What the UCPA Covers and Why It Differs from Other State Laws

Utah signed the Consumer Privacy Act into law on 24 March 2022, becoming the fourth US state to pass comprehensive privacy legislation after California, Virginia, and Colorado. The law took effect on 31 December 2023.

What sets the UCPA apart is its deliberately narrow scope. The Utah legislature drafted a law that leans toward business interests rather than expanding consumer rights. There is no private right of action, no requirement for data protection assessments, and no right for consumers to correct inaccurate data. If your organisation already complies with the Virginia Consumer Data Protection Act (VCDPA), you are likely close to UCPA compliance - though there are subtle differences worth understanding.

The Utah Division of Consumer Protection and the Office of the Attorney General share enforcement duties. As of mid-2025, the Division had received just 32 consumer complaints, with only one referral to the Attorney General. The first significant enforcement action came in June 2025, when Utah sued Snap, Inc. for failing to disclose data-sharing practices and for collecting sensitive data from minors without proper consent.

Applicability Thresholds: Which Businesses Must Comply

The UCPA applies to entities that conduct business in Utah or target products and services to Utah residents. Two additional conditions must be met.

First, the entity must have annual revenue of at least $25,000,000. Second, it must meet one of the following data processing thresholds:

  • Control or process the personal data of 100,000 or more Utah consumers per year, or
  • Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers

These thresholds are higher than many other state laws. The Texas Data Privacy and Security Act, for example, has no revenue threshold at all. The practical effect is that the UCPA excludes most small and mid-sized businesses.

Consumer Rights Under the UCPA

The UCPA grants consumers a narrower set of rights than its counterparts. Utah residents can request access to their personal data, delete data they have provided, obtain a copy in a portable format, and opt out of the sale of personal data or targeted advertising.

Several rights available in other US state privacy laws are missing here. There is no right to correct inaccurate data. There is no right to opt out of profiling. There is no appeal mechanism if a business denies a consumer request.

Consumer Right            UCPA   VCDPA   CCPA/CPRA   CPA (Colorado)
Access personal data      Yes    Yes     Yes         Yes
Delete personal data      Yes    Yes     Yes         Yes
Data portability          Yes    Yes     Yes         Yes
Opt out of sale           Yes    Yes     Yes         Yes
Opt out of targeted ads   Yes    Yes     Yes         Yes
Correct inaccurate data   No     Yes     Yes         Yes
Opt out of profiling      No     Yes     Yes         Yes
Appeal denied request     No     Yes     No          Yes
Private right of action   No     No      Limited     No

Businesses must respond to consumer requests within 45 days. A 45-day extension is available when reasonably necessary. Responses must be provided free of charge once per 12-month period.

Sensitive Data: Opt-Out, Not Opt-In

This is one of the UCPA's most notable departures from other frameworks. Virginia, Colorado, and Connecticut all require opt-in consent before processing sensitive data. Utah requires only that controllers provide clear notice and an opportunity to opt out.

Sensitive data under the UCPA includes racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history, genetic or biometric data, and geolocation data.

The opt-out approach to sensitive data significantly reduces the compliance burden. A business processing biometric data in Utah need only disclose the practice and offer an opt-out mechanism - it does not need to collect affirmative consent before processing begins. This contrasts sharply with the GDPR consent requirements, which demand explicit opt-in for special category data.

Definition of Sale: Monetary Consideration Only

The UCPA defines a sale as the exchange of personal data for monetary consideration by a controller to a third party. This is a narrower definition than California's CCPA, which covers exchanges for "monetary or other valuable consideration."

Under California law, sharing data with an advertising partner in exchange for analytics services could qualify as a sale. Under Utah law, it would not - unless actual money changes hands. This distinction means fewer transactions trigger the opt-out sale requirement.

The definition also excludes several common data-sharing scenarios: disclosures to processors acting on a controller's behalf, disclosures to affiliates, disclosures the consumer intentionally made public, and disclosures made as part of a merger or acquisition.

No Data Protection Assessment Requirement

Unlike the VCDPA, Colorado Privacy Act, and GDPR, the UCPA does not require businesses to conduct data protection impact assessments for high-risk processing activities. There is no obligation to document the risks and benefits of targeted advertising, profiling, or processing sensitive data.

For businesses already conducting DPIAs under other laws, this changes little. But for organisations subject only to the UCPA, it removes a significant administrative requirement.

