Utah Privacy Law (UCPA) Compliance Guide for Small Businesses
Utah UCPA requires $25M+ revenue AND 100,000+ Utah consumers (AND logic). It is among the most business-friendly state privacy laws.
Utah Privacy Law (UCPA): What Small Businesses Need to Know
The Utah Consumer Privacy Act (UCPA) took effect December 31, 2023, and applies to any business with annual revenue of $25 million or more AND processing the personal data of 100,000 or more Utah consumers in a calendar year. The threshold logic is AND, not OR — both conditions must be met. UCPA is widely regarded as the most business-friendly comprehensive state privacy law in the country: it grants narrower consumer rights than other state laws, has no right to correction, has limited deletion rights, requires no data protection assessments, and provides a 30-day cure period before any enforcement. The Utah Attorney General is the sole enforcement authority. UCPA is the model for businesses preferring narrow scope and minimal operational burden.
Does UCPA Apply to My Business?
UCPA applies to any controller that conducts business in Utah or produces products or services targeted to Utah residents AND meets all of the following:
- Has annual revenue of $25 million or more, AND
- Either controls or processes personal data of 100,000 or more Utah consumers during a calendar year, OR controls or processes personal data of 25,000 or more Utah consumers AND derives more than 50% of gross revenue from the sale of personal data.
The threshold logic is AND for the revenue requirement — businesses below $25 million in annual revenue are not in scope regardless of their Utah consumer count. This is structurally similar to Tennessee TIPA and very different from Texas TDPSA, Virginia VCDPA, and most other state privacy laws.
| Threshold | Utah UCPA | Tennessee TIPA | CCPA/CPRA |
|---|---|---|---|
| Revenue | $25M+ (required) | $25M+ (required) | $25M+ |
| Consumer count | 100,000 | 175,000 | 100,000 |
| Threshold logic | AND | AND | OR |
Utah accounts for roughly 1.0% of the US population. Reaching 100,000 Utah consumers requires approximately 10 million annual unique US visitors on a population basis. Combined with the $25 million revenue requirement, UCPA applies to a meaningfully smaller set of businesses than most other state privacy laws.
What Does UCPA Require?
UCPA grants Utah consumers a narrower set of rights than most other state privacy laws. The omissions are intentional and reflect the law's business-friendly design.
Consumer rights you must honor. Consumers may access their personal data, delete personal data they provided, obtain a copy in a portable format, and opt out of the sale of personal data and targeted advertising. UCPA does not grant a right to correction, does not grant a right to opt out of profiling, and the deletion right is more limited than under other state laws. The response deadline is 45 days, with one possible extension.
Disclosures you must publish. Privacy notice covering categories of personal data processed, purposes, third-party sharing categories, and instructions for exercising rights.
Operational practices you must implement. Establish reasonable security practices. Obtain affirmative opt-in consent before processing sensitive personal data. UCPA does not require data protection assessments, does not require honoring universal opt-out signals, does not require an appeals process for denied rights requests, and does not include any of the operational obligations that make Virginia VCDPA, Colorado CPA, and other state laws more demanding.
How UCPA Affects Small Businesses
UCPA's high thresholds and narrow consumer rights mean that for most small businesses, UCPA is not a significant compliance concern. If your annual revenue is below $25 million, UCPA does not apply regardless of consumer count. If you do not reach 100,000 Utah consumers, UCPA also does not apply.
For Shopify merchants and direct-to-consumer brands below the $25 million revenue line, UCPA requires no compliance work. The compliance focus should be on the state laws that do apply — Texas TDPSA, Virginia VCDPA, Connecticut CTDPA, and the others with broader consumer-count-only thresholds.
For businesses that are in scope (above $25 million revenue with substantial Utah distribution), UCPA compliance is the simplest of any state privacy law. The omissions of correction rights, profiling opt-outs, data protection assessments, and appeals processes substantially reduce the operational burden compared to Virginia, Colorado, or Connecticut.
Key Differences from Other State Privacy Laws
UCPA stands out as the most business-friendly comprehensive state privacy law on multiple dimensions:
AND threshold logic. UCPA requires both the revenue threshold and the consumer count threshold to be met. This is shared only with Tennessee TIPA and Florida FDBR.
