Utah Data Privacy Laws: UCPA Consumer Rights Guide (2026)

Utah has established itself as a state that balances consumer data protection with a business-friendly regulatory approach. The Utah Consumer Privacy Act (UCPA) was signed into law in March 2022 and took effect on December 31, 2023. It was the fourth comprehensive state consumer data privacy law in the country, following California, Virginia, and Colorado.
Alongside the UCPA, Utah maintains the Protection of Personal Information Act (Utah Code 13-44), which governs data breach notification requirements. Together, these statutes create the framework for data privacy rights and obligations in the state.
This guide covers every major provision of Utah data privacy law, including consumer rights, business obligations, enforcement mechanisms, penalties, and the data breach notification process.
Utah Consumer Privacy Act (UCPA) Overview
The UCPA was enacted through Senate Bill 227 during the 2022 General Session and is codified at Utah Code Title 13, Chapter 61. The law establishes rights for Utah consumers regarding their personal data and imposes obligations on businesses that collect and process that data.

The UCPA was deliberately designed to be less burdensome on businesses than comparable laws in California, Colorado, and Connecticut. It has been widely described as the most business-friendly comprehensive state privacy law enacted in the United States.
The Utah Division of Consumer Protection within the Department of Commerce and the Utah Attorney General share responsibility for administering and enforcing the law.
Who the UCPA Applies To
The UCPA applies to any controller or processor that meets all three of the following criteria under Section 13-61-102:
- Conducts business in Utah or produces a product or service that is targeted to Utah residents.
- Has annual revenue of $25,000,000 or more.
- Meets one of two data processing thresholds. The business must either control or process personal data of 100,000 or more consumers during a calendar year, or derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.
All three criteria must be met. A business that operates in Utah but does not meet the revenue threshold is not subject to the UCPA. Similarly, a large company that meets the revenue threshold but does not process enough consumer data falls outside the law's scope.
Exempt Entities
The UCPA provides broad entity-level exemptions under Section 13-61-102. The following types of organizations are not subject to the law:
- Government entities and third-party contractors acting on their behalf
- Federally recognized tribes
- Institutions of higher education
- Nonprofit corporations
- Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA)
- Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
- Consumer reporting agencies, furnishers, and users regulated under the Fair Credit Reporting Act (FCRA)
- Entities subject to the Driver's Privacy Protection Act
- Entities subject to the Family Educational Rights and Privacy Act (FERPA)
- Entities under the Farm Credit Act
- Air carriers
- Individuals processing personal data for purely personal or household purposes
Exempt Data Categories
Beyond entity-level exemptions, certain categories of data are excluded from the UCPA regardless of who holds them:
- Protected health information under HIPAA
- Patient identifying information governed by 42 CFR Part 2
- Data collected for human subjects research meeting federal standards
- Health care quality improvement data
- Patient safety work product
- De-identified health information as defined by 45 CFR 164
- Information used for public health activities
- Employment and payroll data processed in the employment context
Consumer Rights Under the UCPA
Section 13-61-201 grants Utah consumers the following rights over their personal data.
Right to Confirm and Access
You can ask a business to confirm whether it is processing your personal data. If it is, you have the right to access that data.
Right to Delete
You can request that a controller delete personal data that you provided to the controller. This is narrower than the deletion rights in some other states because it applies only to data the consumer provided, not all data the business holds about the consumer.
Right to Data Portability
You can obtain a copy of your personal data in a format that is, to the extent technically feasible, portable and readily usable. The format must allow you to transmit the data to another controller without impediment, where the processing is carried out by automated means.
Right to Opt Out of Data Sales
You can direct a controller to stop selling your personal data to third parties. Under the UCPA, a "sale" means the exchange of personal data for monetary consideration. This is a narrower definition than laws like the CCPA, which also includes exchanges for "other valuable consideration."
Right to Opt Out of Targeted Advertising
You can opt out of the processing of your personal data for purposes of targeted advertising. If a controller engages in targeted advertising or sells personal data, the controller must clearly and conspicuously disclose that fact and provide a way for consumers to opt out.
Right to Correct (Effective July 1, 2026)
Beginning July 1, 2026, Utah consumers will also have the right to request that a controller correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing. This right was added through a 2025 legislative amendment.
How to Exercise Your Rights
Consumers can exercise their rights by submitting a request directly to the business. The Utah Division of Consumer Protection provides sample request letters and a data privacy complaint form that consumers can use.
Controllers must respond to consumer requests within 45 days of receiving the request. If a controller declines to take action, it must inform the consumer without undue delay and explain the basis for the refusal.
Sensitive Data Provisions
The UCPA defines "sensitive data" as personal data that reveals any of the following:
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Citizenship or immigration status
- Medical or mental health information
- Genetic data
- Biometric data used to identify a specific individual
- Specific geolocation data (within 1,750 feet or less)
Opt-Out Rather Than Opt-In
This is one of the most significant differences between the UCPA and other state privacy laws. Under Section 13-61-302, a controller may not process sensitive data without providing the consumer with clear notice and an opportunity to opt out.
