Utah Data Privacy Laws: UCPA Consumer Rights Guide (2026)

The Utah Consumer Privacy Act (UCPA), codified at Utah Code Title 13, Chapter 61, took effect December 31, 2023, granting Utah residents rights to access, delete, and port personal data and to opt out of targeted advertising and data sales. It applies only to businesses above the $25 million revenue threshold defined in Section 13-61-102.

Utah has established itself as a state that prioritizes consumer data protection within a deliberately business-friendly framework. The Utah Consumer Privacy Act (UCPA) was signed into law in March 2022 and took effect on December 31, 2023. It was the fourth comprehensive state consumer data privacy law in the country, following California, Virginia, and Colorado.

Alongside the UCPA, Utah maintains the Protection of Personal Information Act (Utah Code Title 13, Chapter 44), which governs data breach notification requirements. A growing body of sectoral laws, including Utah's Artificial Intelligence Policy Act and the Minor Protection in Social Media Act, has expanded the state's digital privacy landscape significantly since 2024.

This guide covers every major provision of Utah data privacy law, including consumer rights, business obligations, enforcement mechanisms, penalties, and the data breach notification process, updated through the 2026 General Session.

Utah Consumer Privacy Act (UCPA) Overview

The UCPA was enacted through Senate Bill 227 during the 2022 General Session and is codified at Utah Code Title 13, Chapter 61. The law establishes rights for Utah consumers regarding their personal data and imposes obligations on businesses that collect and process that data.

The UCPA was deliberately designed to be less burdensome on businesses than comparable laws in California, Colorado, and Connecticut. The 2025 Utah Legislature interim report evaluating the UCPA described it as the most business-friendly comprehensive state privacy law enacted in the United States. That same report noted that the law received only 32 consumer complaints in its first 18 months, a low figure compared with peer states like Connecticut and Oregon.

The Utah Division of Consumer Protection within the Department of Commerce and Utah Attorney General Derek Brown share responsibility for administering and enforcing the law.

Who the UCPA Applies To

The UCPA applies to any controller or processor that meets all three of the following criteria under Section 13-61-102:

Conducts business in Utah or produces a product or service that is targeted to Utah residents.

Has annual revenue of $25,000,000 or more.

Meets one of two data processing thresholds. The business must either control or process personal data of 100,000 or more consumers during a calendar year, or derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.

All three criteria must be met. A business that operates in Utah but does not meet the revenue threshold is not subject to the UCPA. Similarly, a large company that meets the revenue threshold but does not process enough consumer data falls outside the law's scope. This combined revenue-plus-volume threshold structure is distinctive among U.S. state privacy laws.

Exempt Entities

The UCPA provides broad entity-level exemptions under Section 13-61-102. The following types of organizations are not subject to the law:

• Government entities and third-party contractors acting on their behalf
• Federally recognized tribes
• Institutions of higher education
• Nonprofit corporations
• Covered entities and business associates under HIPAA
• Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
• Consumer reporting agencies, furnishers, and users regulated under the Fair Credit Reporting Act (FCRA)
• Entities subject to the Driver's Privacy Protection Act
• Entities subject to the Family Educational Rights and Privacy Act (FERPA)
• Air carriers

Exempt Data Categories

Beyond entity-level exemptions, certain categories of data are excluded from the UCPA regardless of who holds them:

• Protected health information under HIPAA
• Patient identifying information governed by 42 CFR Part 2
• Data collected for human subjects research meeting federal standards
• De-identified health information as defined by 45 CFR 164
• Information used for public health activities
• Employment and payroll data processed in the employment context

Consumer Rights Under the UCPA

Section 13-61-201 grants Utah consumers the following rights over their personal data.

Right to Confirm and Access

You can ask a business to confirm whether it is processing your personal data. If it is, you have the right to access that data.

Right to Delete

You can request that a controller delete personal data that you provided to the controller. This is narrower than the deletion rights in some other states because it applies only to data the consumer provided, not all data the business holds about the consumer.

Right to Data Portability

You can obtain a copy of your personal data in a format that is, to the extent technically feasible, portable and readily usable. The format must allow you to transmit the data to another controller without impediment, where the processing is carried out by automated means.

