UCPA Compliance Checklist for Businesses (Utah 2026)

Complying with the Utah Consumer Privacy Act (UCPA) starts with one question: does the law even apply to you? Under Section 13-61-102, a business is covered only if it has annual revenue of $25,000,000 or more AND meets a data-volume threshold, which makes Utah's reach the narrowest of any state. Businesses that clear the bar must post a privacy notice, offer opt-outs for sale and targeted advertising, provide an opt-out for sensitive data, honor consumer requests within 45 days, and sign processor contracts.
As of 2026, Utah's compliance load is lighter than most states: there are no data protection assessments and no obligation to honor universal opt-out signals. The Utah Attorney General enforces the law under Section 13-61-402, with a permanent 30-day cure period and penalties up to $7,500 per violation.
Jurisdiction scope: This covers Utah's Consumer Privacy Act (Utah Code Title 13, Chapter 61). It is general legal information, not legal advice.
Step 1: Determine whether the UCPA applies to you
The first compliance task is the threshold analysis, because most businesses are not covered. Section 13-61-102(1) applies the UCPA to a controller or processor that conducts business in Utah or targets Utah residents, has "annual revenue of $25,000,000 or more," and satisfies one of two data thresholds: processing personal data of 100,000 or more consumers in a calendar year, or deriving over 50% of gross revenue from the sale of personal data while processing data of 25,000 or more consumers.
The critical structural point is that the revenue requirement is connected to the rest with "and." A business must clear the $25 million floor before any data threshold even matters. If your annual revenue is below $25 million, the UCPA does not apply to you, regardless of how many Utah residents' records you hold. That is what makes Utah's coverage the narrowest in the country.
Run the analysis precisely. Confirm whether you do business in Utah or target Utah residents. Confirm your annual revenue figure. Then test the two data prongs. Many companies that are covered by California, Colorado, or Texas law will find they fall outside the UCPA entirely, which can meaningfully shrink the scope of a multistate privacy program.
Step 2: Confirm you are not categorically exempt
Even above the threshold, Section 13-61-102(2) removes entire categories of organizations and data. Check whether you fit a carve-out before building anything.
Exempt entities include governmental entities and their contractors, tribes, institutions of higher education, nonprofit corporations, HIPAA covered entities, HIPAA business associates, and air carriers. Exempt data includes protected health information under HIPAA, information governed by the Fair Credit Reporting Act, data under the federal Driver's Privacy Protection Act, education records under FERPA, financial data and institutions governed by the Gramm-Leach-Bliley Act under Section 13-61-102(2)(k), and data under the Farm Credit Act.
Employment and emergency-contact data are also excluded under Section 13-61-102(2)(o). If you are partially exempt, for example a company with both a HIPAA-regulated division and a consumer division, apply the UCPA only to the non-exempt data. The statute does not grant a whole-organization pass based on partial overlap, so map your data flows to see which datasets remain in scope.
Step 3: Publish a compliant privacy notice
If you are covered, the privacy notice is the foundational obligation. Section 13-61-302(1)(a) requires a controller to provide consumers with "a reasonably accessible and clear privacy notice" that includes five elements: the categories of personal data processed, the purposes for which those categories are processed, how consumers may exercise a right, the categories of personal data shared with third parties, and the categories of third parties with whom data is shared.
Write the notice in plain language and place it where consumers can find it, typically linked from every page of a website. Keep it current as your data practices change. Because Utah does not require a separate sensitive-data sale notice with mandated statutory wording the way Texas does, the privacy notice and the opt-out disclosures do most of the transparency work under the UCPA.
Make sure the notice explains, in concrete terms, the method a consumer uses to submit a rights request. Section 13-61-202 lets the controller prescribe that method, but the privacy notice is where consumers learn what it is.

Step 4: Build opt-out mechanisms for sale and targeted advertising
If you sell personal data or engage in targeted advertising, you owe consumers a clear way out. Section 13-61-302(1)(b) requires that a controller "clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out" of the sale of personal data or processing for targeted advertising.
In practice this means a visible opt-out link or control, plus a back-end process to actually stop selling that consumer's data or stop targeting ads to them once they opt out. The opt-out right comes from Section 13-61-201(4).
One thing you do not have to build: a universal opt-out signal mechanism. Texas, Colorado, Montana, Oregon, and California require controllers to detect and honor browser- or device-level signals such as Global Privacy Control. The UCPA contains no such requirement. A consumer must use the opt-out method you prescribe; you are not obligated to recognize a global signal. This is one of the places where Utah compliance is genuinely lighter.
Step 5: Set up the sensitive-data opt-out
Utah's sensitive-data rule is the part of the checklist that differs most from other states, so handle it carefully. Section 13-61-302(3) says a controller "may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing." For a known child, the controller must process the data in accordance with COPPA.
This is an opt-out mechanism, not opt-in consent. You may process sensitive data, but only after you have given clear notice and a real chance to decline. Build a notice-and-opt-out flow that fires before sensitive data is processed, and make the opt-out easy to use. Sensitive data, defined in Section 13-61-101, includes data revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, and health conditions, plus genetic or biometric data used to identify a person and specific geolocation data accurate within 1,750 feet.
If you previously built opt-in consent flows for Virginia, Colorado, Connecticut, or Texas, you do not need to replicate them for Utah. But do not skip the Utah-specific notice and opt-out, because that is what the statute requires.

