Law Updates | March 29, 2026 | 11 min read

Utah Consumer Privacy Act (UCPA): Complete 2026 Compliance Guide

What Is the Utah Consumer Privacy Act?

The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022, and became effective on December 31, 2023. Utah took the most business-friendly approach of the early state privacy laws, setting a high bar for applicability by requiring businesses to meet both a revenue threshold and a consumer data processing threshold before the law applies.

The UCPA follows the Virginia VCDPA model but is significantly narrower in scope. It omits the right to correction, the right to opt out of profiling, and an appeals process — making it one of the most limited state privacy laws from a consumer rights perspective. For businesses, this means compliance is generally simpler than under broader laws like California’s CCPA/CPRA or Maryland’s MODPA.

Use our Privacy Law Calculator to check whether the UCPA applies to your organization.

Who Does the UCPA Apply To?

The UCPA uses unique AND logic for its applicability thresholds, meaning a business must meet all of the following:

  • Annual revenue: $25 million or more; AND
  • Consumer data threshold (one of two):
    • Control or process personal data of 100,000 or more Utah consumers; OR
    • Control or process personal data of 25,000 or more Utah consumers and derive over 50% of gross revenue from the sale of personal data.

This AND-logic approach is unique among state privacy laws — most states (Virginia, Colorado, Connecticut, etc.) use OR logic, meaning meeting either threshold triggers the law. Utah’s approach significantly narrows the number of businesses subject to the UCPA.

The UCPA applies only to for-profit entities. Nonprofits, government entities, higher education institutions, and entities subject to HIPAA and GLBA are exempt.

Consumer Rights Under the UCPA

Utah consumers have a more limited set of rights compared to most other state privacy laws:

  • Right to access: Confirm whether a controller is processing their personal data and access that data.
  • Right to deletion: Delete personal data provided by the consumer.
  • Right to data portability: Obtain a copy of their personal data in a portable, readily usable format.
  • Right to opt out of sale: Opt out of the sale of their personal data.
  • Right to opt out of targeted advertising: Opt out of the processing of personal data for targeted advertising.

Notable omissions: The UCPA does not include a right to correction, a right to opt out of profiling, or an appeals process. This makes it the most limited of the major state privacy laws in terms of consumer rights.

Controllers must respond to consumer requests within 45 days, with a possible 45-day extension. Controllers must fulfill one request per consumer per year free of charge.

Sensitive Data and Consent Requirements

Like other state privacy laws, the UCPA requires opt-in consent before processing sensitive personal data. Sensitive data categories include:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status
  • Biometric data for identification purposes
  • Specific geolocation data

The UCPA also requires opt-in consent before processing personal data of known children under 13, consistent with COPPA. However, there are no additional protections for teens aged 13–17 beyond standard requirements.

Enforcement and Penalties

The UCPA is enforced exclusively by the Utah Attorney General. There is no private right of action.

  • 30-day cure period: The AG must notify the business of a violation and provide 30 days to cure. This cure period is permanent with no sunset provision.
  • Penalties: Up to $7,500 per violation.
  • No private right of action: Consumers cannot sue businesses directly for UCPA violations.

Utah’s enforcement approach is among the most lenient. The permanent cure period, combined with the high applicability thresholds, means most small and mid-size businesses have significant protection from enforcement actions.

GPC and Universal Opt-Out

The UCPA does not require businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC). Utah took a deliberate business-friendly approach by not mandating automated signal recognition.

If your business operates across multiple states, you may still need to support GPC for California, Colorado, Connecticut, Texas, Montana, Delaware, Oregon, Maryland, and other states. Use our GPC Compliance Checker to determine your obligations.

