What Your Business Needs to Know About the Utah Consumer Privacy Act

March 26, 2022

As of March 24th, 2022 the newest US state data privacy law is the Utah Consumer Privacy Act. The act was signed into law by governor Spencer J. Cox. This makes Utah the fifth state to pass its own privacy law, instead of waiting for the federal government to enact a national law similar to Europe’s GDPR.

We are still expecting other comprehensive privacy laws to pass across the United States this year.

The Utah Consumer Privacy Act is similar to California, Nevada, Virginia, and Colorado state privacy laws, and gives consumers the right to:

  • access and delete personal data maintained by certain businesses;
  • opt out of the collection and use of personal data for certain purposes;
  • requires some businesses to safeguard data, and provide transparency to consumers about how they collect and use data;
  • comply with a consumer’s request to exercise rights under the law;
  • provides consumers with the right to know what data a business collects, how it uses personal data and whether it sells the data;
  • requires a business to delete a consumers’ personal data or stop selling the data (with certain exceptions);
  • provides the Division of Consumer Protection jurisdiction to investigate consumer complaints regarding the processing of personal data; and
  • authorizes the Office of the Attorney General to enforce the law and impose penalties for violation.

The new privacy law includes broad definitions of personal and sensitive data, and requires controllers of data to provide notice to consumers of collection of personal data, and practice data minimization with appropriate security measures in place to protect personal data after collection.

The law provides authority to the Attorney General to enforce its provisions and to seek recovery for actual damages of any consumer, and $7500 per violation per law. 

The new law becomes effective on December 31, 2023 and is expected to impact companies around the globe that collect personal information from the citizens of Utah.

How Businesses are Preparing for UCPA

To get your organization ready for the Utah Consumer Privacy Act, first check if your company is in scope of the law. Companies who are in scope of the new privacy law must have an annual revenue of at least $25 million, and do business or market their product and service to Utah residents.

Additionally, the entity must either process or control data of at least 100,000 Utah Residents or derive at least half of its gross revenue from the sale of personal data and control the data of at least 25,000 consumers.

After you’ve confirmed your business is in scope, the other key components you will need to consider for your privacy program are:

  • Updating your privacy policy
  • Provide customers with an opt-out of targeted advertising
  • Build out an internal mapping of your systems and processes that collects personal data
  • Create workflows for responding to data subject requests.

About Opsware

If your organization is getting ready for the Utah Consumer Privacy Act, or other privacy laws, Opsware can help you orchestrate and maintain compliance.

Opsware makes privacy compliance impossibly simple with our turn-key data mapping automation tool and our automated data subject request workflows.

Book a demo today

Get a free, no-pressure demo of our software.


Peter Barbosa