Regulation

Utah Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act grants Utah consumers the ability to control their data and imposes data privacy responsibilities on organizations handling their data. It outlines the obligations and privacy protection standards applicable to covered organizations.

Are you subject to the Utah Consumer Privacy Act?

The Utah Consumer Privacy Act applies to organizations who are (a) doing business in Utah or producing products or services targeted at Utah residents; (b) having annual revenue of $25,000,000 or more; and (c) meeting any of the following criteria:

During a calendar year, control or process personal information of 100,000 or more consumers.
Derive over 50% of gross revenue from the sale of personal information and control or process personal information of 25,000 or more consumers.

Obligations & rights under the Utah Consumer Privacy Act

This data privacy and protection law requires organizations to provide control and transparency to Utah residents on how their personal information is collected, sold, and disclosed.

Consents & opt-outs

Organizations must obtain consent for the processing of personal information regarding a known child must comply with the verifiable parental consent mechanisms outlined in the federal Children’s Online Privacy Protection Act (COPPA), along with its implementing regulations and exemptions. Additionally, consumers must be provided the opportunity to opt out of targeted advertising, the sale of their personal information, and prior to processing their sensitive personal information.

Policies & motices

Organizations must provide consumers with a reasonably accessible and clear privacy notice that includes the categories of personal information collected and shared with third parties, the categories of third parties to whom the data is shared, the purposes of data processing, and the instructions for consumers to exercise their rights. Organizations that engage in the sale of personal information to third parties or process personal information for targeted advertising must ensure clear disclosure of these practices within their privacy notices. Additionally, they must outline the methods through which consumers can exercise their right to opt out of such activities.

Data subject rights & requests

Consumers are entitled to access, delete, opt out of processing, and exercise data portability rights. Organizations must respond to data subject requests within 45 days of receiving the request.

Vendor management

Under the Utah Consumer Privacy Act, organizations are required to execute vendor contracts that explicitly outline instructions for handling personal information, as well as describe the rights and responsibilities of all parties involved.

Whitepaper

The Ins and Outs of the Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) went into effect on December 31, 2023. There are many details including transparency requirements and consumer rights. Easily comply with our guide.

Download now

Achieve compliance

FAQs

What is the Utah Consumer Privacy Act?

The Utah Consumer Privacy Act provides Utah consumers with various rights, including the right to access, delete, opt out of processing, and exercise data portability rights concerning their personal information. Covered organizations are mandated to protect consumers’ personal information and fulfill data subject requests. The Act empowers the Division of Consumer Protection to receive and investigate consumer complaints related to personal information processing and authorizes the Office of the Attorney General to enforce compliance and levy penalties.

This privacy act took effect on December 31, 2023.
Who has privacy rights under the Utah Consumer Privacy Act?

The Utah Consumer Privacy Act provides privacy rights to Utah consumers but does not include individuals acting in employment or commercial contexts.
What is personal information and sensitive personal information under the Utah Consumer Privacy Act?

Personal information refers to information that can be directly associated with or reasonably connected to a known individual or an individual who can be identified but does not include deidentified data, aggregated data, or publicly available information. Examples include a first and last name and email address.

Sensitive personal information means personal information that reveals (a) an individual’s racial or ethnic origin, religious affiliations, sexual orientation, citizenship or immigration status, as well as their medical records, mental or physical health status, or any medical treatments or diagnoses provided by healthcare professionals; (b) the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; and (c) specific geolocation data.

Related resources

View all resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.