Utah Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Utah was the fourth state in the nation to enact a comprehensive consumer data privacy law when Governor Spencer Cox signed SB 227 in March 2022. The Utah Consumer Privacy Act (UCPA) took effect on December 31, 2023, and it includes biometric data within its definition of sensitive data.
What makes Utah's approach distinctive is its opt-out model for sensitive data. While states like Colorado, Virginia, and Connecticut require businesses to obtain opt-in consent before processing biometric data, Utah only requires that businesses provide notice and an opportunity to opt out. This makes the UCPA one of the most business-friendly comprehensive privacy laws in the country.
For a broader overview of privacy protections in the state, see the parent guide to Utah Data Privacy Laws.
How the UCPA Defines Biometric Data
Under Utah Code 13-61-101, biometric data means data generated by automatic measurements of an individual's unique biological characteristics. The statute specifically lists these examples:
- Fingerprints
- Voiceprints
- Eye retinas
- Irises
- Other unique biological patterns or characteristics used to identify a specific individual
The definition explicitly excludes several categories of data:
- Physical or digital photographs
- Video or audio recordings
- Data generated from photographs or recordings
- Information captured from a patient in a health care setting
- Information collected, used, or stored for health care treatment, payment, or operations under HIPAA
This definition closely mirrors the approach taken by Virginia and Colorado. It is narrower than Illinois's BIPA, which covers a broader set of biometric identifiers.
Sensitive Data Classification and Opt-Out Rights
The UCPA classifies biometric data processed for the purpose of identifying a specific individual as "sensitive data." This is the highest protection tier under the law. Other categories of sensitive data include:
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Citizenship or immigration status
- Medical history or health conditions
- Genetic data processed for identification
- Geolocation data (within 1,750 feet)
Under Utah Code 13-61-302, a business that acts as a data controller may not process sensitive data without first presenting the consumer with clear notice and an opportunity to opt out.
Opt-Out vs. Opt-In: Why It Matters

The distinction between opt-out and opt-in is significant for biometric data protection. Under Utah's opt-out model, a business can begin processing biometric data as long as it has provided notice and an opt-out mechanism. The consumer must take affirmative action to stop the processing.
Under an opt-in model, as used in states like Illinois and Texas, a business cannot process biometric data at all until the consumer affirmatively agrees.
In practice, opt-out requirements result in lower rates of consumer engagement. Most consumers do not actively review privacy notices or exercise opt-out rights, which means more biometric data gets processed under Utah's framework than under stricter opt-in states.
Consumer Rights Under the UCPA
Utah residents have several rights related to their biometric data under the UCPA. These rights apply to all personal data, including biometric information.
Right to Know
Consumers can request confirmation of whether a business is processing their personal data, including biometric data, and can access that data.
Right to Delete
Consumers can request deletion of the personal data they provided to the controller, including biometric data they directly submitted.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable, readily usable format, to the extent technically feasible.
Right to Opt Out of Targeted Advertising and Sale
Consumers can opt out of the processing of personal data for targeted advertising or the sale of personal data. This is separate from the sensitive data opt-out right.
Right to Non-Discrimination
Under Utah Code 13-61-302, a controller may not discriminate against a consumer for exercising any of these rights. This means a business cannot deny services, charge different prices, or provide a lower quality of service to consumers who opt out of biometric data processing.
Response Timeline
Businesses must respond to consumer rights requests within 45 days. An extension of up to 45 additional days is permitted when reasonably necessary, as long as the business notifies the consumer of the delay and the reason for it.
Who Must Comply
The UCPA applies to businesses that meet all of the following criteria:
- Conduct business in Utah or produce products or services targeted to Utah consumers
- Have annual revenue of $25 million or more
- Meet one of two data processing thresholds: control or process personal data of 100,000 or more Utah consumers in a calendar year, OR derive over 50% of gross revenue from the sale of personal data and control or process data of 25,000 or more Utah consumers
Exemptions
The UCPA includes broad exemptions for:
- Government entities and tribes
- Institutions of higher education
- Nonprofits
- Data regulated under HIPAA (health)
- Data regulated under GLBA (financial)
- Data regulated under FCRA (credit reporting)
- Employment data collected in a job applicant or employee context
- Business-to-business contact information
These exemptions mean that many common biometric data collection scenarios, such as employer fingerprint timekeeping or hospital patient identification, fall outside the UCPA's scope.
Enforcement and Penalties
The UCPA is enforced exclusively by the Utah Attorney General and the Utah Division of Consumer Protection. There is no private right of action.
Enforcement Process
Before filing suit, the Attorney General must provide the business with written notice of the alleged violation and a 30-day cure period under Utah Code 13-61-402. If the business cures the violation within 30 days, no action is taken.
If the business fails to cure, the Attorney General can pursue civil penalties of up to $7,500 per violation, plus actual damages to affected consumers.
First Major Enforcement Action

In May 2025, the Utah Division of Consumer Protection issued its first enforcement notice under the UCPA. In June 2025, the Division and the Attorney General filed a lawsuit against Snap, Inc. (the company behind Snapchat), alleging that Snap violated the UCPA by failing to inform consumers about its data collection practices and failing to provide users with an opportunity to opt out of processing sensitive data, including biometric and geolocation information.
This case signals that Utah regulators are willing to pursue enforcement actions related to biometric data processing under the UCPA.
Business Compliance Requirements

Businesses subject to the UCPA that collect biometric data should take several steps to ensure compliance.
Privacy Notice
Under Utah Code 13-61-302, controllers must provide a reasonably accessible and clear privacy notice that includes the categories of personal data processed, the purposes for processing, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties.
Opt-Out Mechanism
For biometric data and other sensitive data, businesses must provide a clear opt-out mechanism before processing. This can be a settings toggle, a form, or another reasonable method. The mechanism must be easy to find and use.
Data Security
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including biometric data.
Data Processing Agreements
When a controller engages a processor to handle biometric data, the parties must enter into a written contract that governs the processor's data processing procedures and sets clear instructions, confidentiality obligations, and deletion requirements.
How Utah Compares to Neighboring States
Utah's opt-out approach to biometric data stands apart from its neighbors. Colorado requires opt-in consent for sensitive data processing, providing stronger protection. Nevada takes a narrower approach focused on data sale opt-outs.
Wyoming and Idaho lack comprehensive privacy laws and rely primarily on breach notification statutes. Montana enacted the Montana Consumer Data Privacy Act with biometric data provisions that follow the opt-in consent model.
Among all state comprehensive privacy laws, only Utah uses the opt-out model for sensitive data. Every other state that has enacted a comprehensive privacy law requires opt-in consent before processing biometric data for identification purposes.
Sources and References
This article references Utah statutes available through the Utah Legislature website. For consumer guidance, visit the Utah Division of Consumer Protection UCPA page. For the full enrolled bill text, see SB 227. For information on enforcement actions, visit the Utah Attorney General Data Privacy page.
- Utah Code Chapter 13-61 - Utah Consumer Privacy Act (le.utah.gov)
- Utah Code 13-61-101 - UCPA Definitions (le.utah.gov)
- Utah Code 13-61-302 - Controller Responsibilities (le.utah.gov)
- SB 227 - Utah Consumer Privacy Act (Enrolled) (le.utah.gov)
- Utah Division of Consumer Protection - UCPA (dcp.utah.gov)
- Utah Attorney General - Data Privacy (attorneygeneral.utah.gov)
- Utah Sues Snapchat - UCPA Enforcement Action (dcp.utah.gov)
- Report Evaluating the Utah Consumer Privacy Act (le.utah.gov)
This article provides general legal information about Utah biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Utah government sources.