Utah Privacy Law Overview
Utah's law took effect December 31, 2023 and deliberately favors businesses. It omits several rights found elsewhere (no profiling opt-out; sensitive data handled by opt-out and clear notice rather than consent) and has a high revenue threshold. A 2024 amendment adds a right to correct effective July 1, 2026, nudging Utah closer to the multistate norm.
The Utah Consumer Privacy Act (UCPA)
The UCPA is the most business-friendly comprehensive state privacy law. It grants access, deletion, portability and opt-out-of-sale and targeted-advertising rights, but — unlike most states — originally provided no right to correct data and no opt-out of profiling, and it treats sensitive data on an opt-out (rather than opt-in) basis. A right to correct is added effective July 1, 2026.
UCPA: Quick Overview
- Effective Date: December 31, 2023
- Citation: Utah Code § 13-61-101 et seq.
- Enforced By: Utah Attorney General
- Maximum Penalty: Up to $7,500 per violation
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: 30 days (permanent)
Who Must Comply
The UCPA applies to businesses that meet Utah's applicability thresholds:
- Annual revenue of $25 million or more, and
- Processes data of 100,000+ Utah consumers per year, or derives over 50% of revenue from selling data while processing data of 25,000+ consumers
What makes Utah different: The UCPA is the most business-friendly comprehensive law — no profiling opt-out, opt-out (not opt-in) for sensitive data, and a permanent cure period.
Consumer Rights Under the UCPA
Utah residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
Sensitive personal data: opt-out (notice and opportunity to opt out)
Data Breach Notification in Utah
Utah requires notice to affected residents without unreasonable delay, and to the Attorney General and Utah Cyber Center when 500 or more residents are affected.
- Deadline to notify residents: In the most expedient time possible without unreasonable delay
- Attorney General notice: Notify the Utah Attorney General and Cyber Center if 500 or more residents are affected
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Federal Privacy Laws That Apply in Utah
Even where Utah law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Utah Privacy Law FAQ
How is Utah's privacy law different from California's?
Does Utah require opt-in consent for sensitive data?
How a Utah Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Utah Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Utah Privacy Attorney?
Whether you are a business working toward compliance or a Utah resident whose privacy has been violated, our network of Utah-licensed attorneys can help.
Find a Utah Privacy Attorney