By contrast, states like Virginia, Colorado, Connecticut, and Texas require opt-in consent before processing sensitive data. The UCPA's opt-out approach places less burden on businesses and gives consumers less protection over their most sensitive information.
For sensitive data of children under 13, the UCPA requires compliance with the federal Children's Online Privacy Protection Act (COPPA), which does require verifiable parental consent.
Exceptions to Sensitive Data Classification
The UCPA carves out two exceptions from the sensitive data definition:
- Racial or ethnic origin data processed by video communication services is not treated as sensitive data
- Medical data processed by licensed health care providers in the course of treatment is not treated as sensitive data under the UCPA
Controller and Processor Obligations
Controller Duties
Under Section 13-61-302, controllers must meet several obligations.
Privacy notice. Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes the categories of personal data processed, the purposes for processing, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties.
Data security. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data. These practices must reduce reasonably foreseeable risks of harm and be appropriate to the volume and nature of the data at issue.
Non-discrimination. Controllers cannot discriminate against consumers who exercise their rights. This means a controller cannot deny goods or services, charge different prices, or provide a different level of quality based on the consumer exercising a UCPA right. However, loyalty or rewards programs that offer price differentials are permitted.
Non-waiver. Any contract provision that purports to waive or limit a consumer's rights under the UCPA is void and unenforceable.
Processor Duties
Under Section 13-61-301, processors must adhere to the controller's instructions and implement appropriate technical and organizational measures to assist the controller. Before processing personal data on a controller's behalf, the processor and controller must execute a contract specifying:
- The instructions for processing
- The nature and purpose of the processing
- The types of data subject to processing
- The duration of the processing
- The rights and obligations of both parties
The contract must require the processor to maintain confidentiality and ensure that any subcontractors meet the same obligations.
De-Identified and Pseudonymous Data
Section 13-61-303 provides that controllers are not required to re-identify de-identified or pseudonymous data to respond to consumer requests. Controllers also are not required to maintain data in identifiable form solely to comply with the UCPA.
Pseudonymous data is exempt from access, deletion, and portability rights as long as the identifying information is kept separate with appropriate technical and organizational safeguards.
UCPA Enforcement and Penalties
Division of Consumer Protection Role
The Utah Division of Consumer Protection serves as the front line for UCPA enforcement under Section 13-61-401. The Division receives consumer complaints, investigates alleged violations, and refers matters with substantial evidence to the Attorney General.
Consumers who believe a business has violated their data privacy rights can file a complaint through the Division's online data privacy complaint form.
Attorney General Authority
Under Section 13-61-402, the Utah Attorney General has exclusive authority to bring enforcement actions for UCPA violations. There is no private right of action, meaning consumers cannot sue businesses directly for violating the UCPA.
30-Day Cure Period
Before the Attorney General can initiate an enforcement action, the AG must provide written notice to the controller or processor identifying the specific violations and explaining the factual basis for the alleged violations.
The controller or processor then has 30 days to cure the violation and provide an express written statement that the violation has been cured and that no further violations will occur. If the company cures the violation within this window, no enforcement action may be taken.
This mandatory cure period is permanent under the UCPA. Some other states, such as Colorado and Connecticut, included cure periods that expired or became discretionary after a set date.
Penalties for Non-Cured Violations
If a controller or processor fails to cure the violation within 30 days, the Attorney General can pursue:
- Actual damages to affected consumers
- Civil penalties of up to $7,500 per violation
Multiple controllers or processors involved in the same violation share liability under comparative fault principles.
Consumer Privacy Account
Section 13-61-403 established a Consumer Privacy Restricted Account. Money collected through enforcement actions is deposited into this account and used for Division investigation costs, Attorney General recovery expenses, and consumer and business education. Balances exceeding $4,000,000 are transferred to the General Fund.
UCPA Penalty Summary Table
| Violation Type | Statute | Maximum Penalty | Cure Period | Enforced By |
|---|---|---|---|---|
| UCPA violation (per violation) | Utah Code 13-61-402 | $7,500 | 30 days (mandatory) | Attorney General |
| Data breach notification failure (per consumer) | Utah Code 13-44-301 | $2,500 | None | Attorney General |
| Data breach notification failure (aggregate) | Utah Code 13-44-301 | $100,000 | None | Attorney General |
Recent UCPA Enforcement
The Utah Attorney General's office issued its first enforcement notice under Section 13-61-402 in May 2025. In June 2025, the Division of Consumer Protection and the Attorney General filed a lawsuit against Snap, Inc. (the parent company of Snapchat) in state court.
The complaint alleged that Snap violated the UCPA by failing to inform consumers about its data collection and processing practices and by failing to provide users or their parents with an opportunity to opt out of sharing sensitive data, including biometric and geolocation information.
The Snap lawsuit also included claims related to the platform's AI chatbot and alleged violations of other Utah consumer protection statutes. It was the fourth major social media lawsuit initiated by the Division of Consumer Protection and Attorney General, following coordinated actions against Meta and TikTok.
The 2025 legislative interim report evaluating the UCPA provides additional details on enforcement activity and the law's effectiveness since taking effect.
