Utah Becomes the 4th State to Pass Consumer Privacy Legislation – Will the Federal Government Ever Catch Up?

April 20, 2022

The UCPA is the Nation’s Fourth State Consumer Privacy Law

On March 24, 2022, Utah Governor Spencer Cox signed Utah Senate Bill 227, the Utah Consumer Privacy Act (UCPA) into law.  The UCPA is the nation’s fourth state consumer privacy law, following California, Colorado, and Virginia, to provide consumers more access to and control over how companies handle their personal information.  The UCPA becomes effective on December 31, 2023.

It should be noted that each state law creates different rights and obligations.  The UCPA creates responsibilities on “controllers” and “processors” of personal data; defined as persons doing business in Utah who determine the purposes for which and the means by which personal data is processed, and persons who process personal data on behalf of a controller, respectively.  Controllers and processors subject to the UCPA are:

  • Any person who conducts business in Utah, or produces a product or service that is targeted to Utah consumers

  • Has annual revenue of $25,000,000 or more
  • Either controls or processes personal data of 100,000 consumers or more in a calendar year or derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes data of 25,000 or more consumers

Exceptions from the UCPA include:

  • Government entities
  • Tribes
  • Higher education institutions
  • Nonprofit corporations
  • Covered entities as defined in 45 C.F.R. 160.103
  • Financial institutions governed by GLBA
  • Consumer reporting agencies subject to regulation under the FCRA
  • Protected health information regulated by HIPAA
  • Personal data regulated by FERPA

Controllers have the following obligations under the UCPA:


Controllers must provide consumers with a reasonably accessible and comprehensive privacy notice that includes the categories of personal data processed, and the purposes for which that data is processed; how and where consumers may exercise their rights (described below); the categories of data shared with third parties; and the categories of third parties with whom the controller shares personal data.


Controllers may not process either sensitive data (as defined in the UCPA) collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of processing, or in the case of a known child, processing data in accordance with the Children’s Online Privacy Protection Act.


Controllers must establish and maintain reasonable data security practices to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.

Nondiscrimination and Nonretaliation

Controllers may not discriminate against consumers for exercising their rights under the UCPA.


Controllers may not include contract provisions that purport to waive or limit a consumer’s rights under the UCPA, and any such provision is void.

Consumer rights under the UCPA include the right to:

  • Confirm whether a controller is processing the consumer’s personal data and access that personal data
  • Delete the consumer’s personal data that the consumer provided to the controller
  • Obtain a copy of the consumer’s personal data that was previously provided to the controller, in a portable, usable, and transmittable format (to the extent feasible)
  • Opt-out of the processing of the consumer’s personal data for purposes of targeting advertising or the sale of personal data

Unlike in California, but similar to the Virginia and Colorado privacy acts, the UCPA does not provide a private right of action, with violations only enforceable by the Utah Attorney General’s office.  Utah enacted the UCPA ahead of an additional seventeen states with privacy laws currently in the committee stage or further, according to the International Association of Privacy Professionals.

KJK will continue to monitor developments related to state privacy laws. If you have any questions, please contact KJK Cybersecurity, Data Breach & Privacy attorney Brett Krantz (BK@kjk.com; 216.736.7238).