Right to Opt Out of Data Sales

You can direct a controller to stop selling your personal data to third parties. Under the UCPA, a "sale" means the exchange of personal data for monetary consideration. This is a narrower definition than laws like the CCPA, which also includes exchanges for "other valuable consideration."

Right to Opt Out of Targeted Advertising

You can opt out of the processing of your personal data for purposes of targeted advertising. If a controller engages in targeted advertising or sells personal data, the controller must clearly and conspicuously disclose that fact and provide a way for consumers to opt out.

Right to Correct (Effective July 1, 2026)

Beginning July 1, 2026, Utah consumers will have the right to request that a controller correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing. This right was added through a 2025 legislative amendment and brings Utah in line with the correction rights that Virginia, Colorado, Connecticut, and Texas already provide. Businesses should ensure their consumer request workflows are updated to handle correction requests by the effective date.

How to Exercise Your Rights

Consumers can exercise their rights by submitting a request directly to the business. The Utah Division of Consumer Protection provides sample request letters and a data privacy complaint form.

Controllers must respond to consumer requests within 45 days of receiving the request. If a controller declines to take action, it must inform the consumer without undue delay and explain the basis for the refusal.

Sensitive Data Provisions

The UCPA defines "sensitive data" as personal data that reveals any of the following:

• Racial or ethnic origin
• Religious beliefs
• Sexual orientation
• Citizenship or immigration status
• Medical or mental health information
• Genetic data
• Biometric data used to identify a specific individual
• Specific geolocation data (within 1,750 feet or less)

Opt-Out Rather Than Opt-In

This is one of the most significant differences between the UCPA and other state privacy laws. Under Section 13-61-302, a controller may not process sensitive data without providing the consumer with clear notice and an opportunity to opt out.

By contrast, states like Virginia, Colorado, Connecticut, and Texas require opt-in consent before processing sensitive data. The UCPA's opt-out approach places less burden on businesses and gives consumers less protection over their most sensitive information.

For sensitive data of children under 13, the UCPA requires compliance with the federal Children's Online Privacy Protection Act (COPPA), which does require verifiable parental consent.

Exceptions to Sensitive Data Classification

The UCPA carves out two exceptions from the sensitive data definition:

• Racial or ethnic origin data processed by video communication services is not treated as sensitive data
• Medical data processed by licensed health care providers in the course of treatment is not treated as sensitive data under the UCPA

Controller and Processor Obligations

Controller Duties

Under Section 13-61-302, controllers must meet several obligations.

Privacy notice. Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes the categories of personal data processed, the purposes for processing, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties.

Data security. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data. These practices must reduce reasonably foreseeable risks of harm and be appropriate to the volume and nature of the data at issue.

Non-discrimination. Controllers cannot discriminate against consumers who exercise their rights. This means a controller cannot deny goods or services, charge different prices, or provide a different level of quality based on the consumer exercising a UCPA right. However, loyalty or rewards programs that offer price differentials are permitted.

Non-waiver. Any contract provision that purports to waive or limit a consumer's rights under the UCPA is void and unenforceable.

What the UCPA Does NOT Require

Several obligations that appear in peer state laws are absent from the UCPA. Controllers are not required to conduct data protection assessments for high-risk processing activities, recognize universal opt-out signals like Global Privacy Control, appoint a data protection officer, or provide a right to appeal a controller's response to a consumer request. These omissions reflect the law's business-friendly design intent.

Processor Duties

Under Section 13-61-301, processors must adhere to the controller's instructions and implement appropriate technical and organizational measures to assist the controller. Before processing personal data on a controller's behalf, the processor and controller must execute a contract specifying:

• The instructions for processing
• The nature and purpose of the processing
• The types of data subject to processing
• The duration of the processing
• The rights and obligations of both parties

The contract must require the processor to maintain confidentiality and ensure that any subcontractors meet the same obligations.

De-Identified and Pseudonymous Data

Section 13-61-303 provides that controllers are not required to re-identify de-identified or pseudonymous data to respond to consumer requests. Pseudonymous data is exempt from access, deletion, and portability rights as long as the identifying information is kept separate with appropriate technical and organizational safeguards.

UCPA Enforcement and Penalties

Division of Consumer Protection Role

The Utah Division of Consumer Protection serves as the front line for UCPA enforcement under Section 13-61-401. The Division receives consumer complaints, investigates alleged violations, and refers matters with substantial evidence to the Attorney General.

