{"id":16863,"date":"2025-04-08T15:46:44","date_gmt":"2025-04-08T13:46:44","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?p=16863"},"modified":"2026-03-30T17:59:42","modified_gmt":"2026-03-30T15:59:42","slug":"utah-consumer-privacy-act-ucpa","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/en\/utah-consumer-privacy-act-ucpa\/","title":{"rendered":"Utah Consumer Privacy Act (UCPA): An Overview"},"content":{"rendered":"\n<p>The Utah Consumer Privacy Act (UCPA) went into effect on December 31, 2023. Utah was the fourth US state to pass a data privacy law, and the legislation drew on earlier states\u2019 efforts, like Virginia and Colorado. Utah\u2019s data privacy law is considered one of the more \u201cbusiness-friendly\u201d regulations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-the-utah-consumer-privacy-act-ucpa\">What is the Utah Consumer Privacy Act (UCPA)?<\/h2>\n\n\n\n<p>The <a href=\"https:\/\/le.utah.gov\/~2022\/bills\/static\/SB0227.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Utah Consumer Privacy Act (UCPA)<\/a> protects the privacy rights of residents of Utah and establishes data privacy and protection responsibilities for companies that process the personal data of Utah residents.<br><\/p>\n\n\n\n<p>The UCPA covers the sale of personal data, and defines a sale as any <em>\u201cexchange of personal data for monetary consideration by a controller to a third party.\u201d<\/em><\/p>\n\n\n\n<p>The UCPA uses an opt-out model for consent, like all of the other US state-level privacy laws to date. This means that personal data can be collected without first requiring consumers\u2019 consent, but with some exceptions, consent must be obtained before the data can be sold.<\/p>\n\n\n\n<p>The UCPA does not require prior consent for the processing of data categorized as sensitive, which is unusual among US state-level privacy laws. 
Companies just need to notify consumers about collection and use and provide an opt-out option.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-has-to-comply-with-the-utah-consumer-privacy-act\">Who has to comply with the Utah Consumer Privacy Act?<\/h2>\n\n\n\n<p>The UCPA applies to for-profit companies that operate in Utah,<strong> <\/strong>either by conducting business there or by offering a product or service to consumers who reside in the state, as well as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Meet the annual earnings and data processing thresholds, meaning they report revenue of USD 25 million, and either<\/li>\n\n\n\n<li>Control or process the data of 100,000 consumers<\/li>\n<\/ul>\n\n\n\n<p>or<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Derive more than 50 percent of gross revenue from the sale or control of personal data of 25,000 or more consumers<\/li>\n<\/ul>\n\n\n\n<p>The revenue threshold excludes smaller SMBs from being required to comply, and this requirement has not been included in a number of the more recently passed state-level privacy laws.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-exemptions-to-utah-consumer-privacy-act-compliance\">Exemptions to Utah Consumer Privacy Act compliance<\/h3>\n\n\n\n<p>There is a variety of exemptions to the UCPA\u2019s compliance requirements, centered around type of entity, types of data, and other factors.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-organizational-exemptions\">Organizational exemptions<\/h4>\n\n\n\n<p>In addition to organizations that fall below the revenue or data processing volume thresholds, the UCPA exempts a number of other entities, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Institutions of higher education<\/li>\n\n\n\n<li>Nonprofit organizations<\/li>\n\n\n\n<li>Government organizations and contractors<\/li>\n\n\n\n<li>Indigenous groups<\/li>\n\n\n\n<li>Air carriers<\/li>\n\n\n\n<li>Organizations covered by the <a 
