Does the Utah Consumer Privacy Act apply to your business?
Only if you are a larger business — Utah has the highest applicability bar of the state privacy laws. The UCPA reaches a controller or processor that does business in Utah or targets Utah residents, has annual revenue of $25,000,000 or more, and also meets a volume threshold: processing the data of 100,000 or more consumers a year, or 25,000 or more while deriving over 50% of revenue from selling personal data.
The combination is what makes Utah narrow: it requires a $25M revenue floor on top of a consumer-volume threshold, so a high-volume business under $25M is not covered (the inverse of Colorado, which has no revenue floor and even reaches nonprofits). As elsewhere, a consumer is a Utah resident acting in an individual or household context — not an employee or business contact — and the usual GLBA, HIPAA, and FCRA entity- and data-level exemptions apply.
Sources for this answer
Primary law
A.1 Utah Code § 13-61-102: The UCPA applies to a controller or processor doing business in Utah or targeting Utah residents that has $25,000,000+ annual revenue and meets a consumer-volume threshold.
This chapter applies to any controller or processor who: (a) (i) conducts business in the state; or (ii) produces a product or service that is targeted to consumers who are residents of the state; (b) has annual revenue of $25,000,000 or more; and (c) satisfies one or more of the following thresholds:
See Utah Code § 13-61-102(1).
What must your Utah privacy policy contain?
A covered controller must provide a reasonably accessible and clear privacy notice that lists the categories of personal data processed, the purposes of processing, how consumers exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties.
For a template privacy policy, section 13-61-302 is the content checklist. Utah's list is close to the other states' but lighter in two ways worth noting: the UCPA does not require a separate appeal process the way Colorado and Texas do, and it imposes no data-protection-assessment obligation. A controller that sells personal data or processes it for targeted advertising must still clearly disclose that and how to opt out.
Sources for this answer
Primary law
B.1 Utah Code § 13-61-302: A controller must provide a reasonably accessible and clear privacy notice listing the categories of personal data processed and the purposes of processing, among other required disclosures.
A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purposes for which the categories of personal data are processed;
See Utah Code § 13-61-302(1)(a).
What must your contracts with processors say?
Before a processor handles personal data on your behalf, the UCPA requires a contract — so a data processing agreement is a statutory prerequisite, not a best practice. The contract must set out the processing instructions, the nature and purpose of the processing, the data type and duration, and the parties' rights and obligations.
Section 13-61-301 adds the rest: the processor must keep personnel under a duty of confidentiality, and must bind any subcontractor by a written contract to the same obligations. A compliant template DPA carries each of these terms.
Sources for this answer
Primary law
C.1 Utah Code § 13-61-301: Before processing on a controller's behalf, the processor and controller must enter a contract setting out the processing instructions, nature and purpose, data type, duration, and the parties' rights and obligations.
Before a processor performs processing on behalf of a controller, the processor and controller shall enter into a contract that: (a) clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties' rights and obligations;
See Utah Code § 13-61-301(2).
Do you need consent to process sensitive data?
No — and this is where Utah is notably more permissive than other states. Rather than requiring opt-in consent, the UCPA lets a controller process an adult's sensitive data as long as it first presents the consumer with clear notice and an opportunity to opt out; for a known child, it must instead follow the federal Children's Online Privacy Protection Act.
This notice-and-opt-out model is the opposite of California, Colorado, and Texas, which all require affirmative opt-in consent before processing sensitive data. For a business operating across states, the practical consequence is that a Utah-only flow can rely on opt-out, but a multi-state template generally has to default to the stricter opt-in standard to stay compliant everywhere.
Sources for this answer
Primary law
D.1 Utah Code § 13-61-302: A controller may process an adult's sensitive data only after presenting clear notice and an opportunity to opt out; a known child's data must be handled under COPPA.
process sensitive data collected from a consumer without: (a) first presenting the consumer with clear notice and an opportunity to opt out of the processing; or (b) in the case of the processing of personal data concerning a known child, processing the data in accordance with the federal Children's Online Privacy Protection Act
See Utah Code § 13-61-302(3).
Can a consumer sue your business under the UCPA?
No. The Attorney General has exclusive authority to enforce the UCPA, so there is no private right of action for consumers. Enforcement runs through the Division of Consumer Protection (which takes complaints and investigates) and then the Attorney General, and a controller gets at least 30 days' written notice and a chance to cure before any action.
Unlike Colorado, Utah's cure period has not been repealed — it remains a built-in off-ramp. Penalties run up to $7,500 per violation. The compliance posture is still to build the notice, opt-out, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue before penalties attach.
Sources for this answer
Primary law
E.1 Utah Code § 13-61-402: The Attorney General has the exclusive authority to enforce the UCPA — there is no private right of action.
The attorney general has the exclusive authority to enforce this chapter.
See Utah Code § 13-61-402(1).
Primary law
E.2 Utah Code § 13-61-402: At least 30 days before an enforcement action, the Attorney General must give the controller or processor written notice of each alleged violation and a chance to cure.
At least 30 days before the day on which the attorney general initiates an enforcement action against a controller or processor, the attorney general shall provide the controller or processor: (i) written notice identifying each provision of this chapter the attorney general alleges the controller or processor has violated or is violating;
See Utah Code § 13-61-402(3)(a).