Consumers who believe a business has violated their data privacy rights can file a complaint through the Division's online data privacy complaint form. The Division received 32 consumer complaints in the law's first 18 months, a low volume that led the Utah Legislature's 2025 interim report to note that the Consumer Privacy Restricted Account established by Section 13-61-403 remained unfunded, as enforcement revenue had not yet been collected.

Attorney General Authority

Under Section 13-61-402, the Utah Attorney General has exclusive authority to bring enforcement actions for UCPA violations. There is no private right of action, meaning consumers cannot sue businesses directly for violating the UCPA.

30-Day Cure Period

Before the Attorney General can initiate an enforcement action, the AG must provide written notice to the controller or processor identifying the specific violations and explaining the factual basis for the alleged violations.

The controller or processor then has 30 days to cure the violation and provide an express written statement that the violation has been cured and that no further violations will occur. If the company cures the violation within this window, no enforcement action may be taken.

This mandatory cure period is permanent under the UCPA. Some other states, such as Colorado and Connecticut, included cure periods that expired or became discretionary after a set date. The 2025 legislative interim report noted that the current enforcement workflow, in which the AG must refer to the Division and the Division must refer back before a cure letter can issue, creates procedural friction that may warrant future legislative streamlining.

Penalties for Non-Cured Violations

If a controller or processor fails to cure the violation within 30 days, the Attorney General can pursue:

• Actual damages to affected consumers
• Civil penalties of up to $7,500 per violation

Multiple controllers or processors involved in the same violation share liability under comparative fault principles.

Consumer Privacy Account

Section 13-61-403 established a Consumer Privacy Restricted Account. Money collected through enforcement actions is deposited into this account and used for Division investigation costs, Attorney General recovery expenses, and consumer and business education. Balances exceeding $4,000,000 are transferred to the General Fund. As of the 2025 interim evaluation, no funds had been deposited into the account.

UCPA Penalty Summary Table

UCPA Enforcement Actions

First Enforcement Notice and the Snap Lawsuit

Attorney General Derek Brown's office issued its first enforcement notice under Section 13-61-402 in May 2025, sending a formal Notice of Violation to Snap, Inc.

After Snap did not cure the identified violations within the statutory 30-day window, the Division of Consumer Protection and the State of Utah filed a civil enforcement complaint against Snap in the Third Judicial District Court on June 30, 2025.

The complaint alleges that Snap violated the UCPA by failing to inform consumers about its data collection and processing practices, failing to provide users or their parents with an opportunity to opt out of sharing sensitive data (including biometric and geolocation information gathered by the My AI feature), and committing related violations of Utah's consumer protection statutes. Snap filed a motion to dismiss; the case was still pending as of May 2026.

The Snap lawsuit was the fourth major social media enforcement action coordinated by the Division and Attorney General, following earlier coordinated suits against Meta and TikTok.

Enforcement Challenges

The 2025 interim report acknowledged that the low complaint volume reflects a gap between the number of likely violations occurring and the number of consumers engaging the formal complaint process. Attorney General Brown's office indicated it was evaluating legislative proposals to streamline the referral process between the Division and the AG's office to reduce procedural friction.

Utah Data Breach Notification Law

Separate from the UCPA, Utah maintains the Protection of Personal Information Act (Utah Code Title 13, Chapter 44), which governs data breach notification requirements.

What Is Personal Information

Under Section 13-44-102, "personal information" means a person's first name or first initial and last name combined with any one or more of the following data elements:

• Social Security number
• Driver's license number or state identification number
• Financial account number, or credit or debit card number (with any required security code, access code, or password)

What Constitutes a Breach

A "breach of system security" is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. An acquisition by an employee or agent does not count as a breach unless the personal information is used for an unlawful purpose or disclosed in an unauthorized manner.

Investigation Requirement

Under Section 13-44-202, when a person who owns or licenses computerized data becomes aware of a breach, they must conduct a good-faith, reasonable, and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud.

Consumer Notification

If the investigation reveals that misuse has occurred or is reasonably likely to occur, the person must notify each affected Utah resident in the most expedient time possible without unreasonable delay.

