Utah Consumer Privacy Act
Posted: April 30 2026
The Utah Consumer Privacy Act (“UCPA”) is a state law that provides residents of Utah rights when interacting with businesses that collect, use, and sell their personal data.
History
2022
The Utah Consumer Privacy Act (UCPA), S.B. 277, was signed into law on March 24, 2022.
2023
The UCPA went into effect on December 31, 2023.
Amendments
| Bill | Effective Date | Description |
|---|---|---|
| HB 418 | July 1, 2026 | Adds the right of consumers to correct inaccuracies in their personal data. |
In March of 2025, the UCPA was amended by HB 418 to include the right of consumers to correct inaccuracies in their personal data. This change will go into effect on July 1, 2026.[1]
Scope
Who
The UCPA is intended to protect personal data of consumers – people who are residents of Utah that are not acting as a business or employee.[2]
The UCPA applies to persons that conduct business in Utah or produce products or services targeted to residents of Utah, have an annual revenue of $25,000,000 or more, and meet one of the following[3]:
- control or process the personal data of 100,000 or more consumers during a calendar year, or
- derive over 50% of their revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.
The UCPA distinguishes between controllers and processors.[4] A controller is an entity that, in conducting business in Utah, determines the purposes and means for processing personal data.[5] A processor is an entity that processes personal data on behalf of a controller.[6]
Processing means any operation performed on personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.[7]
The UCPA imposes restrictions and obligations on the relationship between controllers and processors – requiring that processors follow instructions from the controller related to how personal data may be processed.[8] Contracts between controllers and processors must include the following[9]:
- the instructions for processing personal data,
- the types of personal data to be processed,
- the purpose for processing the personal data,
- the duration of the processing,
- a duty of confidentiality, meaning the data is protected from disclosure to or access by unauthorized parties, and
- an obligation that any subcontractors of the processor have controls to protect personal data that are at least as protective as the obligations in the agreement between the controller and the processor.
What
Personal Data
The UCPA regulates how companies can collect, use, and share personal data. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable person, subject to some exceptions.[10]
Sensitive Data
The UCPA provides additional protections around a subcategory of personal data – sensitive data.[11] Sensitive data is treated differently because misuse, loss, or unauthorized disclosure of the data can have a more significant impact on consumers than with other types of personal data. For example, this data can facilitate discrimination, financial loss, identity theft, or reputational damage.
Sensitive data under the UCPA includes[12]:
- racial or ethnic origin (except personal data revealing racial or ethnic origin that is processed by a video communication service),
- religious beliefs,
- sexual orientation,
- citizenship or immigration status,
- information regarding medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional,
- genetic or biometric data if such data is used for the purpose of identifying a specific individual, and
- geolocation data that identifies an individual’s location within 1,750 feet.
Sensitive data does not include health information processed by a healthcare provider licensed under Utah law to operate a healthcare facility or to practice a healthcare profession.
Exemptions
Exempt Entities
The UCPA does not apply to the following entities[13]:
- governmental entities or third parties that contract with government entities acting on behalf of the government entity,
- tribes,
- higher education institutions,
- nonprofit corporations,
- covered entities and business associates as defined in the Health Insurance Portability and Accountability Act (HIPAA), and
- air carriers as defined under 49 U.S.C. Sec. 40102, which governs transportation.
The following types of data are exempt from the UCPA[14]:
- Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA),
- Patient Identifying Information for the purposes of 42 U.S.C. § 290dd-2, which covers confidentiality of records related to substance abuse and mental health services,
- identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, which governs research involving human subjects,
- identifiable private information that is collected as part of human subjects research pursuant to the “Good Clinical Practice” guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or for the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, which govern research involving human subjects,
- information collected and maintained by a committee listed in Utah Code Section 26B-1-204, which governs the Utah Department of Health and Human Services (DHHS),
- information and documents created for purposes of the Health Care Quality Improvement Act of 1986 (42 USC 11101 et seq.),
- patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.),
- information used for public health activities and purposes as authorized by HIPAA,
- collection, maintenance, disclosure, sale, communication, or use of personal data bearing on a consumer's credit worthiness to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.),
- data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.),
- personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.),
- personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.),
- personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.),
- data processed or maintained for applications for employment or employment purposes,
- emergency contact information used for emergency contact purposes in an employment or contractor setting, and
- data necessary to administer benefits in an employment or contractor setting.
