29 March 2022

Hello, Utah Consumer Privacy Act!

Squire Patton Boggs LLP


Squire Patton Boggs LLP
The Utah Consumer Privacy Act ("UCPA") was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA's progress throughout this legislative session.
United States Privacy
To print this article, all you need is to be registered or login on

The Utah Consumer Privacy Act ("UCPA") was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA's progress throughout this legislative session.

Effective Date

December 31, 2023.


In comparison to other state laws, the UCPA's applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:

  1. Do business in the state or targeting residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Data collection, processing, or sale/revenue thresholds.

Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.

In comparison, under the CCPA/CPRA, covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers' personal information). The CDPA and CPA do not have revenue thresholds.


The UCPA establishes the Department of Commerce Division of Consumer Protection ("Division"), which will receive and investigate consumer complaints alleging violations of the UCPA. Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General ("AG"), who has exclusive authority to enforce the UCPA. The AG may initiate an enforcement action based on the referral against a controller or process that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violations have a 30-day cure period. After, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing. The AG may seek up to $7,500 for each violation.


The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025 that evaluates liability and enforcement provisions and details summary of data protected (and not) by UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, Division, or other agency to carry out rulemaking in the meantime.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More