
Utah Consumer Privacy Act (UCPA)

The recent surge in state-level data privacy legislation in the US reflects modern realities. Growing public concerns over privacy scandals and active consumer lobbying are driving state legislatures to pass stronger data privacy laws.

While the American Data Privacy and Protection Act is under proposal, the US currently lacks a single federal data privacy regulation like the EU’s GDPR. States like Utah are modeling their efforts on other states, such as California and Virginia, which have already enacted strong privacy laws.

Rapid advances in technology, especially AI, are creating new privacy challenges that existing laws cannot address. New state data privacy laws recognize that an individual’s personal information deserves protection. As public awareness increases, expect to see more states consider and pass similar legislation.

This guide is one in a series of articles focusing on data privacy regulations in various US states. It explores the ins and outs of Utah’s data privacy law, including consumer rights, enforcement mechanisms, compliance requirements, and exemptions.

What is the Utah Consumer Privacy Act?

The Utah Consumer Privacy Act (UCPA) went into effect on December 31, 2023. It grants Utah consumers more control over their personal information. It also outlines obligations for businesses that operate in the state, dictating how they collect, process, store, and share consumer data.

The Utah Consumer Privacy Act shares many similarities with other state privacy laws. However, it has fewer consumer rights provisions and places less restrictive burdens on businesses. For instance, California’s CCPA includes a broad range of consumer rights that the Utah privacy act does not, such as the ability to correct inaccurate personal information.

Consumer Rights Under the Utah Consumer Privacy Act

Utah consumer protection laws grant consumers several fundamental rights over personal information, including:

  • Right to access. Upon request, consumers can confirm whether a business is processing their personal data and gain access to that data. The requested data must be in a readable and portable format.
  • Right to delete. A consumer can request that a company delete any personal information the consumer has provided to the business. This right does not extend to all types of data collected from third-party sources.
  • Right to data portability. Consumers can receive a copy of their data in a format easily transferred to another company or service.
  • Right to opt out. Consumers can withdraw consent for targeted advertising and the sale of personal data to third parties. However, businesses are not required to offer an opt-out for data-based profiling.
  • Right to non-discrimination. Businesses cannot discriminate against consumers who choose to exercise their privacy rights. They cannot deny services, charge different prices, or alter service quality based on a consumer’s decision to opt out.

Enforcement of the Utah Consumer Privacy Act

Some state privacy laws allow consumers to sue businesses directly for violations. Because the UCPA is enforced exclusively by the state’s attorney general, violations in the state are handled differently:

  • When the attorney general identifies a potential violation, the business is given a 30-day “cure period” to address and correct the issue.
  • Businesses failing to correct a violation within 30 days are subject to civil penalties of up to $7,500 per violation.
  • Collected penalties are deposited into a Consumer Privacy Account funding privacy-related initiatives in the state.

This enforcement model is less aggressive than laws like the CCPA, which allows consumers to file private lawsuits in some instances. Instead, all businesses are given sufficient time to correct compliance issues before facing legal consequences.

Who Must Comply with the Utah Consumer Privacy Act?

Not every business operating in Utah is required to comply with the UCPA. By applying the law only to companies meeting specific thresholds, the legislation aims to prevent placing undue burden on SMBs and startups.

Businesses must comply if they:

  • Conduct business in Utah or market products or services to the state’s residents.
  • Have annual revenue of at least $25 million.
  • Meet one of these thresholds: process the personal data of 100,000 or more consumers annually; generate over 50% of gross revenue from the sale of personal data; or process data from a minimum of 25,000 consumers.

Businesses not meeting these thresholds are not subject to UCPA requirements.