2026 Updates: HB 357 Motor Vehicle Amendment

The most significant change to the UCPA in 2026 is HB 357, signed by Governor Spencer Cox on March 19, 2026, and effective May 6, 2026. This amendment extends the UCPA to motor vehicle manufacturers under special rules:

  • Bypasses standard thresholds: Motor vehicle manufacturers that collect, transmit, or store personal data through vehicle data collection systems are subject to the UCPA regardless of the $25M revenue and consumer count thresholds.
  • In-vehicle privacy controls: Starting with 2029 model year vehicles, manufacturers must provide on-screen or in-vehicle controls enabling consumers to: view data collection categories, opt out of data sales and targeted advertising, and delete readily accessible personal data.
  • Safety exemptions: Certain operational and safety-related data (e.g., emergency features, crash data, theft tracking) is exempt from consent requirements.
  • Consumer notifications: The Motor Vehicle Division must publish motor vehicle data privacy rights information and notify consumers during title transfers.

This is notable because Utah is one of the first states to specifically address connected car data privacy through amendments to its comprehensive privacy law.

Utah also signed HB 498 in 2026, adding requirements for pre-installed applications and app store providers regarding data privacy disclosures.

How the UCPA Compares to Other State Privacy Laws

  • Highest applicability bar: The UCPA’s AND-logic thresholds (requiring both $25M revenue and consumer counts) mean far fewer businesses are subject to the law compared to states using OR logic like Virginia, Colorado, and Connecticut.
  • Most limited consumer rights: No right to correction, no opt-out of profiling, no appeals process. Only Iowa’s ICDPA comes close in terms of limited rights.
  • For-profit only: Unlike Virginia and Connecticut (which cover all entities), the UCPA only applies to for-profit businesses.
  • No GPC requirement: Joins Virginia, Iowa, Indiana, and Tennessee in not requiring universal opt-out recognition.
  • Permanent cure period: Like Virginia and Texas, Utah’s 30-day cure period does not sunset.
  • First motor vehicle privacy amendment: HB 357 makes Utah a leader in connected car data privacy regulation.

Use our State Comparison Tool to see how Utah stacks up against all 20+ state privacy laws.

6-Step UCPA Compliance Plan

  1. Determine applicability — Confirm your organization meets BOTH the $25M annual revenue threshold AND one of the consumer data processing thresholds. Use the Privacy Law Calculator. If you’re a motor vehicle manufacturer, HB 357 applies regardless of these thresholds.
  2. Update privacy notices — Include UCPA-required disclosures: categories of personal data processed, processing purposes, how consumers can exercise their rights, categories of personal data shared with third parties, and categories of those third parties.
  3. Implement opt-out mechanisms — Provide clear mechanisms for consumers to opt out of the sale of personal data and targeted advertising. While GPC is not required, consider implementing it for multi-state compliance.
  4. Obtain sensitive data consent — Implement opt-in consent workflows for all sensitive data categories before processing. Review children’s data practices for COPPA alignment.
  5. Build consumer rights workflows — Create intake, verification, and fulfillment processes for access, deletion, and portability requests. Configure 45-day response timelines.
  6. Review processor contracts — Ensure all data processor agreements include UCPA-mandated provisions: clear instructions for processing, duty of confidentiality, subprocessor requirements, and return/deletion obligations at contract end.

For a detailed walkthrough, visit our Utah Compliance Checklist.

Frequently Asked Questions

Does the UCPA apply to small businesses?

Only if the small business has $25M+ in annual revenue and meets one of the consumer data thresholds. The AND-logic approach means most small businesses are not subject to the UCPA. However, motor vehicle manufacturers are now covered regardless of these thresholds under HB 357.

Can consumers correct their data under the UCPA?

No. The UCPA does not include a right to correction. Consumers can access, delete, and port their data, and opt out of sale and targeted advertising — but they cannot require a business to correct inaccurate data.

How does the UCPA interact with HIPAA?

The UCPA exempts HIPAA-covered entities and business associates at the entity level. This is the same broad entity-level exemption used by Virginia and most other state privacy laws.

What happens after HB 357 takes effect on May 6, 2026?

Motor vehicle manufacturers collecting personal data through vehicle systems become subject to the UCPA regardless of revenue or consumer count thresholds. The in-vehicle privacy control requirements apply starting with 2029 model year vehicles. Manufacturers should begin planning compliance now.

This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.