No right to correction. UCPA does not grant consumers a right to correct inaccurate personal data. Iowa ICDPA is the only other state privacy law that omits this right.
Limited deletion rights. UCPA's deletion right is narrower than most state laws — it covers only personal data the consumer themselves provided to the business, not data inferred or obtained from third parties.
No profiling opt-out. UCPA does not grant consumers the right to opt out of profiling or automated decision-making. Virginia, Texas, Colorado, Connecticut, and most other state laws include this right.
No data protection assessments. UCPA does not require businesses to conduct or document data protection assessments for high-risk processing.
No appeals process. UCPA does not require an appeals workflow for denied rights requests.
No universal opt-out signal mandate. UCPA does not require honoring GPC.
Compared to California CCPA/CPRA, UCPA is dramatically narrower in every dimension. CCPA grants more rights, has more enforcement mechanisms, requires GPC handling, and uses OR logic for thresholds. Compared to Iowa ICDPA, UCPA is similarly narrow in consumer rights but uses AND logic where Iowa uses OR.
How to Comply with UCPA
If UCPA applies to your business — meaning you have $25M+ in revenue AND 100,000+ Utah consumers — the following steps establish baseline compliance.
- Confirm scope. Verify that you meet both the $25 million revenue threshold and the 100,000 Utah consumer threshold. If you do not meet both, UCPA does not apply.
- Update your privacy notice with categories, purposes, third-party sharing, and rights instructions. Utah's required disclosures are minimal compared to other states.
- Add opt-out mechanisms for targeted advertising and sale of personal data. UCPA does not require profiling opt-outs.
- Build a consumer rights request workflow with the 45-day response deadline tracked. The workflow only needs to handle access, deletion (limited), and portability — no correction or profiling opt-outs.
- Implement opt-in consent for sensitive data.
- Document reasonable security practices appropriate to data volume.
- Skip data protection assessments and appeals processes if Utah is your only obligation. If you handle requests from multiple states, build the broader workflow once.
UCPA Enforcement and Penalties
The Utah Attorney General has exclusive enforcement authority for UCPA. There is no private right of action — Utah consumers cannot sue businesses directly. The AG may seek civil penalties of up to $7,500 per violation.
UCPA includes a permanent 30-day cure period before formal enforcement. The AG must provide written notice of the alleged violation, and the business has 30 days to fix the issue and provide a written statement to the AG. If cured within 30 days, the AG may not bring an action for that specific violation. This permanent cure period is more protective than the discretionary or sunset-based regimes in California, Colorado, and Connecticut.
The Utah AG has been minimally active on UCPA enforcement since the law took effect, consistent with the law's business-friendly design and the small number of businesses in scope.
Frequently Asked Questions
Is Utah privacy law easier to comply with than CCPA?
Generally yes. Utah uses AND logic (both $25M revenue AND 100K Utah consumers required), meaning fewer businesses are in scope. It also grants fewer consumer rights than CCPA — no right to correction, limited deletion rights, and no right to opt out of profiling. UCPA does not require honoring GPC, conducting data protection assessments, or building an appeals process.
When did Utah's privacy law take effect?
Utah's Consumer Privacy Act (UCPA) took effect December 31, 2023. The Utah Attorney General is the sole enforcement authority.
Does UCPA grant a right to correction?
No. UCPA is one of only two state privacy laws (alongside Iowa ICDPA) that does not grant consumers a right to correct inaccurate personal data. Every other comprehensive state privacy law includes this right.
Does UCPA require honoring universal opt-out signals?
No. UCPA does not mandate honoring GPC or other universal opt-out browser signals. This is consistent with the law's business-friendly design.
What are the penalties for UCPA violations?
The Utah AG can seek civil penalties of up to $7,500 per violation. There is no private right of action. UCPA includes a permanent 30-day cure period — if the business fixes the violation within 30 days of notice, the AG cannot bring an action for that violation.
Does UCPA apply to my Shopify store?
UCPA only applies if your business has $25 million or more in annual revenue AND processes data from 100,000 or more Utah consumers annually. Both conditions must be met. Most Shopify merchants are well below the $25 million revenue threshold and are therefore not in scope under UCPA.
This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.