UCPA

Utah Consumer Privacy Act

Key Facts

Effective Date: December 31, 2023
Enacted: March 24, 2022
Enforcing Authority: Utah Attorney General; Utah Division of Consumer Protection
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: Entities with $25M+ annual revenue AND (100,000+ consumers OR 25,000+ consumers and 50%+ revenue from selling PI)

Overview

The UCPA is the most business-friendly US state comprehensive privacy law, requiring both a $25M+ revenue threshold and a data volume threshold. This dual-threshold approach means significantly fewer businesses fall under its scope compared to other state laws.

What This Means for Your Website

  • Opt-in consent is needed for sensitive data processing
  • Consumers can access, delete, and port their data, and opt out of sale and targeted advertising
  • No right to correct data or opt out of profiling — narrower consumer rights than most states
  • A permanent 30-day cure period applies before enforcement

Key Requirements

The Utah AG and Division of Consumer Protection enforce the UCPA with penalties up to $7,500 per violation. Consumer requests must be fulfilled within 45 days. The dual threshold ($25M+ revenue AND data volume requirements) creates the highest bar for applicability among US states.

How ConsentStack Handles This

ConsentStack detects Utah visitors and applies the UCPA's opt-out model with opt-in for sensitive data categories.

Penalties

Up to $7,500 per violation.

Maximum Fine: USD 7,500 per violation

Key Requirements

  • Privacy notice disclosing data practices
  • Opt-in consent for sensitive data
  • Consumer rights: access, delete, portability, opt out of sale and targeted advertising
  • 45-day response window for consumer requests
  • Reasonable data security practices

Notable Provisions

  • Most business-friendly US state privacy law
  • Dual threshold (revenue + data volume) is unique
  • No right to correct data or opt out of profiling

US State Specifics

Cure Period: 30 days
Private Right of Action: No
Global Opt-out Required: No
Sensitive Data Opt-in: Yes
Children Provisions: Data of children under 13 is treated as sensitive and requires opt-in consent.

Other North America Regulations

CPRA: California, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDA: Canada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25: Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSA: Texas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPA: Colorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
MODPA: Maryland, United States
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

What makes the UCPA unique?

The UCPA requires both a revenue threshold ($25M+) and a data volume threshold — the highest dual applicability bar among US state privacy laws.

Does Utah require a right to correct data?

No. The UCPA does not include a right to correct personal data, making it narrower than most US state privacy laws.

What is the UCPA cure period?

30 days — permanent, meaning it does not sunset. Businesses have 30 days to fix violations before enforcement action.
