Utah Consumer Privacy Act (UCPA): A Compliance Guide for Businesses

Published
Apr 8, 2025

The Utah Consumer Privacy Act (UCPA) took effect on December 31, 2023. Signed into law on March 24, 2022, it made Utah the fourth U.S. state to enact a comprehensive consumer data privacy law.

The UCPA draws on earlier state frameworks, particularly the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA), while adopting a narrower, more business-oriented scope. Unlike a number of other state laws, such as the Connecticut Data Privacy Act (CTDPA), it conditions applicability on a revenue-based threshold.

For companies that process the personal data of Utah residents and meet the law's revenue and data-volume thresholds, the UCPA creates concrete obligations around transparency, consumer rights, data security, and third-party contracts. 

Businesses that are already managing compliance across multiple U.S. state privacy laws will find the UCPA's structure broadly familiar, but several key differences, including its treatment of sensitive data and the absence (until July 1, 2026) of a right to correct, require careful attention.

This guide explains what the UCPA requires, who it covers, what Utah consumers can demand of the companies that hold their data, and how Cookiebot by Usercentrics can help businesses build and maintain compliant consent workflows.

At a Glance

  • Effective date: December 31, 2023 (Utah was the fourth U.S. state to enact a comprehensive consumer data privacy law; amended annually since 2024)
  • Scope: Applies to for-profit businesses operating in Utah with at least USD 25 million annual revenue that process data from at least 100,000 consumers, or derive more than 50 percent of gross revenue from data sales and process data from at least 25,000 consumers.
  • Consent model: Opt-out, so businesses may collect personal data without prior consent (in most cases) but must notify consumers and honor opt-out requests for data sales and targeted advertising.
  • Consumer rights: Access, deletion (of self-provided data), portability, opt-out, and right to correct inaccuracies as of July 1, 2026.
  • Enforcement: Utah Attorney General (AG) has sole enforcement authority; fines up to USD 7,500 per violation; no private right of action; permanent 30-day cure period.
  • First enforcement action: The AG filed suit against Snap, Inc. in June 2025.

What Is the Utah Consumer Privacy Act?

The UCPA (Utah Code § 13-61-101 et seq.) is the state's primary data privacy statute. It gives Utah residents defined rights over their personal data and requires businesses that meet the law's applicability thresholds to honor those rights, protect data through reasonable security measures, and disclose their data practices in plain language.

Unlike the GDPR or California's CPRA, the UCPA does not impose data minimization requirements on businesses. The law does not limit what data a company may collect or how it may use that data, provided it notifies consumers and offers them an opt-out where required. The burden of exercising privacy rights rests largely with the consumer.

How the UCPA Defines Key Terms

The UCPA uses a controller-processor framework borrowed from the GDPR and adopted in several other U.S. state privacy laws.

Controller

A person doing business in Utah who determines the purposes for which and the means by which personal data are processed.

Processor

A person who processes personal data on behalf of a controller. "Person" includes both individuals and commercial entities.

Consumer

A Utah resident acting in an individual or household context. Employment and commercial contexts are excluded.

Personal data

Information that is linked or reasonably linkable to an identified or identifiable individual. Publicly available information, de-identified data, and aggregated data that cannot identify individuals are all excluded.

A practical note on aggregation: data that does not identify an individual on its own may become identifying when combined with other data points. Businesses should apply this linkability test to any dataset before assuming it falls outside the law's scope.

Sensitive Data Under the UCPA

The UCPA defines a specific category of sensitive personal data. Unlike most comparable state laws, it does not require businesses to obtain opt-in consent before processing sensitive data. Notice and an opt-out opportunity are sufficient. The sensitive categories are:

  • Racial or ethnic origin (with an exception for video communication services and licensed healthcare providers)
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status
  • Medical history, mental or physical health condition, or medical treatment or diagnosis
  • Genetic or biometric data processed to identify a specific individual
  • Geolocation data processed to identify a specific individual

This treatment of sensitive data is one of the UCPA's most significant departures from other state privacy laws. Businesses operating across multiple states should not assume that a notice-and-opt-out flow built for Utah satisfies the opt-in consent requirements of states like Colorado or Connecticut. Utah's framework is the less demanding one, so a multistate program generally has to meet the stricter standard and treat Utah as the floor, not the ceiling.

Who Must Comply with the UCPA?

The UCPA applies to for-profit entities that conduct business in Utah or offer products or services to Utah residents, and that meet the following thresholds:

  • Annual revenue of at least USD 25 million, and either
  • Control or process the personal data of 100,000 or more consumers during a calendar year, or
  • Derive more than 50 percent of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers

The dual-threshold structure, which requires both a revenue floor and a data-volume condition, is more restrictive than many of the state privacy laws passed after Utah's. 

Small and mid-sized businesses below the USD 25 million revenue mark are not covered, even if they process large volumes of consumer data. Unlike in California, the revenue threshold has not been adjusted for inflation.

Organizations that already comply with the CCPA or CPRA and also do business in Utah will likely have a UCPA footprint, but not automatically: California's thresholds are met by satisfying any one of them, whereas the UCPA requires both the revenue floor and a data-volume condition.

Organizational Exemptions

The following entity types are exempt from the UCPA regardless of revenue or data volumes:

Data Exemptions

Data already regulated by the following federal laws is outside the UCPA's scope:

  • Driver's Privacy Protection Act (DPPA)
  • Fair Credit Reporting Act (FCRA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Farm Credit Act (FCA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)

Employment Data Exemptions

Personal data collected and used in an employment context is exempt. This covers job applicants, employees, agents, and independent contractors, provided the data is collected and used within the scope of that employment or contractual relationship.

Consumer Rights Under the UCPA

Utah residents currently have four statutory rights over their personal data. A fifth, the right to correct inaccurate data, takes effect July 1, 2026: consumers will be able to ask a controller to correct inaccuracies in their personal data, taking into account the nature of the data and the purposes of the processing.

Right to access

Consumers may ask a controller to confirm whether their personal data is being processed and, if so, may request a copy of that data.

Right to deletion

Consumers may request deletion of personal data they directly provided to the controller. This is narrower than the deletion rights in several other state laws, which extend to all data a controller holds about a consumer.

Right to portability

Consumers may request a copy of their personal data in a portable, readily usable format that enables them to transmit it to another controller, where technically feasible, provided the processing is carried out by automated means.

Right to opt out

Consumers may opt out of the sale of their personal data or its use for targeted advertising. Once a consumer exercises this right, the affected data cannot continue to be used for those purposes.

What the UCPA Does Not Provide

Compared with laws like those in California or Colorado, the UCPA's consumer rights framework is relatively lean. Notably absent are:

  • A right to appeal a controller's denial of a consumer request
  • Recognition of universal opt-out signals such as Global Privacy Control (GPC)
  • A private right of action (the ability for individual consumers to sue a controller for noncompliance or a data breach)

It is worth noting that while more than 20 states now have comprehensive data privacy laws, California remains the only one to provide a private right of action — and only under limited conditions following a data breach. Consumers also cannot use a UCPA violation to support a claim under other Utah laws. Enforcement authority rests exclusively with the state Attorney General.

How Businesses Must Handle Consumer Requests

Controllers must establish a clear process through which consumers can submit requests and exercise their rights. The UCPA sets the following procedural requirements.

Response Timeline

Controllers must take action on a request — or inform the consumer that they will not — within 45 days of receiving it. This initial period may be extended by an additional 45 days if the request is complex or the controller is handling a high volume of requests. Any extension must be communicated to the consumer within the original 45-day window, along with the reason for the delay. 

Costs

A consumer's first request in any 12-month period must be fulfilled at no charge; a fee may be charged for a second or subsequent request within that period. Controllers may also charge a fee where a request is excessive, repetitive, technically infeasible, or manifestly unfounded, including where the controller has reasonable grounds to believe the request's primary purpose is something other than exercising a privacy right, or where it would impose an undue burden on the business.

Identity Verification

Controllers may decline to respond or fulfill a request if they cannot reasonably verify the consumer's identity, but they must communicate this during the 45-day response window. Unlike several other state laws, the UCPA provides no appeal mechanism for consumers whose requests are denied.
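The three procedural rules above (a 45-day window, one 45-day extension that must be noticed with a reason inside the original window, and a fee only for a second-or-later request in 12 months or an excessive one) are the kind of thing a privacy engineering team encodes in its request-handling tooling. The following is an added example written for this guide, not code from the page, from Cookiebot, or from any vendor. It assumes calendar days, approximates the statute's "12-month period" as 365 days, and invents the record layout and function names; a real system would also log who verified identity and what was sent to the consumer.

```python
"""Deadline and fee checks for UCPA consumer requests (illustrative, not a vendor API).

Assumptions made here, not stated on the page: days are calendar days, the
"12-month period" is approximated as 365 days, and dates may be passed either
as datetime.date objects or ISO-8601 strings such as "2025-04-08".
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Union

INITIAL_WINDOW_DAYS = 45   # initial response window
EXTENSION_DAYS = 45        # the single permitted extension
FREE_PERIOD_DAYS = 365     # approximation of "12-month period" (assumption)

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


@dataclass
class ConsumerRequest:
    consumer_id: str
    received: date
    kind: str                           # "access", "deletion", "portability", "opt_out"
    extended_on: Optional[date] = None  # date the extension notice went out
    extension_reason: Optional[str] = None
    outcome: Optional[str] = None       # "fulfilled", "declined", "unverified"
    closed_on: Optional[date] = None


def new_request(consumer_id: str, received: DateLike, kind: str) -> ConsumerRequest:
    return ConsumerRequest(consumer_id, _as_date(received), kind)


def initial_deadline(req: ConsumerRequest) -> date:
    """Last day of the original 45-day window."""
    return req.received + timedelta(days=INITIAL_WINDOW_DAYS)


def response_deadline(req: ConsumerRequest) -> date:
    """Current due date: the original window, plus 45 days if an extension was taken."""
    due = initial_deadline(req)
    if req.extended_on is not None:
        due += timedelta(days=EXTENSION_DAYS)
    return due


def request_extension(req: ConsumerRequest, on: DateLike, reason: str) -> date:
    """Record an extension notice. Only one is allowed, it needs a reason, and it
    must be sent within the original window; a notice on day 46 is simply late."""
    on = _as_date(on)
    if req.extended_on is not None:
        raise ValueError("only one 45-day extension is available")
    if not reason.strip():
        raise ValueError("an extension notice must state the reason for the delay")
    if on > initial_deadline(req):
        raise ValueError(f"extension notice on {on} is after the original deadline "
                         f"{initial_deadline(req)}")
    req.extended_on = on
    req.extension_reason = reason
    return response_deadline(req)


def close_request(req: ConsumerRequest, on: DateLike, outcome: str) -> None:
    """Record the controller's action. Declining for failed identity verification
    is an action too, and must also land inside the response window."""
    on = _as_date(on)
    if outcome not in {"fulfilled", "declined", "unverified"}:
        raise ValueError(f"unknown outcome {outcome!r}")
    if on > response_deadline(req):
        raise ValueError(f"response on {on} is late; deadline was {response_deadline(req)}")
    req.outcome = outcome
    req.closed_on = on


def is_overdue(req: ConsumerRequest, today: DateLike) -> bool:
    return req.closed_on is None and _as_date(today) > response_deadline(req)


def fee_permitted(req: ConsumerRequest, history: Iterable[ConsumerRequest],
                  excessive: bool = False) -> bool:
    """True if a reasonable fee may be charged: the request is the consumer's second
    or later within the free period, or it is excessive/repetitive/unfounded."""
    if excessive:
        return True
    window_start = req.received - timedelta(days=FREE_PERIOD_DAYS)
    prior = [r for r in history
             if r.consumer_id == req.consumer_id and r is not req
             and window_start < r.received <= req.received]
    return len(prior) >= 1


if __name__ == "__main__":
    # Constructed sample: one consumer, an access request, then a second request.
    history = []
    first = new_request("c-1001", "2025-04-08", "access")
    history.append(first)
    print("initial deadline:", initial_deadline(first))            # 2025-05-23
    print("after extension:", request_extension(first, "2025-05-20", "high request volume"))
    close_request(first, "2025-06-30", "fulfilled")
    second = new_request("c-1001", "2025-09-01", "deletion")
    history.append(second)
    print("fee permitted on second request:", fee_permitted(second, history))  # True
```

The check that matters most in practice is the one in `request_extension`: an extension is only valid if the notice (with its reason) goes out on or before the original deadline, so tooling should refuse to record one after that date rather than silently pushing the due date out.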

Business Obligations Under the UCPA

The UCPA imposes four main categories of obligation on controllers and processors: transparency, data security, third-party contracting, and child data protection. A non-discrimination rule applies alongside them.

Transparency and Privacy Notices

Controllers must provide consumers with a privacy notice that is reasonably accessible and written clearly. The notice must be available before data collection begins, typically on the business's website, and must cover:

  • Categories of personal data the controller processes
  • Categories of personal data shared with third parties
  • Categories of third parties that receive that data
  • A clear description of how consumers can exercise their rights, including opt-out
  • Clear and conspicuous disclosure if personal data is sold or used for targeted advertising

Cookiebot by Usercentrics automatically scans websites and apps to detect all cookies and trackers in use, populates cookie banners with accurate disclosure language, and keeps notices current as the technology stack changes. This supports the "reasonably accessible and clear" standard the UCPA requires.

Data Security

Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data and reduce the risk of harm to consumers. These obligations apply equally to any processors or subprocessors the controller engages.

The UCPA does not specify which security measures are required, leaving controllers to determine what is appropriate for the type and volume of data they process. Unlike the VCDPA and CPA, the UCPA does not require businesses to conduct data protection assessments, though doing so remains good practice, particularly for high-risk processing activities.

Third-Party Data Processing Contracts

Where a controller uses a processor to handle personal data, a written contract must be in place. That contract must specify:

  • The nature and purpose of the processing
  • The type of personal data to be processed
  • The duration of processing
  • The rights and obligations of both parties, including a duty of confidentiality
  • A requirement that any subcontractor the processor engages must be bound by equivalent obligations under a separate written contract

Controllers under the UCPA are also not required to mandate that processors submit to data privacy audits initiated by the controller. This is in contrast with some other state frameworks. These lighter contractual requirements reflect the UCPA's generally business-friendly orientation.

Children's Data

The one area where the UCPA requires opt-in consent, rather than merely notice and opt-out, is the processing of children's personal data. A child is defined as an individual known to be under 13 years of age. 

Controllers must obtain verifiable parental or guardian consent before processing, and handle that data in compliance with COPPA.

Non-Discrimination

Controllers may not discriminate against consumers who exercise their privacy rights, including by denying them goods or services, charging different prices, or providing a lower quality of service. 

However, controllers may offer different prices or proportionate benefits to consumers who voluntarily participate in a loyalty program, or in connection with a consumer's opt-out from targeted advertising, provided this is disclosed.

How the UCPA Compares to Other Privacy Laws

Businesses operating across jurisdictions frequently need to assess where the UCPA sits in the broader landscape of privacy regulation. Since Utah enacted the UCPA in 2022, the number of U.S. states with comprehensive privacy laws has grown to more than 20. The comparisons below focus on the frameworks most likely to affect the same businesses.

UCPA vs. GDPR

The structural differences between the UCPA and the EU's General Data Protection Regulation are substantial.

The GDPR applies to any organization processing the personal data of EU residents, regardless of size, revenue, or where the organization is based. It requires a lawful basis for every processing activity, mandates data minimization and purpose limitation, requires privacy by design and by default, and imposes data protection impact assessments for high-risk processing. Consumer rights under the GDPR include access, correction, erasure, restriction, and objection. Violations can trigger fines of up to 4 percent of global annual turnover.

The UCPA applies only to businesses above defined revenue and data-volume thresholds, imposes no data minimization requirements, uses an opt-out rather than opt-in model for most processing, and caps civil penalties at USD 7,500 per violation.

For organizations subject to both, GDPR compliance does not automatically satisfy the UCPA. The consent models, exemption structures, and enforcement mechanisms differ. In practice, though, the GDPR's more demanding requirements mean that a genuinely GDPR-compliant program will substantially exceed what the UCPA demands.

UCPA vs. CCPA/CPRA

California's CCPA and its successor framework, the CPRA, share the UCPA's opt-out model for data sales but diverge significantly in scope and enforcement.

The CCPA/CPRA is enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA), which can initiate investigations and audits independently of consumer complaints. 

The CPRA adds data minimization and purpose limitation requirements, mandates recognition of Global Privacy Control (GPC) signals as a valid opt-out, and includes a limited private right of action for certain data breaches. 

California also adjusts its monetary thresholds for CPI inflation on a biennial basis: the revenue threshold, USD 25 million in the law's text, currently stands at roughly USD 26.6 million and is next due for adjustment in 2027. Utah's USD 25 million figure is fixed in statute.

One structural difference worth noting: the UCPA defines "sale" as an exchange for monetary consideration only. The CCPA extends the concept to non-monetary exchanges of value with third parties, which can capture data-sharing arrangements that would fall outside Utah's framework entirely.

UCPA vs. Virginia VCDPA and Texas TDPSA

The UCPA's closest structural relatives among U.S. state laws are Virginia's Consumer Data Protection Act (VCDPA) and the Texas Data Privacy and Security Act (TDPSA). Both share the UCPA's controller-processor framework and opt-out consent model for standard processing.

The most significant difference is the treatment of sensitive data. Both the VCDPA and the TDPSA (along with most other U.S. state laws) require opt-in consent before processing sensitive personal data, which is a meaningfully higher bar than Utah's notice-and-opt-out approach. The VCDPA and TDPSA also include consumer appeal rights for denied requests, which the UCPA does not provide.

On scope, the VCDPA has no revenue threshold — applicability turns entirely on data-processing volumes — making it broader than the UCPA for mid-sized businesses with large consumer datasets. 

The TDPSA takes a different approach, substituting the U.S. Small Business Administration's "small business" definition for a specific revenue figure, which means compliance obligations vary considerably depending on a company's industry and headcount.

Universal opt-out signals are one area where the three laws diverge. Virginia's VCDPA does not require recognition of GPC signals. Texas has required it since January 2025. Utah does not require GPC recognition at all, making the UCPA the least demanding of the three on this point.

UCPA vs. Colorado CPA

Colorado's Privacy Act shares the UCPA's general structure but imposes meaningfully stronger obligations. The CPA requires opt-in consent for sensitive data processing, mandates data protection assessments for high-risk activities, and requires recognition of universal opt-out signals including GPC.

Colorado's cure period expired in January 2025, making enforcement there more immediate once a violation is identified, while Utah’s is permanent.

For businesses already managing CPA compliance, the UCPA will generally require less, but the differences in sensitive data consent and the absence of a GPC mandate in Utah mean the two frameworks cannot simply be treated as identical.

Cookies, Tracking Technologies, and the UCPA

The UCPA does not reference cookies or tracking technologies by name, but its provisions have direct implications for how websites and apps collect data from Utah residents.

Cookies, pixels, device fingerprints, and similar trackers frequently collect personal data as the UCPA defines it: information that is linked or reasonably linkable to an identified or identifiable individual. IP addresses, device identifiers, and behavioral profiles can all meet this definition, particularly when combined with other data points.

Where that data is then used for targeted advertising or shared with third parties for monetary consideration, the UCPA's opt-out and disclosure requirements apply directly.

In practice, this means that covered businesses need to know what tracking technologies are active on their digital properties, keep disclosure language in their privacy notices current, and provide Utah consumers with a clear and accessible opt-out mechanism for data sales and targeted advertising. Cookiebot by Usercentrics automates the detection, categorization, and disclosure of cookies and trackers, and keeps consent records as the technology stack evolves.

UCPA Enforcement

The Utah Attorney General holds exclusive enforcement authority under the UCPA. The Division of Consumer Protection handles incoming consumer complaints and may investigate potential violations, but only the Attorney General can initiate formal enforcement proceedings.

The Enforcement Process

When the Division of Consumer Protection finds reasonable cause to believe a violation has occurred, it refers the matter to the Attorney General. If the AG's office decides to pursue the case, it must first issue a written notice to the controller or processor. 

The offending party then has 30 days to cure the violation and provide the AG with a written statement confirming that the violation has been resolved and will not recur.

Unlike most other U.S. state privacy laws, the UCPA's 30-day cure period is permanent. It does not sunset and become discretionary as it has in a number of other states.

Penalties

If a controller or processor fails to cure a violation within 30 days, or repeats a violation after providing a written statement that it has been resolved, the Attorney General may seek actual damages and civil fines of up to USD 7,500 per violation. 

Because each affected consumer can constitute a separate violation, penalties can accumulate significantly: a single violation affecting 100 consumers could result in fines up to USD 750,000. Enforcement proceeds are deposited into a dedicated Consumer Privacy Restricted Account used to fund Division investigations and consumer education.

First Enforcement Action: The Snap Lawsuit

After receiving 32 consumer complaints in approximately 18 months of the law's operation, the Division of Consumer Protection referred one matter to the AG. In May 2025, the Attorney General issued its first enforcement notice under the UCPA. 

In June 2025, the Division and the AG filed a civil lawsuit against Snap, Inc., the first UCPA enforcement litigation. The complaint also brought claims under other consumer protection statutes, including claims related to the platform's AI chatbot, and followed coordinated state actions against Meta and TikTok. The case signals that Utah's enforcement apparatus, while less active than California's, is operational.

Recent UCPA Updates and Legislative Developments

The UCPA has been amended several times since enactment, and a formal legislative review process built into the original law produced a detailed evaluation report in 2025.

Utah Artificial Intelligence Policy Act (UAIP)

On March 13, 2024, Utah became the first U.S. state to enact AI-focused consumer protection legislation. The Utah Artificial Intelligence Policy Act (UAIP), effective May 1, 2024, modifies the UCPA and imposes disclosure requirements on businesses using generative AI. 

Regulated-industry businesses (those requiring a state license or certificate to operate) must proactively disclose when customers are interacting with generative AI or AI-generated content. Businesses in non-regulated sectors must make this disclosure if a customer asks. 

The UAIP also established an Office of Artificial Intelligence Policy and an Artificial Intelligence Learning Laboratory Program to support AI governance and regulatory development within the state.

The UAIP also amended the UCPA's definition of personal data to explicitly exclude synthetic data — defined as data generated by computer algorithms or statistical models that contain no personal data — classifying it as a form of de-identified data. This provides businesses using AI training data with a clearer legal basis for treating such datasets as outside the UCPA's scope.

Right to Correct Amendment

A 2025 legislative amendment adds a right to correct personal data inaccuracies, effective July 1, 2026. The UCPA was one of the few comprehensive state privacy laws that lacked this right, an omission flagged in the 2025 Attorney General evaluation report. The amendment brings Utah's consumer rights framework into closer alignment with the majority of other state privacy laws.

Separately, the 2025 Digital Choice Act (Utah Code § 13-81) expands the UCPA's definition of personal data to include a social media user's 'social graph' — meaning their social connections, content, and interactions with other users — and grants consumers the full set of UCPA rights over that data from social media services. This also takes effect July 1, 2026.

Vehicle Data Amendment

Utah's 2026 legislative session produced House Bill 357, now enacted, which clarifies that vehicle manufacturers are subject to the UCPA and requires clear, accessible in-vehicle privacy notices and consumer controls. A delayed implementation date targeting 2030 applies to in-vehicle controls on newly manufactured vehicles, to allow the industry time to comply.

The amendment explicitly extends UCPA rights, which include notice, data category disclosure, and the right to deletion, to manufacturers processing data collected through connected vehicles. 


2025 Attorney General Evaluation Report

Utah Code § 13-61-404 required the Attorney General and the Division of Consumer Protection to jointly evaluate the UCPA's effectiveness and report to the legislature by July 1, 2025. 

The resulting report noted that while enforcement activity had been limited, the law's bifurcated enforcement structure, which requires complaints to pass from the Division to the AG before action can be taken, impeded the AG's ability to join multistate investigations efficiently. 

The report recommended streamlining this process. It also observed that the majority of U.S. state privacy laws enacted after Utah's provide meaningfully stronger consumer protections, suggesting further amendments are likely.

Meeting UCPA Requirements with a Consent Management Platform

The UCPA's opt-out consent model means businesses are not required to obtain a consumer's permission before collecting personal data, with the important exception of children's data. However, they are required to notify consumers about data processing before or at the point of collection, make opt-out mechanisms clearly accessible, and maintain accurate records of consumer choices.

A consent management platform (CMP) is well-suited to meeting these requirements in a scalable, automated way. For UCPA compliance, a CMP should be able to scan and inventory all cookies and tracking technologies active on a website or app, generate and maintain current privacy notices and cookie declarations, surface an opt-out mechanism for data sales and targeted advertising, and document consent records over time.

Cookiebot by Usercentrics handles all of these functions and supports compliance across the growing body of U.S. state privacy laws simultaneously. As more states enact privacy regulations, businesses that manage their digital consent infrastructure through a single, continuously updated platform reduce both compliance overhead and the risk of gaps when laws change.

Frequently asked questions

What are the applicability thresholds?

The UCPA applies to for-profit entities that operate in Utah or target Utah consumers, report annual revenue of at least USD 25 million, and either process the personal data of 100,000 or more consumers per year, or derive more than 50 percent of gross revenue from data sales while processing the data of at least 25,000 consumers.

What rights do Utah consumers have?

Currently, Utah consumers have the right to access their personal data, delete data they directly provided, receive a portable copy, and opt out of data sales and targeted advertising. As of July 1, 2026, they will also have the right to request correction of inaccurate data. The UCPA does not provide a right to appeal or a private right of action.

How does the UCPA define sensitive personal data?

Sensitive data includes information that reveals racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health-related information, genetic or biometric data (where processed to identify a specific individual), and geolocation data (where processed to identify a specific individual). 

Businesses must provide notice and an opt-out opportunity before processing sensitive data, but unlike most other state privacy laws, they do not need opt-in consent.

What are the penalties for noncompliance?

The Utah Attorney General may seek actual damages and civil fines of up to USD 7,500 per violation following a 30-day cure period. There is no private right of action. Each affected consumer may constitute a separate violation for purposes of calculating fines.

Does the UCPA require recognition of Global Privacy Control (GPC)?

No, unlike some other state privacy laws, the UCPA does not require businesses to recognize universal opt-out signals like Global Privacy Control. Consumers must use the opt-out mechanism provided directly by the business.

Can a CMP help with UCPA compliance?

Yes. A consent management platform can automate the detection and disclosure of cookies and tracking technologies, generate current privacy notices, provide an opt-out mechanism for data sales and targeted advertising, and maintain auditable consent records. Cookiebot by Usercentrics supports UCPA compliance alongside other U.S. state privacy laws and international frameworks.