UCPA Consumer Rights: Access, Delete & Opt Out (Utah)

Under the Utah Consumer Privacy Act (UCPA), Utah residents have four core rights over their personal data as of 2026: to confirm and access what a covered business holds, to delete the data they provided, to obtain a portable copy, and to opt out of both the sale of their personal data and targeted advertising. These rights are set out in Section 13-61-201 of Utah Code Title 13, Chapter 61.

To use a right, a consumer submits a request to the controller, which has 45 days to respond under Section 13-61-203. Utah is one of the more limited state frameworks: as of 2026 there is no right to correct inaccurate data and no right to opt out of profiling, though a correction right takes effect July 1, 2026 under HB 418.

Jurisdiction scope: This covers Utah's Consumer Privacy Act (Utah Code Title 13, Chapter 61). It is general legal information, not legal advice.

The four UCPA consumer rights

Section 13-61-201 lays out the rights Utah residents hold against covered controllers. As enacted, there are four. The statute describes them in plain terms, and they track the rights found in Virginia and Colorado, minus a couple that Utah chose to leave out.

First is the right to confirm and access. Under Section 13-61-201(1), a consumer has the right to "confirm whether a controller is processing the consumer's personal data" and to "access the consumer's personal data." This is the entry point: a resident can find out whether a company holds data about them and see what it is.

Second is the right to delete. Section 13-61-201(2) gives a consumer the right to delete "the consumer's personal data that the consumer provided to the controller." Note the limit: the deletion right reaches data the consumer provided, not necessarily everything a controller may have inferred or obtained from third parties. This is narrower than the deletion rights in some other states.

Third is the right to data portability. Under Section 13-61-201(3), a consumer may obtain a copy of personal data they previously provided in a format that is portable, readily usable to the extent practicable, and that allows the data to be transmitted to another controller without impediment where processing is automated.

Fourth is the right to opt out. Section 13-61-201(4) lets a consumer opt out of the processing of their personal data for "targeted advertising" or "the sale of personal data." These are the two opt-out categories Utah recognizes.

What Utah leaves out: no correction right (yet), no profiling opt-out

Two rights that have become common elsewhere are missing from Utah's list as of 2026.

There is no right to opt out of profiling. Several state laws, including Virginia, Colorado, Connecticut, and Texas, let consumers opt out of profiling that produces legal or similarly significant effects, such as automated decisions about credit, employment, housing, or insurance. The UCPA's opt-out right in Section 13-61-201(4) covers only targeted advertising and the sale of data. Profiling is not on the list, so a Utah resident cannot opt out of it under the UCPA.

There is also no right to correct, at least not yet. As originally enacted, Section 13-61-201 contained no correction right at all. That made Utah the only one of the early comprehensive state laws without a way for consumers to fix inaccurate data. The omission was deliberate and is one of the features that earned the UCPA its reputation as the most business-friendly state law.

The absence of these two rights is part of a consistent theme. Utah granted the familiar core of access, deletion, portability, and the two opt-outs, then stopped. It did not add the broader correction and profiling protections that other states layered on.

The forthcoming right to correct: HB 418 and July 1, 2026

The correction gap is on the way to closing. HB 418, enacted in the 2025 General Session, amends Section 13-61-201 to add a fifth right. The revised statute, carrying the "Amended by Chapter 468, 2025 General Session" citation, gives a consumer "the right to request that a controller correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data."

The effective date is the key detail. The current version of Section 13-61-201 is labeled "Superseded 7/1/2026," and the amended version is labeled "Effective 7/1/2026." That means the right to correct is not in force as of 2026. It begins July 1, 2026.

Until that date arrives, a Utah consumer who finds inaccurate data in a company's records has no UCPA right to demand a fix. After July 1, 2026, the correction right will sit alongside the existing rights and be handled through the same request process and the same 45-day response window. HB 418 does not add a profiling opt-out or change the sensitive-data model; it adds the correction right and otherwise leaves Utah's narrow framework in place.

How to exercise a UCPA right

Section 13-61-202 sets out how a consumer makes a request. A consumer "may exercise a right by submitting a request to a controller, by means prescribed by the controller, specifying the right the consumer intends to exercise." In practice that means using whatever channel the company offers, often a web form, a privacy email address, or a toll-free line described in its privacy notice.

The statute also addresses requests on behalf of others. Under Section 13-61-202(2), when the data concerns a known child, "the parent or legal guardian of the known child shall exercise a right on the child's behalf." Under Section 13-61-202(3), for a consumer subject to guardianship or conservatorship, the guardian or conservator exercises the right.

Before honoring certain requests, a controller may need to verify identity. The statute defines "authenticate" as using reasonable means to confirm that a request to exercise the rights in Section 13-61-201 is actually made by the consumer entitled to exercise them. If a controller cannot authenticate a request using commercially reasonable efforts, it is not required to comply, though it may ask the consumer for additional information to enable authentication.

The 45-day response window and fees

Section 13-61-203 governs the controller's response. Within 45 days after receiving a request, the controller must take action on the request and inform the consumer of any action taken. The clock starts on receipt.

The controller may extend once, by an additional 45 days, when reasonably necessary due to the complexity of the request or the volume of requests received. If it extends, it must tell the consumer of the extension and the reasons within the original 45-day period. That puts the outer limit at 90 days. If a controller declines to act on a request, it must, within 45 days, inform the consumer of the reasons for not taking action.

On cost, the first request in a 12-month period is generally free. Under Section 13-61-203(4), a controller may not charge a fee for information in response to a request unless it is the consumer's second or subsequent request during the same 12-month period. A controller may also charge a reasonable fee, or decline to act, if a request is excessive, repetitive, technically infeasible, or manifestly unfounded, but it bears the burden of showing the request met one of those criteria.

How the opt-out sensitive-data model affects consumers

Utah's treatment of sensitive data shapes what consumers can expect. Under Section 13-61-302(3), a controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing. For a known child, the controller must instead follow COPPA.

For consumers, this means the default runs the other way from most states. In Virginia, Colorado, Connecticut, and Texas, a business cannot process your sensitive data unless you opt in first. In Utah, a business may process it after giving you notice, and the burden is on you to opt out if you do not want it. Sensitive data here includes information revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health conditions, genetic or biometric identifiers used to identify you, and specific geolocation data accurate within 1,750 feet.

The practical effect is that a Utah resident who wants to keep sensitive data from being processed has to watch for the notice and take the opt-out step. There is no automatic consent gate working in the consumer's favor before processing begins.

No private lawsuit: how the UCPA is enforced

The UCPA gives consumers rights but not a courtroom. There is no private right of action. A consumer who believes a business violated their rights cannot sue the company directly under Chapter 61.

Instead, enforcement runs through the state. Under Section 13-61-401, the Division of Consumer Protection establishes and administers a system to receive consumer complaints about alleged violations and may investigate them. If the division's director has reasonable cause to believe substantial evidence of a violation exists, the director refers the matter to the attorney general. Under Section 13-61-402(1), the Utah Attorney General has "the exclusive authority to enforce this chapter." A consumer who wants action files a complaint with the Division of Consumer Protection rather than going to court.

Related guides

• Utah Data Privacy Laws (UCPA hub)
• What Is the UCPA? Utah Consumer Privacy Act Explained
• UCPA Compliance Checklist for Businesses
• US State Privacy Laws Comparison
• What Is the CCPA? California's Privacy Law Explained

Sources