U.S. Consumer Data Privacy Law Guide: Utah

Professionals

Name / Keyword Office Practice Industry Language Show All
Practices

Antitrust and Competition Law

Business and Corporate

Construction

Cross-Border Business

Data Protection, Privacy and Cybersecurity

Emerging Companies

Environment, Social and Governance (ESG)

Environmental, Sustainability, and Product Stewardship

Financial Services

Government Enforcement and Investigations

Government Relations and Public Policy

Health Law

Hospitality

Immigration

Intellectual Property

Labor & Employment

Litigation

Mergers and Acquisitions

Product Liability, Class Action and Mass Tort

Real Estate

Securities

Tax

Technology

Transportation and Logistics
Industries

Automotive

Aviation

Construction

Disaster Recovery and Government Services

Drug, Device and Life Sciences

Education

Energy

Financial Services

Food and Beverage

Gaming

Governmental Entities

Health Care

Hospitality

Manufacturing

Real Estate

Retail

Seniors Housing and Long Term Care

Technology

Telecommunications

Transportation and Logistics
Experience

Featured Case Study
Community Healthcare Trust Incorporated Community Healthcare Trust Incorporated More Case Studies

Search Experience
Keywords Practice Industry
News & Events

Professionals
Practices
Industries
Experience
News & Events
Other Pages

Quick Results

View More Results

U.S. Consumer Data Privacy Law Guide: Utah

This state-specific guide covers data privacy law, rules, and regulations that professionals and clients often encounter or have questions about in Utah.

Last updated: January 2025

Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.

Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.

The Utah Consumer Privacy Act (UCPA)

Effective Date: December 31, 2023

1. Applicability Thresholds:

Subject to certain entity-level and data-level exemptions, the UCPA applies to an individual or legal entity conducting business in Utah or producing products/services targeted to Utah residents (consumers):

having $25 million or more in revenue; and
controlling or processing:
- 100,000+ Utah consumers' personal data (during a calendar year); or
- 25,000+ Utah consumers' personal data and derive more than 50 percent of its revenue from the sale of personal data.

2. Key Definitions:

Sales of Personal Data: Narrowly defined as "the exchange of personal information for monetary consideration by a Controller to a third party," subject to certain exemptions.

3. Business Obligations:

The UCPA imposes additional obligations on persons who, alone or jointly with others, determine the purpose and means of processing personal information (Controller):

Data Processing Agreement (DPA): Processing activities by a supplier on the Controller's behalf (Processor) shall be governed by a DPA between the Controller and Processor.
Data Protection Assessment: None.
Privacy Notice: Yes, a Controller must provide consumers with a privacy notice that is reasonably accessible and clear, and disclose a list of required information.
Data Minimization and Purpose Limitation for Data Processing: The UCPA is a notable outlier that does not expressly provide for data minimization requirements.
Universal Opt-out Mechanism: None.

4. Consumer Rights:

Subject to certain exceptions, a Utah consumer has the right to:

Confirm whether a Controller is processing its personal data, and access the categories of data being processed;
Notably, the UCPA does not provide consumers the right to correct inaccuracies in their personal data;
Delete personal data in a readily usable format, which is narrowly scoped and limited to those provided by the consumer to the Controller;
Obtain a copy of their personal data, which is narrowly scoped and limited to those provided by the consumer to the Controller; and
Opt-out of data processing for targeted advertising and sales of personal data, but not for profiling.

5. Enforcement and Penalties:

Private Right of Action: None.

Penalties: Up to $7,500 per violation in civil penalties. The Utah attorney general may also recover actual damages to the consumer.

Cure Period: There is a 30-day cure period; unlike some states, this is a permanent cure period that does not have a cutoff date.

U.S. Consumer Data Privacy Law Guides

Key Contact

Vivien F. Peaden, AIGP, CIPP/US, CIPP/E, CIPM, PLS

T: 678.406.8722

Email Professional

Related Practices

Resources

Download PDF version

Have Questions?
Let's Talk!

To contact a Baker Donelson Privacy Professional, click above to email us.

Search By Last Name

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Baker Donelson is a national law firm with more than 650 attorneys and public policy advisors representing more than 30 practice areas to serve a wide range of legal needs. Clients receive knowledgeable guidance from experienced, multi-disciplined industry and client service teams, all seamlessly connected across 24 offices in Alabama, Florida, Georgia, Louisiana, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Texas, Virginia, and Washington, D.C.