Utah Consumer Privacy Act

On December 31, 2023, the Utah Consumer Privacy Act is due to come into effect.

Laws relating to privacy and data are changing.

Don’t get caught out

Let us help you prepare

Who does it impact?

Any controller or processor who:

  • Conducts business in Utah or produces a product or service that is targeted to consumers who are residents of Utah
  • Has an annual revenue of $25,000,000 or more
  • Satisfies one or more of the following thresholds:
    • During a calendar year, controls or processes personal data of 100,000 or more consumers
    • Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers


Who is exempt?

  • Institutions of higher education
  • Nonprofit organizations
  • Covered entities and business associates pursuant to the Health Insurance Portability and Accountability Act
  • Financial institutions governed by the Gramm-Leach-Bliley Act
  • Government entities and contractors
  • Air carriers
  • Tribes
  • Other data exemptions apply.

Consumer Rights

The right to confirm whether a controller is processing the consumer’s personal data and access that data.

The right to delete the personal data that they provided to the controller. UCPA does not allow consumers to delete all the data a controller has about them. They can only delete the personal data that they provided themselves.

The right to obtain a copy of the personal data that they previously provided, in a format that is portable to the extent technically feasible, is readily usable to the extent practicable, and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.

The right to opt out of the processing of their personal data for the purposes of targeted advertising or the sale of personal data.


The Utah attorney general is responsible for enforcing the Utah Consumer Privacy Act. The Division of Consumer Protection will receive customer complaints and will investigate whether alleged violations have merit. If the director of the division believes substantial evidence of a violation exists, it will be referred to the attorney general. If action is to be taken, written notice must be given to the controller or processor involved. The controller or processor then has 30 days to cure the alleged violation. They must provide the attorney general with a written statement that the violation has been cured and no further violations will occur.
Should a controller or processor fail to cure a violation, they may face damages and fines of up to $7,500 per violation.

Value Privacy are on hand to make sure your business is compliant with data and privacy regulations. Whether you need a privacy health check or you want help to make sure you and your business are ready for the arrival of the Colorado Privacy Act, we’re here to help. You can find out more about what we do or contact us and have a chat about your needs.