Deidentified Data
The UCPA includes an exemption for deidentified data.[15]
Deidentified data is data that cannot reasonably be linked to an identified or identifiable individual.[16] Controllers processing deidentified data must[17]:
- take reasonable measures to ensure that the data is deidentified and cannot be linked to an individual,
- publicly commit to not attempt to reidentify the data, and
- contractually obligate recipients to not attempt to reidentify the data.
Publicly Available Data
The UCPA does not apply to publicly available information.[18] Publicly available information is information that is[19]:
- lawfully made available through government records,
- reasonably believed by a person to have been lawfully made available to the general public by a consumer or by widely distributed media, or
- obtained from a person to whom the consumer disclosed the information, where the consumer did not restrict the information to a specific audience.
Pseudonymous Data
Pseudonymous data is data that cannot be attributed to a specific individual without the use of additional information, where that additional information is kept separately and is subject to appropriate technical and organizational measures.[20] Where a controller demonstrates that this additional information is kept separately and protected by such measures, so that the personal data is not attributed to an identified or identifiable individual, the consumer’s rights to confirm processing, access their personal data, request deletion of consumer-provided data, and obtain a portable copy of their personal data do not apply to that pseudonymous data. The right to opt out is not affected.[21]
Rights
Consumers have several rights under the UCPA[22]:
- Right to Know,
- Right to Delete,
- Right to Opt-Out, and
- Right to Not Be Discriminated Against.
Right to Know
Consumers have the right to know whether a controller is processing their personal data and what personal data is being processed about them.[23] This includes the right to obtain a copy of personal data the consumer previously provided to the controller, in a format that is portable such that the consumer can transmit the data to another controller.[24]
Additionally, this right is embodied in the various disclosures that controllers must make in their privacy notice. The notice must include[25]:
- the categories of personal data processed by the controller,
- the purpose for processing personal data,
- how consumers can exercise their rights,
- the categories of personal data that the controller shares with third parties,
- the categories of third parties with whom the controller shares personal data, and
- if applicable, how a consumer may opt out of the sale of personal data or targeted advertising.
Right to Delete
Consumers have the right to request that a controller delete any personal data provided by the consumer.[26]
Right to Opt Out
Consumers have the right to opt out of a controller processing their personal data for the purpose of targeted advertising, the sale of personal data, and the processing of sensitive data.[27]
Targeted advertising means displaying advertisements to a consumer that are selected based on personal data obtained over time from the consumer’s activities across nonaffiliated websites or online applications and used to predict the consumer’s preferences or interests.[28] Targeted advertising does not include[29]:
- advertising based on a consumer’s activities within a controller's own (or affiliated) websites or online applications,
- advertising based on the context of a consumer's current search query or current visit to a website or online application,
- advertisements directed to a consumer in response to the consumer's request for information or feedback, and
- personal data processed solely for measuring or reporting advertising performance, reach, or frequency.
