UCPA: Utah Consumer Privacy Act Compliance
What is the UCPA?
The Utah Consumer Privacy Act (UCPA) came into effect December 31, 2023. The law gives consumers in Utah the right to know if a business is processing their personal data, to access and have that data deleted, and to opt out from their data being sold. The UCPA is considered one of the more “business-friendly” state-level privacy laws.
Visit the common UCPA questions and answers
COMPLIANCE
How to comply with the Utah data privacy law?
Companies operating in Utah must reduce the risk of harm by protecting the confidentiality and integrity of data they collect and process. They must also provide clear, accessible privacy notices explaining data practices and how consumers can opt out of data sales and targeted advertising. Prior consent must be obtained for processing children’s data.
RISKS
What are the consequences of UCPA noncompliance?
If a controller or processor fails to resolve, or repeats the violation after providing a written statement to the contrary, the Attorney General can initiate an enforcement action, including damages and fines up to USD 7,500 per violation. However, the Division of Consumer Protection is responsible for administering consumer complaints and has the authority to investigate alleged violations.
your questions answered
Contact our expert team
We’re happy to answer questions about data privacy, compliant marketing operations, and the UCPA. Usercentrics’ Consent Management Platform helps you build trust and avoid penalties. Learn more today.
- Interested in how privacy compliance benefits user experience and your marketing strategies?
- Not sure if your business is privacy-compliant in Utah?
- Need clarity on what your company’s compliance responsibilities are?
- Looking to partner with us?
Learn more
Frequently asked questions
What are consumer rights under the UCPA?
Under the Utah Consumer Privacy Act (UCPA), consumers are granted four main rights:
- Right to access: confirming whether a controller is processing their data, and the ability to request and receive that data
- Right to deletion: if the data subject directly provided the data to the controller, they can request its deletion
- Right to portability: obtain a copy of their personal data from the controller in a reasonably readily usable format, which can be transmitted to another controller
- Right to opt out: of processing for the sale of the personal data or targeted advertising
What are the penalties for UCPA noncompliance?
The Utah Attorney General enforces the Utah privacy law, and the Division of Consumer Protection administers consumer complaints and has authority to investigate alleged violations. There is a 30-day cure period with no sunset date.
In cases where punitive action is required, like if the controller or processor fails to resolve or repeats a violation after providing a written statement to the contrary, the Attorney General can initiate enforcement, including damages and fines up to USD 7,500 per violation.
What is UCPA compliance software?
UCPA compliance software enables companies that process personal data to meet requirements under the Utah data privacy law. These include providing consumers with information about data processing and exercising their rights, and obtaining user consent where required.
Can a consent management platform enable UCPA compliance?
A consent management platform (CMP) is a type of UCPA compliance software. A CMP enables companies to become compliant with the Utah privacy law on websites and apps. A CMP presents information to users about what tracking technologies are used to collect personal information. This enables users to make granular consent choices. A CMP also securely stores and documents consent information over time, and users can update their choices.