What Is the UCPA? Utah Consumer Privacy Act Explained

The Utah Consumer Privacy Act (UCPA) is Utah's comprehensive consumer data privacy law, codified at Utah Code Title 13, Chapter 61 (Sections 13-61-101 through 13-61-404). Enacted as SB 227 and signed by Governor Spencer Cox on March 24, 2022, it took effect December 31, 2023, and gives Utah residents rights over their personal data while imposing the narrowest coverage threshold of any state privacy law in the country.
As of 2026, the Utah Attorney General holds exclusive authority to enforce the UCPA under Section 13-61-402, with civil penalties up to $7,500 per violation. A 30-day cure period applies before any action, and unlike several other states that let their cure windows expire, Utah's cure period has no sunset date.
Jurisdiction scope: This covers Utah's Consumer Privacy Act (Utah Code Title 13, Chapter 61). It is general legal information, not legal advice.
What the UCPA is: statute, enactment, and effective dates
The Utah Consumer Privacy Act is Utah's first comprehensive consumer data privacy law. It is codified at Utah Code Title 13, Chapter 61, running from Section 13-61-101 (definitions) through Section 13-61-404 (the attorney general report). The legislature passed it as Senate Bill 227 during the 2022 General Session, and Governor Spencer Cox signed it on March 24, 2022.
The statute took effect December 31, 2023, giving covered businesses roughly twenty months to prepare. That made Utah the fourth state, after California, Virginia, and Colorado, to enact a broad consumer privacy law. The chapter is enacted by "Chapter 462, 2022 General Session," the citation that appears at the end of each original section.
Utah's law sits in the Virginia and Colorado lineage rather than the California one. It uses the controller and processor vocabulary of those statutes, and it grants a familiar set of consumer rights. What makes the UCPA stand apart is not its structure but how far it scales back coverage and the duties it imposes. On nearly every contested design choice, Utah chose the most business-friendly path available.
Who the UCPA covers: the $25M AND-gated threshold
The applicability test in Section 13-61-102(1) is the single most important feature of the UCPA, because it is the narrowest in the United States. The law applies to a controller or processor that meets all of these conditions at once.
First, the entity must conduct business in Utah or produce a product or service targeted to Utah residents. Second, under Section 13-61-102(1)(a)(ii), it must have "annual revenue of $25,000,000 or more." Third, under Section 13-61-102(1)(a)(iii), it must satisfy one of two data thresholds: during a calendar year it "controls or processes personal data of 100,000 or more consumers," or it "derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers."
The structure is what matters. The $25 million revenue requirement is joined to the rest by the word "and," not "or." A company must clear the revenue floor and then also hit a data-volume threshold. This is fundamentally different from California, where the thresholds are alternatives.
Under California's CCPA, a for-profit business is covered if it meets any one of three tests: more than $25 million in annual gross revenue, the data of 100,000 or more California consumers or households, or 50% or more of revenue from selling or sharing personal information. A small data broker with $5 million in revenue that handles 200,000 Californians is covered by the CCPA. The same broker is not covered by the UCPA, because it never clears Utah's $25 million floor. By tying the revenue requirement to the data thresholds with an "and," Utah excludes every business below $25 million in revenue, no matter how much data it processes.
The practical upshot: a large share of mid-size companies that fall within California's, Colorado's, or Texas's reach owe no obligations under the UCPA at all. Utah's coverage is deliberately the most limited of any state privacy law as of 2026.

