Consentise Logo

REGULATIONSUtah Consumer Privacy Act (UCPA)

Utah’s UCPA protects your digital privacy by giving you rights to control your personal information and requiring businesses to handle your data responsibly and transparently.

Subscription Icon

The Utah Consumer Privacy Act (UCPA) is Utah’s first comprehensive data privacy law, giving residents new rights over their personal information and creating clear requirements for businesses that collect and process that data. Signed into law in March 2022, the UCPA went into effect on December 31, 2023, making Utah the fourth U.S. state to enact a broad consumer privacy law after California, Virginia, and Colorado.

What is the UCPA?

The UCPA is designed to protect the privacy of Utah residents by:

  • Giving consumers the ability to access and delete personal data,
  • Requiring businesses to provide clear notices and privacy disclosures,
  • Enabling consumers to opt out of certain types of data processing, like targeted advertising and data sales,
  • Imposing data security obligations on businesses.

While the UCPA shares similarities with other state privacy laws like the CCPA and CPA, it is considered more business-friendly due to its narrower scope and simpler compliance requirements.

Who does the UCPA apply to?

The UCPA applies to businesses operating in Utah or targeting Utah residents that meet both of the following thresholds:

  • Have an annual revenue of $25 million or more, and
  • Either:
    • Process personal data of 100,000 or more Utah consumers annually, or
    • Derive more than 50% of their revenue from selling personal data of 25,000 or more consumers.

Nonprofits, government entities, and businesses outside of these thresholds are exempt.

What rights do Utah consumers have?

The UCPA grants Utah residents the following key rights:

  • Right to access: Consumers can request to know what personal data a business has collected about them.
  • Right to delete: Consumers can ask a business to delete their personal data.
  • Right to data portability: Consumers can receive a copy of their personal data in a portable format.
  • Right to opt out: Consumers can opt out of:
    • The sale of their personal data,
    • Targeted advertising.

Unlike some other laws, the UCPA does not include a right to correct inaccurate data or opt out of profiling.

What are the penalties for non-compliance?

The UCPA is enforced by the Utah Attorney General, in coordination with the Utah Division of Consumer Protection. Non-compliance can lead to:

  • Civil penalties of up to $7,500 per violation,
  • A 30-day cure period that gives businesses the chance to fix violations before facing penalties.

There is no private right of action, meaning individuals cannot sue businesses under this law.

Does the UCPA apply only in Utah?

No. Even if a business is based outside of Utah, the UCPA applies if it:

  • Meets the revenue and data processing thresholds, and
  • Targets or serves consumers in Utah.

This means many businesses with national or online operations may fall under UCPA requirements — even without a physical presence in the state.

How Consentise helps you stay UCPA-compliant

Consentise makes it simple for your business to comply with the UCPA by providing:

  • Clear, customizable consent banners and privacy notices,
  • Tools for managing user opt-outs for data sales and targeted advertising,
  • Easy-to-use interfaces for handling access and deletion requests,
  • Consent logs and audit trails to demonstrate compliance,
  • A lightweight solution that scales with your data needs.

Whether you're just getting started with privacy compliance or expanding your efforts, Consentise offers the tools and flexibility you need to meet Utah's privacy requirements.

Ready to start?

Start for free