Notification may be provided by any of the following methods:

• In person
• By telephone
• By email
• By mail
• Through substitute notice (website posting and statewide media notice) if the cost of direct notification exceeds $250,000, the affected class exceeds 500,000 residents, or the person does not have sufficient contact information

Notification Content Requirements

The notification must include:

• The date the breach occurred
• The date the breach was discovered
• The total number of people affected, including the number of Utah residents
• The type of personal information involved
• A description of the breach

Government and Large-Scale Breach Reporting

If the breach affects 500 or more Utah residents, the person must also notify the Utah Attorney General and the Utah Cyber Center. Reporting is done through an online breach reporting form that automatically notifies both agencies.

Government entities in Utah have a stricter timeline. Under Utah Code 63A-19-405, state and local government agencies must report breaches within five days of discovery.

Breach Notification Penalties

Under Section 13-44-301, the Attorney General enforces the data breach notification law. Penalties include:

• Up to $2,500 per violation or series of violations concerning a specific consumer
• Up to $100,000 in the aggregate for related violations concerning more than one consumer

The Attorney General may also seek injunctive relief and recover attorney fees and costs. There is no private right of action under this statute.

Statute of limitations: Administrative actions must be filed within 10 years of the breach. Civil actions must be filed within five years of the breach.

Utah Artificial Intelligence Policy Act

Utah enacted the Artificial Intelligence Policy Act (AIPA) through Senate Bill 149 during the 2024 General Session. The AIPA became effective May 1, 2024, making Utah the first state in the country to enact a law specifically regulating generative AI interactions in consumer-facing contexts.

Core Disclosure Requirements

The AIPA requires any person who provides services in a regulated occupation to disclose, when asked by a consumer, whether the consumer is interacting with a generative AI system rather than a human. The disclosure requirement applies to text, audio, and visual communications.

Businesses that deploy generative AI in consumer interactions must ensure the AI does not claim to be human when directly asked. Violations of the disclosure requirement are treated as deceptive trade practices under the Utah Consumer Sales Practices Act.

2025 Amendments (Effective May 7, 2025)

The Utah Legislature amended the AIPA in 2025 through two bills. Senate Bill 226 introduced stricter disclosure requirements for "high-risk" AI interactions, including situations where a consumer is seeking advice on health, financial, or legal matters, or where the AI interaction involves the collection of biometric or sensitive data. Under SB 226, disclosure of AI use in these contexts is required proactively, not only when the consumer asks.

Senate Bill 332 extended the AIPA's original sunset date. Without SB 332, the AIPA would have expired on May 7, 2025. SB 332 extended the Act through July 1, 2027, giving the Office of Artificial Intelligence Policy additional time to study AI governance and develop further regulatory guidance.

Office of Artificial Intelligence Policy

The AIPA established the Office of Artificial Intelligence Policy, housed within the Utah Department of Commerce. The Office administers a regulatory sandbox program that allows businesses to test AI applications under relaxed regulatory requirements while demonstrating compliance with core consumer protection principles.

Utah Social Media Laws for Minors

Minor Protection in Social Media Act

Utah enacted the Minor Protection in Social Media Act in 2024, repealing and replacing the earlier Social Media Regulation Act. The law requires social media companies to implement age-verification systems, apply default privacy settings for minor users, and prohibit addictive design features such as infinite scroll and autoplay for users under 18.

Current Injunction Status

On September 10, 2024, U.S. District Judge Robert J. Shelby granted NetChoice's motion for a preliminary injunction, blocking enforcement of the Minor Protection in Social Media Act pending litigation. The court found NetChoice was substantially likely to succeed on its claim that the law violates the First Amendment.

The State of Utah appealed the injunction to the U.S. Court of Appeals for the Tenth Circuit. Oral arguments were heard in November 2025. As of May 2026, the Tenth Circuit has not issued a decision. The law remains enjoined and is not currently in effect.

Data Privacy Implications

While enforcement is blocked, businesses operating social media platforms accessible to minors in Utah should monitor the Tenth Circuit ruling. If the injunction is lifted or partially modified, the law's data minimization requirements, consent obligations for parental data access, and sensitive-data protections for minor users would take effect on relatively short notice.

2026 Utah Legislative Session: Privacy Updates

The Utah Legislature's 2026 General Session produced three new laws relevant to data privacy.