Step 6: Wire up consumer-request handling within 45 days
You need an intake and response process for consumer rights requests. Section 13-61-203 requires a controller, within 45 days of receiving a request, to take action and inform the consumer of the action taken. You may extend once by an additional 45 days, up to 90 days total, when reasonably necessary due to complexity or volume, provided you notify the consumer of the extension within the first 45 days.
Build authentication into the flow. Before honoring an access or deletion request, you may verify that the requester is the consumer entitled to make it; if you cannot authenticate using commercially reasonable efforts, you are not required to comply. The first request in any 12-month period must be free under Section 13-61-203(4); you may charge for a second or later request in the same period or decline requests that are excessive, repetitive, technically infeasible, or manifestly unfounded.
Plan now for the right to correct. HB 418 (2025) amends Section 13-61-201 to add a correction right effective July 1, 2026. It is not yet in force as of 2026, but covered businesses should be ready to handle correction requests through the same 45-day process when that date arrives.
Step 7: Put processor contracts in place
If you use vendors to process personal data, you need contracts that meet the statute. Section 13-61-301(2) requires that, before a processor performs processing on behalf of a controller, the two enter a contract that sets forth instructions for processing, the nature and purpose of the processing, the type of data, the duration, and the parties' rights and obligations.
The contract must also require the processor to ensure each person processing the data is subject to a duty of confidentiality, and to engage any subcontractor under a written contract imposing the same obligations on the subcontractor. Section 13-61-301(1) separately requires the processor to follow the controller's instructions and assist the controller with security and breach-notification obligations.
Review your existing vendor agreements and add UCPA-compliant data processing terms where they are missing. The same data processing addendum you use for other state laws will generally satisfy Utah, since Utah's processor terms track the common multistate pattern.
Step 8: Understand enforcement, the cure period, and penalties
Finally, know how the law is enforced, because it changes your risk calculus. The Division of Consumer Protection takes consumer complaints and investigates under Section 13-61-401; if the director finds reasonable cause that substantial evidence of a violation exists, the director refers the matter to the attorney general. Under Section 13-61-402(1), the Utah Attorney General has "the exclusive authority to enforce this chapter."
Before filing an action, the attorney general must give at least 30 days' written notice identifying each provision allegedly violated. Under Section 13-61-402(3)(b), no action proceeds if the controller or processor cures the noticed violation within 30 days and provides a written statement that the violation has been cured and will not recur. This cure period is permanent. Unlike Colorado and Connecticut, whose cure windows expired, Utah built no sunset into Section 13-61-402, so the cure opportunity remains available indefinitely as of 2026.
If a violation is not cured, the attorney general may recover actual damages to the consumer plus up to $7,500 for each violation under Section 13-61-402(3)(d). Money recovered goes into the Consumer Privacy Account established in Section 13-61-403. There is no private right of action, so the attorney general is the only party that can bring an enforcement claim.
Sources and References
- Utah Code Title 13, Chapter 61: Utah Consumer Privacy Act (Full Text) (le.utah.gov)
- Utah Code Section 13-61-102: Applicability and Exemptions (le.utah.gov)
- Utah Code Section 13-61-201: Consumer Rights (le.utah.gov)
- Utah Code Section 13-61-203: Controller's Response to Requests (45-Day Window) (le.utah.gov)
- Utah Code Section 13-61-301: Responsibility According to Role (Processor Contracts) (le.utah.gov)
- Utah Code Section 13-61-302: Responsibilities of Controllers (Privacy Notice, Sensitive Data Opt-Out) (le.utah.gov)
- Utah Code Section 13-61-401: Investigative Powers of the Division of Consumer Protection (le.utah.gov)
- Utah Code Section 13-61-402: Enforcement Powers of the Attorney General (30-Day Cure, $7,500 Penalty) (le.utah.gov)
- Utah HB 418 (2025): Data Sharing Amendments, Enrolled Bill (le.utah.gov)
- Utah Division of Consumer Protection: Utah Consumer Privacy Act (UCPA) (commerce.utah.gov)