href=\"https:\/\/usercentrics.com\/knowledge-hub\/health-insurance-portability-and-accountability-act-hipaa\/\">Health Insurance Portability and Accountability Act (HIPAA)<\/a><\/li>\n\n\n\n<li>Financial institutions governed by the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/glba-compliance\/\">Gramm-Leach-Bliley Act (GLBA)<\/a><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-data-exemptions\">Data exemptions<\/h4>\n\n\n\n<p>The UCPA does not apply to personal data that is already subject to any of the following regulations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Driver\u2019s Privacy Protection Act (DPPA)<\/li>\n\n\n\n<li>Fair Credit Reporting Act (FCRA)<\/li>\n\n\n\n<li>Family Educational Rights and Privacy Act (FERPA)<\/li>\n\n\n\n<li>Farm Credit Act (FCA)<\/li>\n\n\n\n<li>Gramm-Leach-Bliley Act (GLBA)<\/li>\n\n\n\n<li>Health Insurance Portability and Accountability Act (HIPAA)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-employment-exemptions\">Employment exemptions<\/h4>\n\n\n\n<p>The UCPA exempts personal data that is processed or maintained during the course of an individual\u2019s employment.<\/p>\n\n\n\n<p>This includes instances when an individual is applying for a job, or when they are \u201cacting as an employee, agent, or independent contractor of a controller, processor, or third party,\u201d provided that the data is \u201ccollected and used within the context of that role.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-consumers-rights-under-the-utah-consumer-privacy-act\">What are consumers\u2019 rights under the Utah Consumer Privacy Act?<\/h2>\n\n\n\n<p>Utah residents have fairly consistent rights under the UCPA compared to many other US state-level privacy laws in terms of what they can request and have done with their data:<br><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Right to access <\/strong>-<strong> <\/strong>confirm whether a controller is processing their data, and 
the ability to request and receive that data<\/li>\n\n\n\n<li><strong>Right to deletion of personal data <\/strong>- if the data subject directly provided the data to the controller<\/li>\n\n\n\n<li><strong>Right to portability <\/strong>-<strong> <\/strong>obtain a copy of their personal data from the controller, in a format that is:\n<ul class=\"wp-block-list\">\n<li>Portable to a technically reasonable extent<\/li>\n\n\n\n<li>Readily usable to a practical extent<\/li>\n\n\n\n<li>Enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Right to opt out of certain processing <\/strong>- specifically for the sale of the personal data or the purposes of targeted advertising<\/li>\n<\/ul>\n\n\n\n<p>Companies are also prohibited from discriminating against individuals for exercising their data privacy rights under the UCPA, which gives consumers that additional right.<\/p>\n\n\n\n<p>The UCPA does not give consumers the right to appeal companies\u2019 refusals of their requests, or the right to have a company correct incorrect or outdated personal data about them.<\/p>\n\n\n\n<p>The Utah privacy law also does not allow for a private right of action, which is an individual\u2019s ability to sue a controller for violating the law, e.g. in the case of a data breach. Consumers also cannot use a violation of the UCPA to support a claim under other Utah laws.<\/p>\n\n\n\n<p>The UCPA does not require data controllers to recognize \u201cuniversal opt-out signals\u201d as a mechanism for consumers to opt out of data processing. 
This excludes <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/global-privacy-control\/\">global privacy control (GPC)<\/a> measures, where users can set their consent choices once and have them respected across all other sites and properties on which they are active.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-consumer-requests-under-the-ucpa\">Consumer requests under the UCPA<\/h2>\n\n\n\n<p>Companies must fulfill consumer requests free of charge to the consumer, unless the request is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The second or subsequent request within the same 12-month period<\/li>\n\n\n\n<li>\u201cExcessive, repetitive, technically infeasible, or manifestly unfounded\u201d<\/li>\n\n\n\n<li>Reasonably believed by the controller to have the primary purpose of \u201csomething other than exercising a right\u201d<\/li>\n\n\n\n<li>Intended to harass, disrupt, or impose undue burden on the resources of the controller\u2019s business<\/li>\n<\/ul>\n\n\n\n<p>Controllers must notify the consumer of their actions in response to a request within 45 days of receiving it. If the controller cannot or will not respond to or fulfill the consumer\u2019s request, e.g. if the company is dealing with a high volume of requests or the consumer\u2019s identity cannot be reasonably verified, they must communicate this during that same 45-day period.<\/p>\n\n\n\n<p>However, the response period can be extended by another 45 days if reasonably necessary, for example, if the request is very complex and involves a lot of data. Where there is an extension, the consumer must be informed within the initial 45 days. 
