The Utah Consumer Privacy Act (UCPA) is Here | TrustArc
Source URL: https://trustarc.com/resource/utah-consumer-privacy-act-ucpa/
New Utah privacy law passes legislature

Utah became the 4th state to pass a consumer data privacy law on March 24, 2022. Joining California, Colorado, and Virginia, Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law. With the number of consumer privacy bills currently in the legislative process, Utah is likely the first of several states to pass a privacy law in 2022.

The Utah privacy law shares similarities with the GDPR and other US state privacy laws. However, Utah does add some unique aspects for organizations to consider. While the UCPA should remain on your privacy officer's radar, you have time to comply: the Utah privacy law has an effective date of December 31, 2023.

What organizations need to know about the Utah privacy law

The Utah Consumer Privacy Act applies if you conduct business in Utah. It also applies if you produce or deliver commercial products or services targeted to Utah residents, with annual revenue of at least $25 million plus one of the following:

- Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
- Derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers.

Consumers refer to Utah residents, but not within the B2B or employment contexts. Personal data is information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified, aggregated, or publicly available information.

The Utah privacy law blends California's minimum revenue amount with Colorado and Virginia's approach of viewing revenue from the sale of consumer data and processing or controlling the data of 25,000 consumers.

How will the Utah Consumer Privacy Act be enforced?

- Consumer complaints and investigations will be conducted through the Utah Division of Consumer Protection.
- If the division finds reasonable cause to believe that substantial evidence of a violation exists, the case will be referred to the Utah Attorney General.
- An organization will receive 30 days' advance notice of any enforcement action. The notice will include an explanation and the provision being violated. It is possible to rectify the violation within that 30-day period by providing a written explanation to the AG. Otherwise, the AG may seek actual damages to the consumer with penalties of up to $7,500 for each violation.

If multiple entities are involved in violating the Utah privacy law, liability will be allocated according to the principles of comparative fault. Each party is responsible for its respective contribution to the violation.

The UCPA does not restrict an organization's ability to:

- comply with a federal, state, or local law, rule, or regulation;
- comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity;
- detect, prevent, protect against, or respond to a security incident, identity theft, fraud, or any illegal activity, or investigate, report, or prosecute a person responsible for any of those actions;
- engage in public or peer-reviewed scientific, historical, or statistical research in the public interest if the organization discloses the required processing in a notice;
- process personal data to conduct internal analytics or other research to develop, improve, or repair a controller or processor's product, service, or technology;
- process personal data to perform an internal operation that is reasonably aligned with the consumer's expectations based on the consumer's existing relationship with the controller;
- retain a consumer's email address to comply with the consumer's request to exercise a right.

An organization is not considered to be in violation of the UCPA if:

- the controller or processor discloses personal data to a third-party controller or processor in compliance with this chapter;
- the third party processes the personal data in violation of this chapter; and
- the disclosing controller or processor did not have actual knowledge of the third party's intent to commit a violation of this chapter.

Consumer rights and consent under the UCPA

Similar to the GDPR and other privacy laws recently enacted, the Utah Consumer Privacy Act demands transparency around how data is processed and shared. Organizations must provide consumers with a privacy notice that is accessible and clear. Consumers have a right to know if a controller is processing their data. Organizations must provide consumers with advance notice and an opportunity to opt out of the processing of personal data. This also includes the consumer right to access.

Additionally, consumers have a right to portability. Organizations are required to provide access in a portable format that enables consumers to transmit data to another entity without barriers.

Organizations must respond to consumer requests within 45 days of receiving the request. Extensions are available depending on the number of requests, as long as consumers are informed of the delay. If a request is denied, reasons must be provided within 45 days.

Selling personal data

If your organization sells personal data, it must clearly disclose how consumers can exercise their right to opt out of the sale or processing of their data for targeted advertising.

The Utah privacy law also details specific responsibilities for both controllers and processor contracts in regard to the handling of data. Based on the organization's size, scope, and type, security practices that are appropriate for the nature and volume of the personal data processed are required. Establishing technical and physical security practices protects the confidentiality and integrity of personal data and reduces the reasonably foreseeable risk of harm to consumers.

Business expectations

The UCPA does allow businesses to refuse services or products in certain circumstances. This is permitted only when personal data is needed to provide a service or product and the consumer refuses to provide the data or to let the organization process it. Consequently, the business would not be required to perform its service or provide its product.

An organization is not permitted to charge a consumer for their first request within a 12-month period. However, a controller may charge a reasonable fee to cover administrative costs if requests are excessive, repetitive, technically infeasible, or manifestly unfounded. If the organization does charge a fee or refuses to act, the burden will fall on you, the controller/processor, to prove the justification.

Bonus compliance tip: If you're already planning for Utah's privacy obligations, don't overlook the state's new AI disclosure law. The Utah Artificial Intelligence Policy Act, which took effect in 2024, introduces requirements for transparency and risk mitigation when using generative AI. It's a landmark piece of legislation—and a signal that AI governance is quickly becoming part of the broader compliance equation.