Author

Amanda Anderson

4As VP, Government Relations

Topic

  • Government Relations
  • Legislation
  • Privacy Law

Utah Becomes Fourth State to Enact a Comprehensive Privacy Law

On March 24, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA), enacting the country’s fourth comprehensive data privacy law. The law will take effect on December 31, 2023.

Similar in design to Virginia’s privacy law (“VCDPA”), the law will apply to entities (with some exceptions) that: 

  • Conduct business in Utah or produce a product or service targeted to Utah residents;
  • Have an annual gross revenue of over $25 million; and
  • Either (i) control or process the personal data of at least 100,000 residents or (ii) derive over 50% of their gross revenue from the “sale” of personal data and control or process the personal data of at least 25,000 Utah residents.

The UCPA provides consumers rights to access, delete, and confirm information collected about them by covered entities. The right to delete only applies to personal data provided by the consumer and not all data the controller has obtained about the consumer. The law also grants consumers data portability and a non-discrimination right. The law does not include a consumer right to correct inaccuracies in personal data.

Consistent with the VCDPA, the UCPA would provide Utah consumers with rights to opt out of the “sale” of their personal data and targeted advertising. However, it would not provide consumers with the right to opt out of certain “profiling” activities, distinguishing it from the VCDPA. The definitions of “sale” and “targeted advertising” generally follow the VCDPA’s approach, though “sale” is arguably narrower under the UCPA.

Similar to all other state privacy laws, the law grants enforcement to the Utah Attorney General, without any inclusion of a private right of action. Once a violation is referred to the Attorney General, there is a 30-day notice and cure period for violations with no sunset date. Notably different from other existing state laws, the UCPA does not require controllers to undertake data protection assessments for these (or any other) activities. Unlike California’s and Colorado’s laws, the UCPA does not require controllers to honor Global Privacy Control signals that enable users to opt out of the sale of personal data and targeted advertising on their browser instead of a site managed by the controller. 

Our updated state privacy law chart shows more details on how Utah’s law compares to other states.