← Back to Blog

Utah Consumer Privacy Act (UCPA): The Most Business-Friendly Privacy Law

Utah's privacy law has the highest bar for applicability and the fewest consumer rights. Here's what makes it different and what you still need to do.

2026-03-01

The Utah Consumer Privacy Act (UCPA) took effect on December 31, 2023, making Utah one of the earliest states to pass a comprehensive privacy law. It's widely considered the most business-friendly state privacy law — with the highest applicability thresholds and the fewest consumer rights.

Who Does the UCPA Apply To?

The UCPA has a dual threshold — you must meet both a revenue requirement and a consumer count:

  • Annual revenue of at least $25 million, AND
  • Either control or process personal data of 100,000+ Utah consumers, OR control or process personal data of 25,000+ Utah consumers while deriving more than 50% of revenue from selling personal data

This dual requirement means the UCPA has the highest bar of any state privacy law. Most small-to-medium businesses won't meet both criteria. But if you do, compliance is required.

Consumer Rights — More Limited Than Other States

Utah provides fewer consumer rights than most state privacy laws:

  • Access personal data
  • Delete personal data
  • Data portability — obtain a copy
  • Opt out of sale and targeted advertising

Notably missing:

  • No right to correct inaccurate data
  • No right to opt out of profiling
  • No requirement to honor GPC signals
  • No required data protection assessments

Key Requirements

Privacy Notice

Standard disclosure requirements: data categories, purposes, third-party sharing, consumer rights, and data sale practices.

Sensitive Data

Opt-in consent required before processing sensitive data, including racial/ethnic origin, religious beliefs, health data, sexual orientation, biometric/genetic data, children's data, and precise geolocation.

Data Security

Controllers and processors must implement reasonable administrative, technical, and physical security practices to protect data confidentiality and integrity.

Response Timeline

45 days to respond to consumer requests. No specified extension period.

Enforcement

Enforced by the Utah Attorney General. No private right of action. Utah has a 30-day cure period that does not expire — the most lenient enforcement approach of any state.

Penalties can reach $7,500 per violation.

How Utah Compares

| Feature | Utah | Iowa | Virginia | California |

|---|---|---|---|---|

| Revenue threshold | $25M | None | None | $25M |

| Consumer threshold | 100K (+ revenue) | 100K | 100K | 50K |

| Right to correct | No | No | Yes | Yes |

| GPC required | No | No | No | Yes |

| DPAs required | No | No | Yes | Yes |

| Cure period | 30 days (permanent) | 90 days (permanent) | Expired | None |

Utah and Iowa are the two most business-friendly state privacy laws. If you're compliant with stricter states like California or Colorado, you're automatically covered for Utah.

Utah Compliance Checklist

  • Privacy policy with required disclosures
  • Cookie consent banner with opt-out for sale and targeted advertising
  • Consumer request process — 45-day response window
  • Sensitive data consent — opt-in
  • Data security — reasonable protections

Check Your Compliance

ClearConsent scans your site against all 19 US state privacy laws including Utah's UCPA.

Scan your site free — no signup required.

Ready to check your site's compliance?

ClearConsent scans your website against 21 privacy laws in under 60 seconds.

Scan Your Site Free