The notification must include reasons for and the length of the delay.<\/p>\n\n\n\n<p>As noted, the UCPA does not have an appeal process for consumers whose requests are denied.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" 
id=\"h-what-are-companies-responsibilities-under-the-utah-privacy-law\">What are companies\u2019 responsibilities under the Utah privacy law?<\/h2>\n\n\n\n<p>The UCPA requires companies to be transparent about their data processing operations, respond promptly to requests, take reasonable care to protect data they have collected, and carry out other functions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ucpa-transparency-requirements\">UCPA transparency requirements<\/h3>\n\n\n\n<p>Controllers must make information available to consumers that is \u201creasonably accessible and clear.\u201d This notice would typically appear on a business\u2019s website, like in a privacy policy, and must include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Categories of personal data processed by the controller<\/li>\n\n\n\n<li>Categories of personal data the controller shares with third parties<\/li>\n\n\n\n<li>Categories of third parties with whom the controller shares personal data<\/li>\n\n\n\n<li>A clear explanation of how consumers can exercise their rights, including the right to opt out<\/li>\n\n\n\n<li>\u201cClear and conspicuous\u201d disclosure if personal data is sold to a third party or used for targeted advertising<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent-solution\/\">Cookiebot consent management platform (CMP)<\/a> can streamline meeting these requirements. 
It enables companies to generate an accurate, comprehensive, and up to date privacy policy and keep users up to date on data processing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ucpa-requirements-for-data-security\">UCPA requirements for data security<\/h3>\n\n\n\n<p>Controllers must \u201cestablish, implement, and maintain reasonable administrative, technical, and physical data security practices\u201d that have been \u201cdesigned to protect the confidentiality and integrity of personal data.\u201d<\/p>\n\n\n\n<p>This applies both to the controller and any third parties they have contracted to perform processing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ucpa-requirements-for-third-party-data-processing\">UCPA requirements for third-party data processing<\/h3>\n\n\n\n<p>Companies are required to have contracts in place with any third parties they use for data processing. The contract must include instructions for data processing, as well as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Nature and purpose of the processing<\/li>\n\n\n\n<li>Type of data to be processed<\/li>\n\n\n\n<li>Duration of processing<\/li>\n\n\n\n<li>All parties\u2019 rights and obligations, including a duty of confidentiality<\/li>\n\n\n\n<li>A provision that requires the processor to have a written contract with any subcontractor engaged to process personal data that mirrors the obligations on the processor<\/li>\n<\/ul>\n\n\n\n<p>Controllers don\u2019t have to evaluate the risks of their data processing activities via data protection assessments, which is a requirement included in a number of other states\u2019 privacy laws. 
A contract between a controller and processor also does not need to stipulate that the processor must comply with any reasonable <a href=\"https:\/\/usercentrics.com\/data-privacy-audit\/\">data privacy audits<\/a> set in motion by the data controller.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ucpa-requirements-for-processing-children-s-personal-data\">UCPA requirements for processing children\u2019s personal data<\/h3>\n\n\n\n<p>The only activity for which the UCPA requires prior and explicit consent is the processing of children\u2019s personal data. The law defines a child as an individual who is known to be under 13 years of age.<\/p>\n\n\n\n<p>Controllers have to obtain verifiable consent from a parent or guardian prior to processing and process the data in accordance with the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/childrens-online-protection-act-coppa\/\">Children\u2019s Online Privacy Protection Act (COPPA)<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ucpa-prohibition-on-discrimination\">UCPA prohibition on discrimination<\/h3>\n\n\n\n<p>As noted, controllers may not discriminate against any consumer who exercises their privacy rights, e.g. opts out of allowing sale of their data. 
Examples of potential discrimination include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Denying goods or services<\/li>\n\n\n\n<li>Charging a different price or rate for goods or services<\/li>\n\n\n\n<li>Providing a different level of quality for goods or services<\/li>\n<\/ul>\n\n\n\n<p>Controllers are allowed to offer \u201ca different price, rate, level, quality, or selection of a good or service to a consumer\u201d if that customer has opted out of targeted advertising, or if the offer relates to the consumer voluntarily participating in the controller\u2019s loyalty program.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-enforcement-and-penalties-under-the-utah-consumer-privacy-act\">Enforcement and penalties under the Utah Consumer Privacy Act<\/h2>\n\n\n\n<p>The Utah attorney general has full enforcement authority of UCPA. However, the Division of Consumer Protection is responsible for administering consumer complaints and has the authority to investigate alleged violations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-penalties-and-fines-under-the-ucpa\">Penalties and fines under the UCPA<\/h3>\n\n\n\n<p>In cases where punitive action is required, such as if the controller or processor fails to resolve or repeats a violation after providing a written statement to the contrary, the Attorney General can initiate an enforcement action. This includes damages and fines up to USD 7,500 per violation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-investigations-and-cure-period\">Investigations and cure period<\/h3>\n\n\n\n<p>Where regulatory authorities find reasonable cause or evidence of a violation under the UCPA, it\u2019s referred to the Attorney General. If the Attorney General pursues the investigation, their office must provide the data controller or data processor with a written notice about the violation.<\/p>\n\n\n\n<p>The UCPA provides the offending party with a 30-day \u201ccure\u201d period. 