HB 182: Genetic Information Amendments

House Bill 182, enacted in 2026, restricts the storage and transmission of genetic sequencing data by healthcare facilities and genomic research organizations in Utah. The law prohibits storage of genetic sequencing data in foreign adversary nations, bans remote access to such data by foreign-adversary-linked entities without written authorization, and requires facilities to implement reasonable encryption and access controls. Civil penalties of $10,000 per violation apply, enforced by the Attorney General. The law's primary effective date is January 1, 2028, with compliance certifications required by December 2028.

HB 261: Electronic Information Privacy Act Amendments

House Bill 261, signed March 24, 2026, amends Utah's Electronic Information Privacy Act. The amendments require law enforcement agencies to obtain a warrant based on probable cause before accessing electronic information, including location data, stored data, or data transmitted to service providers. Exceptions exist for informed consent, emergencies involving imminent danger to life or physical safety, and inadvertent discovery of felony-related evidence. The bill also adds a definition of "subscriber record" clarifying what types of customer information held by telecommunications and cloud providers fall under the warrant requirement.

HB 357: Motor Vehicle Data Privacy

House Bill 357, enacted in 2026, amends Utah's consumer data privacy framework to require motor vehicle manufacturers to comply with UCPA-style consumer data rights regardless of whether the manufacturer meets the UCPA's $25 million revenue and data-volume thresholds. The amendment closes a gap that would have excluded manufacturers below the UCPA's applicability floor from any consumer data rights obligation for vehicle-generated data.

Federal Privacy Laws That Apply to Utah Residents

Federal laws overlay Utah's state framework and provide additional protections for many Utah residents and businesses.

HIPAA

The Health Insurance Portability and Accountability Act applies to covered entities (health plans, healthcare providers, and healthcare clearinghouses) and their business associates. HIPAA's Privacy Rule and Security Rule govern the use and disclosure of protected health information regardless of what state the covered entity operates in. HIPAA-regulated entities are exempt from the UCPA's scope, but HIPAA imposes its own set of consumer rights, breach notification obligations, and security requirements.

Gramm-Leach-Bliley Act (GLBA)

The GLBA applies to financial institutions and governs how they share and protect consumers' nonpublic personal financial information. GLBA-regulated institutions are exempt from the UCPA, but remain subject to federal privacy notices, opt-out rights for certain data sharing, and the FTC Safeguards Rule's data security requirements.

Fair Credit Reporting Act (FCRA)

The FCRA governs consumer reporting agencies and the permissible uses of consumer reports. Consumer reporting agencies are exempt from the UCPA, but remain subject to FCRA accuracy, dispute, and disclosure requirements.

Children's Online Privacy Protection Act (COPPA)

COPPA applies to operators of websites and online services directed to children under 13, or that knowingly collect personal information from children under 13. COPPA requires verifiable parental consent before collecting, using, or disclosing a child's personal information. The UCPA defers to COPPA for children's data, making COPPA compliance the baseline obligation for covered child-directed services.

TAKE IT DOWN Act (Effective May 19, 2025)

Congress enacted the TAKE IT DOWN Act (Pub. L. 119-12) as a federal law addressing nonconsensual intimate visual depictions, including AI-generated deepfakes. President Trump signed the Act on May 19, 2025. The Act has two operative parts:

• Criminal prohibition: The Act creates a federal criminal offense for knowingly publishing nonconsensual intimate images, effective immediately upon signing.
• Platform takedown obligations: Covered online platforms must provide a process for victims to request removal of such content. When a valid request is received, the platform must remove the content and any known identical copies within 48 hours. These obligations took effect on May 19, 2026, one year after enactment. The FTC began enforcing Section 3 of the Act on May 19, 2026, with potential civil penalties of up to $53,088 per violation.

FTC Act Section 5

The Federal Trade Commission Act prohibits unfair or deceptive acts or practices in commerce. The FTC uses Section 5 to bring enforcement actions against companies that fail to honor their own privacy policies, maintain inadequate data security, or make material misrepresentations about data practices. Section 5 applies to most for-profit businesses, including those below the UCPA's applicability thresholds.