Categorical exemptions under Section 13-61-102(2)
Even among businesses that clear the threshold, Section 13-61-102(2) removes whole categories of organizations and data from the law's reach. These exemptions are entity-based and data-based, and they track the pattern set by other state laws.
On the entity side, the UCPA does not apply to a governmental entity or a third party acting on its behalf, a tribe, an institution of higher education, a nonprofit corporation, a HIPAA covered entity, a HIPAA business associate, or an air carrier. The nonprofit and higher-education exemptions are notable because some newer state laws have narrowed or eliminated them; Utah keeps both as full carve-outs.
On the data side, Section 13-61-102(2) excludes protected health information under HIPAA, patient identifying information under 42 C.F.R. Part 2, human-subjects research data, information governed by the Fair Credit Reporting Act, financial data and institutions governed by the Gramm-Leach-Bliley Act under Section 13-61-102(2)(k), data under the federal Driver's Privacy Protection Act, education records under FERPA, and data under the Farm Credit Act. Employment data and emergency-contact data are also carved out under Section 13-61-102(2)(o), and personal data processed for purely personal or household purposes is excluded under Section 13-61-102(2)(p).
These carve-outs mean that hospitals, banks, credit unions, universities, charities, and state agencies generally operate outside the UCPA even when they hold large volumes of Utah-resident data. A covered entity that processes a patient's protected health information in accordance with HIPAA is exempt as to that data, though it remains bound by HIPAA itself.
The opt-out sensitive-data model: Utah's signature difference
The clearest way Utah departs from every other state is how it treats sensitive data. Under Section 13-61-302(3), a controller "may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing." For a known child, the controller must process the data in accordance with COPPA.
That is an opt-out model. Every other comprehensive state privacy law, including Virginia, Colorado, Connecticut, and Texas, requires opt-in consent before a controller may process sensitive data. Under those laws, sensitive data cannot be processed unless the consumer first affirmatively agrees. Utah flips the default: a controller may process sensitive data and simply give the consumer notice and a chance to say no.
Sensitive data is defined in Section 13-61-101 and includes personal data revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or medical history and health conditions, along with genetic or biometric data processed to identify a specific individual and specific geolocation data accurate within 1,750 feet. Because Utah uses an opt-out gate for all of these categories, businesses face a lighter consent burden in Utah than anywhere else.
This single design choice, more than any other, is why the UCPA is widely described as the most business-friendly comprehensive privacy law in the country.
The lighter compliance load: no assessments, no universal opt-out
Two duties that have become standard elsewhere are simply absent from the UCPA. First, the law contains no data protection assessment requirement. Colorado, Connecticut, Texas, and others require controllers to document risk assessments for high-risk processing such as targeted advertising, data sales, and certain profiling. Utah imposes no such obligation, so a covered Utah controller does not have to prepare or retain these assessments.
Second, the UCPA does not require controllers to honor a universal opt-out mechanism. Texas, Colorado, Montana, Oregon, and California all require covered businesses to recognize browser- or device-level opt-out signals such as Global Privacy Control. Utah's opt-out rights in Section 13-61-201 must be exercised by the consumer through whatever method the controller prescribes under Section 13-61-202; there is no statutory command to detect or honor a global signal.
The consumer-rights set is also trimmer than the national norm. As enacted, Section 13-61-201 grants the right to confirm and access, to delete data the consumer provided, to obtain a portable copy, and to opt out of targeted advertising and the sale of personal data. There is no right to opt out of profiling, and there was no right to correct inaccurate data, a gap that made Utah the only early comprehensive state law without a correction right.

Forthcoming: the right to correct under HB 418
That correction gap is closing, but not yet. HB 418, enacted in the 2025 General Session, amends Section 13-61-201 to add a right to correct. The revised statute, which carries the "Amended by Chapter 468, 2025 General Session" citation, gives a consumer "the right to request that a controller correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing."
The timing matters. The current version of Section 13-61-201 is marked "Superseded 7/1/2026," and the amended version is marked "Effective 7/1/2026." In other words, the right to correct is not in force as of 2026. It becomes effective July 1, 2026. Until that date, Utah consumers still cannot demand correction of inaccurate data under the UCPA, and businesses are not yet obligated to build a correction workflow, though the deadline gives a clear reason to prepare.
When it takes effect, the correction right will join the existing rights and be subject to the same 45-day response window in Section 13-61-203. It does not add a profiling opt-out or a universal opt-out duty; the rest of Utah's narrow framework remains intact.
UCPA vs. CCPA: the key differences
Utah's law and California's CCPA are frequently compared by companies operating nationally. Our state data privacy law comparison page covers the full multistate picture, but three distinctions between the UCPA and California's CCPA matter most.
Coverage threshold. The CCPA uses three alternative tests joined by "or," so a business is covered if it meets any one. The UCPA joins its $25 million revenue floor to its data thresholds with "and," so a business must clear both. That single conjunction makes Utah's net far smaller. Many companies covered by the CCPA owe nothing under the UCPA.
Sensitive data. California requires businesses to let consumers limit the use of sensitive personal information, and other states require opt-in consent. Utah alone uses an opt-out gate under Section 13-61-302(3): notice plus an opportunity to decline. This is the lightest sensitive-data standard among comprehensive state laws.
Enforcement and remedies. California retains a limited private right of action for certain data breaches, allowing statutory damages between $100 and $750 per consumer per incident. The UCPA has no private right of action of any kind. Under Section 13-61-402(1), the Utah Attorney General has "the exclusive authority to enforce this chapter," and consumers cannot sue covered businesses directly.
Sources and References
- Utah Code Title 13, Chapter 61: Utah Consumer Privacy Act (Full Text) (le.utah.gov)
- Utah Code Section 13-61-101: Definitions (le.utah.gov)
- Utah Code Section 13-61-102: Applicability and Exemptions (le.utah.gov)
- Utah Code Section 13-61-302: Responsibilities of Controllers (Sensitive Data Opt-Out) (le.utah.gov)
- Utah Code Section 13-61-402: Enforcement Powers of the Attorney General (le.utah.gov)
- Utah HB 418 (2025): Data Sharing Amendments, Enrolled Bill (le.utah.gov)
- Utah Division of Consumer Protection: Utah Consumer Privacy Act (UCPA) (commerce.utah.gov)
- Utah Senate Bill 227 (2022): Consumer Privacy Act, Enrolled Bill (le.utah.gov)