Utah

• Utah Consumer Privacy Act (UCPA)
• Code: Utah Code §§ 13-61-101 to -404

Effective Date:  December 31, 2023

Threshold

For-profit entities that:
Conduct business in Utah or target products and services to consumers who are residents of the state;

• have annual revenues of at least $25 million; and
• meet one of two threshold requirements:
  • Annually control or process the personal data of 100,000 or more Utah residents ("consumers"); or
  • Derive over 50 percent of gross revenue from the "sale" of personal data and control or process personal data of 25,000 or more consumers

Definition of "Personal Data"

Information that is linked or reasonably linkable to an identified individual or an identifiable individual. Personal data does not include data from people acting in an employment or commercial context.

Definition of "Sensitive Data"

As with all state general privacy laws, includes the following Personal Data:

• Race or ethnic origin;
• Religious beliefs;
• Citizenship or immigration status;
• Genetic data;
• Biometric data;
• Information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; and 
• Sexual orientation.

In addition, Utah's definition also includes:

• Specific geolocation data.

Definition of "Sale"

Exchange of personal data for monetary consideration by a controller to a third party

Data-Protection Assessments

No

Opt-In Consent Required for Processing Sensitive Data 

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads

Yes

Consumer Right to Opt Out of Profiling

No

Pseudonymous Data Exempt from Consumer Requests

Yes

Appeal Rights

No

Universal Opt-Out Mechanism Required Recognition/Date

No

Data of Minors

Process personal data of a known child in accordance with COPPA

GLBA Exemption

Yes (both entity-level and data-level)

HIPAA Exemption

Yes (entity-level)

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Does not apply to commercial or employment context; applies in an individual or household context

Nonprofit Exemption

Yes

Private Right of Action

No

Cure Period

30 Days

Cure Period Expiration

No

Enforcement Authority/Damages

Attorney General/up to $7,500 per violation

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.