific individual
  • Precise geolocation data
  • A known child's personal data, which is handled through the federal Children's Online Privacy Protection Act (COPPA) rather than a UCPA-specific consent rule

What Does the UCPA Require Businesses to Do?

Covered controllers carry a focused set of compliance duties centered on disclosure, security, and opt-out mechanics.

  • Publish a privacy notice: a reasonably accessible, clear notice describing what personal data the business collects, how it uses that data, and with which third parties it shares the data, much like the notice obligations covered in the GDPR's cookie consent rules
  • Honor consumer requests within 45 days: respond to confirm, access, delete, portability, and correction requests inside the statutory window
  • Offer opt-outs for sale and targeted advertising: provide a working mechanism for consumers to stop both practices
  • Give notice and an opt-out before processing sensitive data: disclose the practice and let consumers decline
  • Maintain reasonable data security: implement administrative, technical, and physical safeguards appropriate to the data being processed
  • Avoid discrimination: a business cannot deny goods or services, or charge a different price, because a consumer exercised a UCPA right

The UCPA notably does not require what several peer laws do. There is no mandatory data protection assessment before high-risk processing, and there is no requirement to recognize universal opt-out signals such as Global Privacy Control. Both are standard obligations under Colorado's and, in some cases, Virginia's laws.

Why Is the UCPA Considered the Most Business-Friendly State Privacy Law?

The UCPA is widely described by privacy practitioners as the lightest-touch comprehensive privacy law among the early US state statutes. Four design choices explain that reputation.

  1. The narrowest applicability test: the $25 million revenue floor plus a separate data-volume gate excludes far more businesses than a single-threshold law like the CCPA
  2. Opt-out sensitive data, not opt-in consent: businesses can process sensitive data by default with notice and an opt-out, instead of collecting consent first
  3. No profiling opt-out: consumers cannot demand an opt-out from automated profiling specifically, only from sale and targeted advertising
  4. No data protection assessments or universal opt-out mandate: the UCPA skips two of the more operationally demanding requirements found in Colorado's and Virginia's laws

None of this makes the UCPA toothless. The Attorney General still enforces real penalties, and a business still has to publish a notice and honor five distinct consumer rights. The framing is comparative. Among the states, Utah asks the least of a covered business, while still requiring the core disclosure-and-opt-out architecture every comprehensive privacy law shares.

How Is the Utah Consumer Privacy Act Enforced? (Fines and the Attorney General)

The Utah Attorney General has the exclusive authority to enforce the UCPA. The law gives consumers no private right of action to sue a business directly.

Enforcement runs in two steps. The Division of Consumer Protection receives and investigates consumer complaints first. It then refers a matter to the Attorney General when it has reasonable cause to believe substantial evidence of a violation exists. Before the Attorney General can bring an action, the office must give the business 30 days' written notice identifying the alleged violation. If the business cures the violation inside that window and confirms it in writing, the Attorney General cannot proceed. Unlike some peer states, this cure right is permanent under the UCPA and does not sunset after a set number of years.

The penalty applies if a business fails to cure, or violates the same provision again after curing it once. In that case the Attorney General can recover the consumer's actual damages plus a civil penalty of up to $7,500 per violation. When multiple controllers or processors share fault for one violation, the statute splits liability by comparative fault rather than holding each fully liable.

How Is the UCPA Different from the CCPA and GDPR?

The UCPA, CCPA, and GDPR share one goal: consumer control over personal data. They diverge sharply on consent model, scope, and enforcement.

UCPACCPA/CPRAGDPR
Consent modelOpt-out, including for sensitive dataOpt-out for sale/sharing; opt-in only for minors under 16Opt-in by default for all processing
TerminologyController / processor (VCDPA-style)Business / service providerController / processor
Applicability$25M revenue AND a data-volume testAny ONE of three thresholds (revenue, data volume, or data-sale revenue share)Any organization processing EU residents' data
Private right of actionNoneLimited, for certain data breachesNot applicable (regulator-driven)
Profiling opt-outNoneLimited, tied to automated decision-making rulesYes, under specific conditions

The CCPA applies to a business that meets any single one of its three thresholds. More companies clear that bar than under the UCPA's stacked test. The GDPR standard requires opt-in consent by default for nearly all processing, the opposite of Utah's opt-out design even for sensitive data.

A privacy program built for CCPA compliance transfers to Utah with light adjustment, since both use an opt-out core. A program built only for GDPR needs a second, opt-out-based track for Utah and other US state laws.