The controller has 30 days to rectify any violation and provide a statement to the Attorney General about what has been done to resolve the violation and ensure it won\u2019t be repeated. There is no sunset date on the UCPA\u2019s cure period.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-updates-to-the-ucpa\">Updates to the UCPA<\/h2>\n\n\n\n<p>On March 13, 2024, Utah became the first state to enact an AI-focused consumer protection law. The <a href=\"https:\/\/le.utah.gov\/~2024\/bills\/static\/SB0149.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Utah Artificial Intelligence Policy Act (UAIP)<\/a>, which came into effect on May 1, 2024, modifies the UCPA and places certain duties on businesses using generative AI in the course of their business.<\/p>\n\n\n\n<p>The act focuses mainly on businesses operating in regulated industries, i.e. those where a person requires a license or state certificate to work. These businesses must disclose to customers that they are interacting with generative AI or materials that are created by generative AI.<\/p>\n\n\n\n<p>It also requires businesses in non-regulated sectors to disclose the use of this technology if asked or prompted by a customer. However, it\u2019s not clear what mechanisms an organization must put in place to field these requests or how the disclosure should take place.<\/p>\n\n\n\n<p>The UAIP has also created an Office of Artificial Intelligence Policy that is tasked with setting up an Artificial Intelligence Learning Laboratory Program. 
The goal is that this AI Lab will support AI-related regulation and development within the state.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-utah-consumer-privacy-act-and-consent-management\">Utah Consumer Privacy Act and consent management<\/h2>\n\n\n\n<p>The UCPA requires companies to provide clear notification about data processing and rights in all cases, obtain prior consent for access to children\u2019s data, and enable consumers to opt out of usage of their data.<\/p>\n\n\n\n<p>To provide clear information about data processing, companies need to know what kinds of tracking they\u2019re doing on websites and apps at all times.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent-solution\/\">Cookiebot CMP<\/a> automatically scans sites and apps to detect all cookies and trackers in use. This list can also be automatically categorized and used to populate the cookie banner and the privacy policy. It\u2019s also kept up to date for you as technologies in use and data processing change, to give you compliance peace of mind.<\/p>\n\n\n\n<p>Utah\u2019s data privacy law has been in effect long enough that it has already been updated, which is expected to continue as technologies and the business and legal landscapes change.<\/p>\n\n\n\n<p>Usercentrics helps customers stay up to date with regulatory requirements with solutions like Cookiebot CMP\u2122.<\/p>\n\n\n\n<p>As more states pass data privacy laws, the likelihood that businesses will need to comply with more state-level laws, and even international privacy laws, continues to grow. 
Usercentrics has the solutions you need to achieve and maintain data privacy compliance, protect your revenue, and build trust and long-term engagement with your audience.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Utah Consumer Privacy Act (UCPA) went into 
effect on December 31, 2023. Utah was the fourth US state to pass a data privacy law, and the legislation drew on earlier states\u2019 efforts, like Virginia and Colorado. Utah\u2019s data privacy law is considered one of the more \u201cbusiness-friendly\u201d regulations. What is the Utah Consumer Privacy [&hellip;]<\/p>\n","protected":false},"author":9,"featured_media":16864,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"inline_featured_image":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16863","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2025\/04\/UCPA_main_image_900x450_1200x630_ffffff.png","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/16863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=16863"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/16863\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media\/16864"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=16863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/categories?post=16863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=16863"}],"curies":[{"name
":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}