Sale of data occurs when a controller exchanges personal data with a third party for monetary consideration.[30] Sale does not include[31]:
- the disclosure of personal data to a processor that processes the personal data on behalf of the controller,
- the disclosure or transfer of personal data to an affiliate of the controller,
- the disclosure of personal data to a third party if the disclosure is consistent with the expectations of the consumer (considering context),
- the disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or the parent/legal guardian of a child,
- the disclosure or transfer of personal data when a consumer directs the controller to disclose the data or to interact with one or more third parties,
- the disclosure of information that the consumer intentionally made available to the general public via mass media and did not restrict to a specific audience, and
- the disclosure of personal data as part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
Sensitive data presents a greater risk of harm if misused or inappropriately disclosed to third parties. Accordingly, consumers have the right to opt out of the processing of sensitive data.[32]
Right to Not Be Discriminated Against
Consumers also have the right to not be discriminated against by a controller for exercising their consumer rights.[33] A controller cannot deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods and services to the consumer because that consumer exercised their UCPA rights.[34]
However, the UCPA does not prevent a controller from offering different prices, rates, levels, qualities, or selections of goods or services where the consumer has opted out of targeted advertising, or where the differential is part of a bona fide loyalty, rewards, premium-features, discounts, or club-card program.[35]
Exercising Rights
A consumer may exercise their rights to know, delete, or opt out under the UCPA by submitting a request to the controller that specifies the right they wish to invoke.[36]
A controller must respond to the consumer’s request within 45 days of receipt and may request additional information needed to authenticate the consumer and their request.[37] If reasonably necessary due to the complexity or quantity of consumer requests, the controller may extend their response period by 45 days so long as the controller notifies the consumer within the initial 45-day period of such extension and provides a reason for the extension.[38]
Furthermore, a controller must provide information in response to a consumer request free of charge, up to one time per year.[39] If a consumer’s requests are unfounded, excessive, or repetitive, the controller may charge a reasonable administrative fee or refuse to act on the request.[40] A controller may also refuse the request if they cannot reasonably authenticate the consumer.[41]
Enforcement
The Attorney General of Utah has sole authority to enforce the provisions of the UCPA.[42] Prior to initiating an enforcement action, the Attorney General must provide the subject of their investigation with a written explanation of each allegation and an opportunity to cure the violation within 30 days.[43] If the violation is not cured, penalties may include actual damages to the consumer and up to $7,500 per violation.[44] Any money recovered from violations shall be deposited into the Consumer Privacy Account, an account established by the UCPA.[45] Money from the Consumer Privacy Account may be used for the following[46]:
- investigations and administrative costs related to UCPA investigations,
- costs and attorney fees related to enforcement of the UCPA, and
- consumer and business education of consumer rights under the UCPA and controller and processor obligations under the UCPA.
Notes
1. H.B. 418, 2025 Gen. Sess. (Utah 2025), § 2 (enrolled) (amending Utah Code § 13-61-201, eff. July 1, 2026).
2. Utah Code § 13-61-101(10).
3. Utah Code § 13-61-102(1).
4. Utah Code § 13-61-101(12), (26).
5. Utah Code § 13-61-101(12).
6. Utah Code § 13-61-101(26).
7. Utah Code § 13-61-101(25).
8. Utah Code § 13-61-301(1).
9. Utah Code § 13-61-301(2).
10. Utah Code § 13-61-101(24).
11. Utah Code § 13-61-101(32); see also id. § 13-61-302(3).
12. Utah Code § 13-61-101(32)(a); see also id. § 13-61-101(33)(a) (specific geolocation data).
13. Utah Code § 13-61-102(2)(a)-(f), (q).
14. Utah Code § 13-61-102(2)(g)-(q).
15. Utah Code § 13-61-101(24)(b); see also id. §§ 13-61-101(14), 13-61-303.
16. Utah Code § 13-61-101(14)(a)(i).
17. Utah Code § 13-61-101(14)(a)(ii).
18. Utah Code § 13-61-101(24)(b), (29).
19. Utah Code § 13-61-101(29).
20. Utah Code § 13-61-101(28).
21. Utah Code § 13-61-303(2).
22. Utah Code §§ 13-61-201(1)-(4), 13-61-302(4)(a).
23. Utah Code § 13-61-201(1).
24. Utah Code § 13-61-201(3).
25. Utah Code § 13-61-302(1).
26. Utah Code § 13-61-201(2).
27. Utah Code §§ 13-61-201(4), 13-61-302(3).
28. Utah Code § 13-61-101(35)(a).
29. Utah Code § 13-61-101(35)(b).
30. Utah Code § 13-61-101(31)(a).
31. Utah Code § 13-61-101(31)(b).
32. Utah Code § 13-61-302(3).
33. Utah Code § 13-61-302(4)(a).
34. Id.
35. Utah Code § 13-61-302(4)(b).
36. Utah Code § 13-61-202(1).
37. Utah Code § 13-61-203(1)-(2)(a), (5).
38. Utah Code § 13-61-203(2)(b)-(c).
39. Utah Code § 13-61-203(4)(a).
40. Utah Code § 13-61-203(4)(b)(i).
41. Utah Code § 13-61-203(5)(a).
42. Utah Code § 13-61-402(1).
43. Utah Code § 13-61-402(3)(a)-(b).
44. Utah Code § 13-61-402(3)(c)-(d).
45. Utah Code § 13-61-402(4); see also id. § 13-61-403(1)-(2).
46. Utah Code § 13-61-403(3).