Exemptions to Utah Consumer Privacy Act Compliance

UCPA exemptions help prevent regulatory overlap and ensure businesses subject to federal privacy laws aren’t unnecessarily burdened. The exemptions are based on either the type of organization or the nature of the data being processed and include:

  • Organizational exemptions. Government entities, state agencies, tribal nations, higher education institutions, and nonprofit organizations do not need to comply with the UCPA.
  • Data-specific exemptions. The UCPA does not apply to personal data already protected under federal law, including health data (HIPAA), financial data (Gramm-Leach-Bliley Act), credit information (Fair Credit Reporting Act), and education records (Family Educational Rights and Privacy Act).
  • Employment exceptions. The UCPA does not apply to job applications, resumes, employee records, or data collected for hiring and workforce management.

How Does the UCPA Compare to Other Privacy Laws?

Compared to other state privacy laws—like California’s CCPA or the Virginia Consumer Data Protection Act (VCDPA)—Utah’s legislation is considered one of the country’s more business-friendly privacy laws.

Key differences between UCPA and other state laws include:

  • No private right of action. Utah consumers cannot sue businesses directly.
  • No universal opt-out. Utah consumers cannot use a global opt-out mechanism to automatically stop data collection and sales.
  • Limited consumer rights. Utah consumers cannot request corrections to their personal data.
  • Narrower scope. The UCPA applies only to businesses meeting specific high-level data processing and revenue thresholds.

Utah’s Data Breach Notification Law

Utah’s Data Breach Notification Law (DBNL) and the Utah Consumer Privacy Act (UCPA) are separate laws with distinct purposes. However, they both relate to data privacy and security.

Initially passed in 2006 and codified under the state’s Protection of Personal Information Act, the DBNL requires organizations to safeguard sensitive data and promptly notify affected individuals when a security breach occurs. Breach notification requirements were updated in May 2024. They now specify the content that must be reported to the state’s attorney general and cyber center.

Key provisions of the breach notification law are:

  • Definition of personal information. This includes an individual’s first name (or initial) and last name combined with any unencrypted data elements like Social Security numbers, driver’s license numbers, state ID card numbers, financial account numbers, and security or access codes.
  • Breach definition. “Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.”
  • Notification requirements. Affected residents must be notified “in the most expedient time possible without reasonable delay.” Breaches affecting 500 or more state residents must be reported to the Utah Attorney General’s office and the Utah Cyber Center. Notifications must include the breach’s date, when the breach was discovered, the total number of affected individuals, the type of personal information involved, and a brief description of the breach.
  • Third-party data management. Upon a breach’s discovery, data owners must be immediately notified by third-party entities maintaining their personal information.
  • Penalties for non-compliance. Civil fines of up to $2,500 for each individual violation, with a maximum aggregate penalty of $100,000 for related violations that involve multiple consumers.

In summary, the UCPA prevents misuse of personal data by giving consumers control over how businesses collect, use, and share their information. The DBNL ensures that if a business experiences a data breach, it will notify affected individuals and authorities in a timely manner. Organizations doing business in Utah should familiarize themselves with these requirements to ensure compliance and protect the personal information of the state’s residents.

How Technology Can Help Navigate Multi-State Privacy Requirements

As Utah joins the growing number of states with comprehensive privacy laws, businesses face unique challenges in managing compliance across different jurisdictions. Utah’s business-friendly approach, combined with its specific thresholds and exemptions, adds another layer to an already complex regulatory landscape.

Velotix’s data access platform helps organizations navigate these complexities by providing:

  • Dynamic policy management. Automatically adapt access policies as your business enters new states or as regulations change, without needing to rewrite underlying permissions.
  • Unified compliance framework. Manage multiple state privacy requirements through a single platform, reducing the complexity of maintaining separate compliance systems.
  • Real-time enforcement. Ensure that data access decisions align with the latest regulatory requirements and consumer opt-out requests across all jurisdictions.
  • Scalable implementation. As privacy laws continue to evolve and expand across states, the platform grows with your compliance needs without requiring extensive reconfiguration.

This automated approach to managing data access helps businesses stay compliant with Utah’s privacy law while being prepared for future regulatory changes or expansion into new markets.