What the Utah Consumer Privacy Act Means for Your Website and Cookies

A UCPA-covered site needs a working opt-out path for data sales and targeted-advertising cookies, plus the disclosures the law requires.

  • Post a clear, accessible privacy notice describing what data your cookies and trackers collect and how you use or share it
  • Give Utah visitors a way to opt out of targeted-advertising cookies and the sale of their data, the practical cookie-banner hook the UCPA creates
  • Present notice and an opt-out before any tracking that processes sensitive data, such as precise geolocation scripts
  • Honor and log opt-out requests within the 45-day response window
  • Keep records of consent and opt-out choices in case the Division of Consumer Protection or the Attorney General asks for proof

A site under the $25 million threshold has no UCPA obligation. Many businesses still build one opt-out banner that covers Utah alongside California and other US state laws at once. That single banner beats maintaining a patchwork of state-specific ones. The UCPA is one entry in a much larger set of data protection laws most US-facing sites now navigate. The same banner-and-records discipline you use to get your site GDPR compliant carries over here, even though the consent model is opt-out instead of opt-in.

How Consently Helps You Meet Utah's Opt-Out and Notice Requirements

Consently supports the consumer-facing side of UCPA compliance: an opt-out banner for Utah visitors, region-based display, and an audit trail of consent choices.

Consently shows Utah and other US visitors a CCPA and US state-law opt-out tools banner built on the UCPA's opt-out model. Visitors get controls to decline data sales and targeted advertising. Automatic geotargeting displays that opt-out banner to US visitors while showing the GDPR opt-in model to EU visitors on the same site, from one account.

Two features back the disclosure and record-keeping side of the law. Consent logs with export give a timestamped record of who opted out and when. That record helps if the Division of Consumer Protection or the Attorney General ever requests proof of compliance. The cookie, privacy, and terms-and-conditions policy generators produce the clear, accessible privacy notice the UCPA requires. Each is built from your actual cookie and data practices, not a generic template.

One requirement Consently does not handle automatically: honoring a visitor's browser-level Global Privacy Control signal. The UCPA does not mandate universal opt-out signal recognition, so this is not a compliance gap under Utah's law specifically. It is a separate obligation in states that do require it. Consently's banner, region-based display, and consent logs support the disclosure and opt-out tasks above. A policy generator provides compliance assistance, not a legal guarantee of UCPA compliance.

Try Consently free to see the opt-out banner and consent log running on your own site.

FAQs

What is the Utah Consumer Privacy Act in simple terms?

The Utah Consumer Privacy Act is a Utah law that gives residents rights over their personal data. Covered businesses must honor opt-out requests and post clear privacy notices. It applies only to businesses that clear a $25 million revenue threshold plus a data-volume test.

When did the Utah Consumer Privacy Act take effect?

The UCPA took effect December 31, 2023. Governor Spencer Cox signed it into law on March 24, 2022. The 2025 HB 418 amendment added a right to correct, effective July 1, 2026.

Who has to comply with the Utah Consumer Privacy Act?

A business must have $25,000,000 or more in annual revenue. It must also clear a second test. That means processing 100,000 or more Utah consumers a year, or deriving over 50% of revenue from data sales while processing 25,000 or more consumers.

Does the Utah Consumer Privacy Act apply to small businesses?

Usually not. A business must clear $25 million in annual revenue and a separate data-volume test. Most small businesses fall outside the UCPA even if they process some Utah residents' data.

What are the penalties for violating the Utah Consumer Privacy Act?

Violations can carry actual damages to the consumer plus a civil penalty of up to $7,500 per violation. That penalty applies only after a 30-day cure window in which the business can fix the issue and avoid the penalty entirely.

Who enforces the Utah Consumer Privacy Act?

The Utah Attorney General has exclusive enforcement authority. The Division of Consumer Protection receives and investigates complaints first, then refers substantiated cases to the Attorney General.

Is there a private right of action under the UCPA?

No. Consumers cannot sue a business directly for a UCPA violation. Only the Utah Attorney General can bring an enforcement action.

How is the Utah Consumer Privacy Act different from the CCPA?

The UCPA uses controller and processor terminology and requires a stacked revenue-and-data threshold instead of the CCPA's single-threshold test. It also gives consumers no right to opt out of profiling. Both laws share an opt-out consent model.

Does the UCPA require a cookie consent banner?

The statute does not name cookie banners specifically. A covered site running targeted-advertising or data-sale cookies needs a working opt-out mechanism. An opt-out banner is the standard way to deliver that notice and choice.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.