Applies to for-profit businesses with $25M+ annual revenue that either process 100,000+ Utah consumers' data or earn 50%+ of revenue from data sales. The narrowest of the comprehensive state laws.
Effective
2023-12-31
Penalty max
$7,500
Cure period
30 days
Honor GPC
Not required
Overview
The Utah Consumer Privacy Act (UCPA) took effect December 31, 2023. Utah took a deliberately business-friendly approach: there is no requirement to honor browser-level Global Privacy Control (GPC) signals, no right to correction, no opt-out for profiling, and no data protection assessment requirement. The applicability threshold is also higher than most states — you must have $25M+ in annual revenue AND meet a consumer-count or data-sales threshold. The Utah AG (Division of Consumer Protection) has a permanent 30-day cure period.
Who it applies to
Businesses processing personal data of 100,000+ Utah residents annually.
Businesses processing personal data of 25,000+ Utah residents AND deriving 50%+ of revenue from selling personal data.
For-profit businesses with $25M+ in annual revenue (CCPA/CPRA-style threshold).
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
What this means for e-commerce
Utah is the most business-friendly of the comprehensive state privacy laws — no requirement to honor GPC signals, no right to correction, no profiling opt-out, and no data protection assessment requirement. But the $25M revenue threshold filters out many smaller stores; if you cross it, you have a permanent 30-day cure period to fix violations before enforcement.
Penalties & enforcement
Enforced by the Utah Attorney General (Division of Consumer Protection). Penalties range from $0 to $7,500 per violation.
Utah provides a 30-day cure period (permanent). The AG must give you written notice of an alleged violation and time to fix it before bringing an enforcement action.
Compliance checklist
Determine whether you cross the $25M revenue threshold (combined with 100K Utah consumers or 25K + 50% data sales)
Add an opt-out link for targeted advertising and data sales in your site footer
Update privacy policy with UCPA-required disclosures
Respond to consumer requests within 45 days
Update vendor and processor agreements with UCPA-required terms
Obtain opt-in consent before processing sensitive personal data
Does the UCPA apply to your business?
Run a free 60-second compliance check across all state privacy laws — including Utah.
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.