How is the UCPA different from other state privacy laws?

The UCPA is the most business-friendly state privacy law. It requires meeting BOTH a $25M revenue threshold AND a consumer data processing threshold (AND logic), whereas most states use OR logic. It also omits the right to correction and an appeals process.

Who does the UCPA apply to?

The UCPA applies to businesses with $25M+ annual revenue that also process personal data of 100,000+ Utah consumers, or 25,000+ consumers while deriving 50%+ of revenue from data sales.

Utah Privacy Law

Q: Does Utah require GPC recognition?

No. The UCPA does not require businesses to honor universal opt-out mechanisms like Global Privacy Control.

Q: How does HB 357 affect motor vehicle manufacturers in Utah?

HB 357, signed in March 2026 and effective May 6, 2026, extends the UCPA to motor vehicle manufacturers that collect personal data through vehicle systems — regardless of the standard $25M revenue and consumer count thresholds. Starting with 2029 model year vehicles, manufacturers must provide in-vehicle privacy controls for consumers to view data categories, opt out of sales and targeted ads, and delete data. Safety and operational data is exempt from consent requirements.

Utah Consumer Privacy Act

Effective: December 31, 2023Active

Overview

The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022, and became effective on December 31, 2023. Utah adopted the most business-friendly approach of the early state privacy laws, requiring both revenue and consumer thresholds to be met (using AND logic rather than OR), and providing fewer consumer rights than most other state privacy laws. The UCPA provides Utah consumers with rights to access, delete, and obtain a portable copy of their personal data, as well as the right to opt out of the sale of personal data and targeted advertising. Notably, the UCPA does not include a right to correction or an appeals process, making it one of the more limited state privacy laws from a consumer rights perspective. The law applies to controllers and processors that conduct business in Utah or target Utah consumers, have annual revenue of $25 million or more, AND meet one of two data processing thresholds: controlling or processing personal data of 100,000 or more consumers, or controlling or processing personal data of 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data. The UCPA includes a 30-day cure period and penalties of up to $7,500 per violation, enforced by the Utah Attorney General. In March 2026, Governor Cox signed HB 357, which extends the UCPA to motor vehicle manufacturers that collect, transmit, or store personal data through vehicle data collection systems — regardless of the standard revenue and consumer count thresholds. Starting with 2029 model year vehicles, manufacturers must provide in-vehicle privacy controls enabling consumers to view data collection categories, opt out of data sales and targeted advertising, and delete readily accessible data.

Applicability Thresholds

Conditions are joined by AND — ALL conditions must be met.

$25M+

Annual gross revenue

100,000+

Utah consumers' data processed

25,000+ consumers

AND 50%+ revenue from data sales

Consumer Rights

Right to Access

Right to Delete

Right to Correct

Data Portability

Opt-Out of Sale

Opt-Out of Targeted Ads

Opt-Out of Profiling

Limit Sensitive Data Use

Right to Appeal

Private Right of Action

Key Changes in 2025-2026

HB 357 signed March 19, 2026 — extends UCPA to motor vehicle manufacturers regardless of standard applicability thresholds, effective May 6, 2026
Motor vehicle manufacturers must provide in-vehicle privacy controls starting with 2029 model year vehicles (view data categories, opt out of sales/targeted ads, delete data)
HB 357 exempts certain safety and operational data from consent requirements
Motor Vehicle Division required to publish motor vehicle data privacy rights information and notify consumers during title transfers
Continued AG enforcement and guidance on UCPA compliance

Enforcement Details

Enforced By

Utah Attorney General

Penalty Per Violation

$7,500

Cure Period

30 days

Private Right of Action

No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsSexual orientationCitizenship or immigration statusBiometric data for identificationSpecific geolocation data

Universal Opt-Out / GPC Requirements

No Universal Opt-Out Requirement

The UCPA does not require businesses to honor universal opt-out mechanisms such as GPC. Utah took a business-friendly approach and does not mandate automated signal recognition.

Minor / Child Protections

The UCPA requires opt-in consent before processing personal data of known children under 13, consistent with COPPA. The law does not have additional specific protections for teens aged 13-17 beyond standard requirements.

Compliance Checklist

1Assess whether your organization meets BOTH the $25M revenue threshold AND a consumer data processing threshold
2Update privacy notices to include all UCPA-required disclosures
3Implement opt-out mechanisms for the sale of personal data and targeted advertising
4Obtain opt-in consent for processing sensitive personal data
5Establish processes to respond to consumer access, deletion, and portability requests within 45 days
6Review and update contracts with data processors to include UCPA-mandated provisions

Utah Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.