American Privacy Rights Act (APRA): Did Not Become Law

A bipartisan federal comprehensive privacy bill, the American Privacy Rights Act, was introduced in 2024 and advanced out of a House subcommittee. It expired at the end of the 118th Congress in January 2025 without being enacted. No substantially equivalent federal comprehensive privacy bill had been enacted as of May 2026. Businesses should not rely on any anticipated federal preemption of state privacy laws.

How the UCPA Compares to Other State Privacy Laws

The UCPA is considered the most business-friendly of the early comprehensive state privacy laws. Several key differences set it apart.

Sensitive data standard. Utah requires only notice and an opt-out opportunity for processing sensitive data. Virginia, Colorado, Connecticut, and Texas all require affirmative opt-in consent.

Narrower definition of sale. The UCPA defines "sale" as the exchange of personal data for monetary consideration only. California, Colorado, and other states also include exchanges for "other valuable consideration," capturing a broader range of data-sharing arrangements.

No data protection assessments. The UCPA does not require controllers to conduct data protection assessments for high-risk processing activities. Virginia, Colorado, Connecticut, and Texas all mandate such assessments.

No universal opt-out mechanism requirement. Unlike Colorado, Connecticut, Montana, and Texas, Utah does not require businesses to honor universal opt-out signals like Global Privacy Control.

Permanent cure period. The UCPA's 30-day cure period is permanent. Colorado's cure period expired in January 2025, and Connecticut's became discretionary after a set date.

Right to correct added July 2026. The UCPA was the only early comprehensive state privacy law that did not include a right to correct from the start. The July 1, 2026 amendment closes this gap.

Practical Compliance Steps for Businesses

Businesses subject to the UCPA should take the following steps.

Confirm applicability. Verify that your business meets all three criteria: Utah nexus, $25 million annual revenue, and the applicable data-volume threshold. Many smaller businesses are not covered.

Update your privacy notice. The UCPA requires a notice that specifically describes the categories of data processed, purposes, consumer rights under Utah law, categories of data shared with third parties, and categories of third-party recipients. A generic notice that does not address Utah consumer rights may not satisfy the requirement.

Build consumer request workflows. You need a mechanism to receive and respond to requests for access, deletion, and portability within 45 days. As of July 1, 2026, correction requests must also be handled within 45 days.

Audit sensitive data processing. If you collect biometric data, precise geolocation, or health information, ensure you are providing clear notice and a genuine opt-out mechanism before processing. Document the basis for any sensitive data processing.

Establish processor contracts. Review all vendor agreements involving personal data processing to confirm required data processing agreement terms are in place.

Implement data security. The UCPA requires "reasonable" security practices scaled to the volume and sensitivity of the data. A documented security program is both a legal requirement and the foundation for any cure-period response.

Prepare for TAKE IT DOWN Act obligations (if you operate an online platform). If your business operates a platform where users can post images or videos, you must have a compliant notice-and-removal process for nonconsensual intimate visual depictions as of May 19, 2026.

How Utah Residents Exercise Their Privacy Rights

If you believe a business is processing your personal data in violation of the UCPA, you can file a complaint with the Utah Division of Consumer Protection. The Division provides an online data privacy complaint form and sample consumer request letters.

The Division investigates complaints and may refer cases to Attorney General Derek Brown's office for enforcement. Keep records of any requests you send to businesses and the responses you receive, as this documentation supports any later complaint.

For data breach concerns, the Utah Cyber Center provides a breach reporting form and resources for affected individuals.

More Utah Laws

Looking for information on other Utah recording and privacy laws? Visit our Data Privacy Laws by State hub to compare Utah with other states. You can also explore related topics:

• Utah AI Meeting Recording Laws
• Utah Alimony Laws
• Utah At-Will Employment Laws
• Utah Car Accident Laws
• Utah Car Seat Laws
• Utah Child Custody Laws
• Utah Child Support Laws
• Utah Common Law Marriage Laws
• Utah Deepfake Laws
• Utah Divorce Laws
• Utah Dog Bite Laws
• Utah Emancipation Laws
• Utah Expungement Laws
• Utah Hit and Run Laws
• Utah Landlord-Tenant Laws
• Utah Lemon Laws

In-depth guides

• What Is the UCPA? Utah Consumer Privacy Act
• UCPA Consumer Rights: Your Data Privacy Rights
• UCPA Compliance Checklist for Businesses (2026)