Utah Consumer Privacy Act (UCPA)
Utah's comprehensive privacy law — the most business-friendly among early state laws, with the highest applicability thresholds and narrowest set of consumer rights. No DPIA, no UOOM, no profiling opt-out.
Overview
The Utah Consumer Privacy Act (UCPA), codified at Utah Code Ann. § 13-61-101 et seq. and enacted as SB 227 (2022), became effective December 31, 2023. Utah designed the most business-friendly comprehensive privacy law in the U.S.: highest thresholds, narrowest rights, no DPIA obligation, no UOOM mandate, and a permanent 30-day cure period.
Applicability is gated by three cumulative conditions, not alternatives — unique among state laws:
- $25 million+ in annual revenue (prerequisite), AND
- One of: 100,000+ Utah consumers processed annually, OR 25,000+ consumers AND 50%+ gross revenue from data sales.
The revenue precondition means many mid-sized companies that would be covered elsewhere fall outside UCPA entirely.
Exemptions mirror the VCDPA template: HIPAA, GLBA, non-profits, higher-ed, FCRA/DPPA/FERPA/COPPA, employee/B2B, regulated utilities.
Consumer Rights
- Right to access personal data
- Right to delete (limited to data the consumer provided — not inferred data)
- Right to data portability
- Right to opt out of sale and targeted advertising
- Right to correct — not available until the scheduled July 2026 amendment
- Right to opt out of profiling — not granted at all (unique omission)
No formal right of appeal. A July 2026 amendment adds correction and expands portability to cover social-media data transfers between platforms.
Compliance Requirements
Controllers must publish a privacy notice and obtain opt-in consent for processing sensitive data (race, religion, sexual orientation, citizenship, genetic/biometric identifiers, precise geolocation, minors under 13). DPIAs are not required. UOOM/GPC is not required. Utah operates as pure notice-and-choice with no intrinsic minimization language.
Processor contracts are required but the list of mandatory clauses is shorter than Virginia's.
Cure Period + Enforcement
The Utah AG and Division of Consumer Protection share investigative authority; the AG brings actions. Penalties reach $7,500 per violation. The 30-day cure period is permanent — no sunset clause. This is the most permissive enforcement environment among comprehensive state laws.
How Inori Addresses This
Because Inori implements the stricter CTDPA/CPA/VCDPA controls across all U.S. users, UCPA compliance is satisfied a fortiori:
- Notice: src/content/legal/privacy.mdx v1.2 covers UCPA disclosures.
- DSAR: /api/dsar accepts access, deletion, and portability with a 30-day SLA. Correction requests are already accepted (anticipating Utah's July 2026 addition).
- Opt-outs: No sale occurs; GPC is honored via middleware.ts:respectGpc even though Utah does not require it — part of Inori's multi-state posture.
- Sensitive data: Not collected; no opt-in gate is required.
- Deferred: Profiling opt-out is not shipped because Utah does not grant the right; the feature will be built when adjacent states (CO, CT, VA) drive a broader requirement.
Related Concepts
See CCPA/CPRA and VCDPA for baseline models, GPC for the signal Utah does not require but Inori honors anyway, and DSAR for the request pipeline. TDPSA sits at the opposite extreme — no thresholds at all.