Utah Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

On March 24, 2022, Utah Governor Spencer Cox signed Utah Senate Bill 227, the Utah Consumer Privacy Act (UCPA) into law. The UCPA becomes effective on Dec. 31, 2023.

The UCPA creates obligations on “controllers” and “processors” of personal data, which are defined as persons doing business in Utah who determine the purposes for which and the means by which personal data is processed, and persons who process personal data on behalf of a controller, respectively. Controllers and processors subject to the UCPA are any person with annual revenue over $25M who conducts business in Utah, or produces a product or service that is targeted to Utah consumers and:

Controls or processes personal data of 100,000 or more Utah consumers in a calendar year, and/or


Derives over 50% of its gross revenue from the sale of personal data and controls or processes data of 25,000 or more Utah consumers.

Significant carve outs from UCPA compliance are made for: government entities; tribes; higher education institutions; nonprofit corporations; covered entities or business associates governed by HIPAA; financial institutions and entities subject to the GLBA, FCRA and FERPA; and other consumer reporting agencies. 

Controllers must provide consumers with a reasonably accessible and comprehensive privacy notice that includes the categories of personal data processed and the purposes for which that data is processed; how and where consumers may exercise their rights described below; the categories of data shared with third parties; and the categories of third parties with whom the controller shares personal data. To process defined sensitive data, the controller must present the consumer with clear notice and an opportunity to opt out of processing.

The controller must also establish and maintain reasonable data security practices and may neither contract away consumer rights nor discriminate against consumers for exercising these UCPA rights. 

Consumers have the right to confirm whether a controller is processing the consumer’s personal data and access that personal data; delete the consumer’s personal data that the consumer provided to the controller; obtain a copy of the consumer’s personal data that was previously provided to the controller, in a portable, usable and transmittable format (to the extent feasible); and opt out of the processing of the consumer’s personal data for purposes of targeting advertising or the sale of personal data. 

Like the Virginia and Colorado privacy acts, the UCPA does not provide a private right of action, with violations only enforceable by the Utah Attorney General’s office. 

Have more Questions?