Privacy Notice Obligations

Controllers must publish a reasonably accessible and clear privacy notice. The notice must include:

  • Categories of personal data processed
  • Purposes for processing
  • How consumers can exercise their rights
  • Categories of data shared with third parties
  • Categories of third parties receiving data

If a controller sells personal data or uses it for targeted advertising, the privacy notice must clearly disclose this and explain how consumers can opt out. The UCPA does not mandate a specific opt-out method - unlike California, which requires a "Do Not Sell or Share My Personal Information" link. Businesses are free to choose their own mechanism, whether that is a settings page, a form, or a Global Privacy Control signal.

That said, the UCPA does not explicitly require recognition of universal opt-out signals such as GPC. Several other states, including Colorado and Connecticut, do mandate GPC recognition.

Enforcement and the 30-Day Cure Period

Only the Utah Attorney General can enforce the UCPA. Consumers cannot sue businesses directly for violations. Before filing an action, the Attorney General must issue a 30-day cure notice, giving the business time to fix the violation.

Unlike cure periods in other states, the UCPA's cure period has no sunset provision. In Colorado, for example, the cure period expired on 1 January 2025. Utah's cure period is permanent - a business will always have 30 days to remedy a violation before facing enforcement.

The enforcement structure itself has drawn criticism. The July 2025 evaluation report noted that investigations typically begin with consumer complaints filed with the Division of Consumer Protection, which then refers substantiated cases to the Attorney General. If the Attorney General identifies a violation independently, it must route the matter through the Division first, creating a bureaucratic loop.

Penalties for non-compliance can reach $7,500 per violation. The Attorney General may also seek injunctive relief and recover investigation costs.

How the UCPA Affects Cookie Consent and Tracking

The UCPA follows an opt-out model for cookies and tracking technologies used in targeted advertising. If your website uses marketing cookies or advertising pixels to deliver targeted ads to Utah visitors, you must disclose this in your privacy notice and provide an opt-out.

You are not required to obtain consent before setting these cookies - this is a critical difference from the EU's ePrivacy Directive, which requires opt-in consent for non-essential cookies. For websites that already run a cookie consent banner for European visitors, the simplest approach is to configure geo-specific behaviour: opt-in for EU and UK traffic, opt-out for Utah.

Kukie.io's geo-detection feature can apply different consent models based on a visitor's location, handling both opt-in and opt-out requirements from a single installation.

Compliance Checklist for the UCPA

If your organisation meets the revenue and data processing thresholds, take these steps:

  1. Audit your data collection practices - identify all categories of personal data you process from Utah consumers
  2. Update your privacy notice to disclose data categories, purposes, third-party sharing, and consumer rights
  3. Implement an opt-out mechanism for targeted advertising and data sales
  4. If you process sensitive data, ensure you provide clear notice and an opt-out before processing
  5. Establish a process for handling access, deletion, and portability requests within 45 days
  6. Review processor contracts to ensure they meet UCPA requirements
  7. Run a cookie audit to identify tracking technologies that qualify as targeted advertising tools

Frequently Asked Questions

Does the UCPA require opt-in consent for cookies?

No. The UCPA follows an opt-out model. Businesses may set cookies for targeted advertising without prior consent, provided they disclose the practice and offer a way to opt out.

What is the revenue threshold for the Utah Consumer Privacy Act?

A business must have annual revenue of at least $25,000,000 and meet one of two data processing thresholds: processing data of 100,000 or more consumers, or deriving over 50% of revenue from data sales while processing data of 25,000 or more consumers.

Can consumers sue businesses under the UCPA?

No. The UCPA does not include a private right of action. Only the Utah Attorney General can enforce the law.

Does the UCPA require recognition of Global Privacy Control signals?

No. Unlike Colorado and Connecticut, Utah does not require businesses to honour universal opt-out signals such as GPC. However, implementing GPC support is considered good practice for multi-state compliance.

How does the UCPA handle sensitive personal data?

The UCPA requires controllers to provide notice and an opportunity to opt out before processing sensitive data. This differs from most other state laws, which require opt-in consent for sensitive categories.

What happens if a business violates the UCPA?

The Attorney General must first issue a 30-day cure notice. If the business fails to fix the violation within that period, the AG can pursue civil penalties of up to $7,500 per violation.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets or how they interact with Utah's opt-out requirements, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