Utah Data Breach Notification Law
Separate from the UCPA, Utah maintains the Protection of Personal Information Act (Utah Code Title 13, Chapter 44), which governs data breach notification requirements.
What Is Personal Information
Under Section 13-44-102, "personal information" means a person's first name or first initial and last name combined with any one or more of the following data elements:
- Social Security number
- Driver's license number or state identification number
- Financial account number, or credit or debit card number (with any required security code, access code, or password)
What Constitutes a Breach
A "breach of system security" is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. An acquisition by an employee or agent does not count as a breach unless the personal information is used for an unlawful purpose or disclosed in an unauthorized manner.
Investigation Requirement
Under Section 13-44-202, when a person who owns or licenses computerized data becomes aware of a breach, they must conduct a good-faith, reasonable, and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud.
Consumer Notification
If the investigation reveals that misuse has occurred or is reasonably likely to occur, the person must notify each affected Utah resident in the most expedient time possible without unreasonable delay.
Notification may be provided by any of the following methods:
- In person
- By telephone
- By email
- By mail
- Through substitute notice (website posting and statewide media notice) if the cost of direct notification exceeds $250,000, the affected class exceeds 500,000 residents, or the person does not have sufficient contact information
Notification Content Requirements
The notification must include:
- The date the breach occurred
- The date the breach was discovered
- The total number of people affected, including the number of Utah residents
- The type of personal information involved
- A description of the breach
Government and Large-Scale Breach Reporting
If the breach affects 500 or more Utah residents, the person must also notify the Utah Attorney General and the Utah Cyber Center. Reporting is done through an online breach reporting form that automatically notifies both agencies.
Government entities in Utah have a stricter timeline. Under Utah Code 63A-19-405, state and local government agencies must report breaches within five days of discovery.
Breach Notification Penalties
Under Section 13-44-301, the Attorney General enforces the data breach notification law. Penalties include:
- Up to $2,500 per violation or series of violations concerning a specific consumer
- Up to $100,000 in the aggregate for related violations concerning more than one consumer (unless the violations affect 10,000 or more residents both in-state and out-of-state, or the person agrees to settle for more)
The Attorney General may also seek injunctive relief and recover attorney fees and costs. There is no private right of action under this statute.
Statute of limitations: Administrative actions must be filed within 10 years of the breach. Civil actions must be filed within five years of the breach.
How the UCPA Compares to Other State Privacy Laws
The UCPA is considered the most business-friendly of the early comprehensive state privacy laws. Several key differences set it apart.
Sensitive data standard. Utah requires only notice and an opt-out opportunity for processing sensitive data. Virginia, Colorado, Connecticut, and Texas all require affirmative opt-in consent.
Narrower definition of sale. The UCPA defines "sale" as the exchange of personal data for monetary consideration only. California, Colorado, and other states also include exchanges for "other valuable consideration," capturing a broader range of data-sharing arrangements.
No data protection assessments. The UCPA does not require controllers to conduct data protection assessments for high-risk processing activities. Virginia, Colorado, Connecticut, and Texas all mandate such assessments.
No universal opt-out mechanism requirement. Unlike Colorado, Connecticut, Montana, and Texas, Utah does not require businesses to honor universal opt-out signals like Global Privacy Control.
Permanent cure period. The UCPA's 30-day cure period is permanent. Colorado's cure period expired in January 2025, and Connecticut's became discretionary.
No right to correct (until July 2026). The UCPA was the only early comprehensive state privacy law that did not include a right to correct. This right will be added effective July 1, 2026 through a legislative amendment.
How to File a Data Privacy Complaint in Utah
If you believe a business has violated your data privacy rights under the UCPA, you can file a complaint with the Utah Division of Consumer Protection. The Division provides an online data privacy complaint form.
The Division investigates complaints and may refer cases to the Attorney General for enforcement. You can also contact the Division for general questions about your rights under the UCPA.
For data breach concerns, the Utah Cyber Center provides a breach reporting form and resources for affected individuals.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Utah for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- Utah Code Title 13, Chapter 61 - Utah Consumer Privacy Act (le.utah.gov)
- Utah Senate Bill 227 - Consumer Privacy Act (le.utah.gov)
- Utah Code Section 13-61-102 - Applicability (le.utah.gov)
- Utah Code Section 13-61-302 - Controller Responsibilities (le.utah.gov)
- Utah Division of Consumer Protection - UCPA (commerce.utah.gov)
- Utah Attorney General - Data Privacy (attorneygeneral.utah.gov)
- Utah UCPA Consumer Factsheet (commerce.utah.gov)
- Utah Code Title 13, Chapter 44 - Protection of Personal Information Act (le.utah.gov)
- Utah Code Section 13-44-202 - Notification (le.utah.gov)
- Utah Code Section 13-44-301 - Enforcement (le.utah.gov)
- Utah Cyber Center - Report a Breach (cybercenter.utah.gov)
- Utah Legislature - UCPA Evaluation Report (2025) (le.utah.gov)
- Utah DCP - Snap Enforcement Action (commerce.utah.gov)
- Utah Code Section 13-44-102 - Definitions (le.utah.gov)