Privacy Law Status

Your Rights as a Utah Resident

Under the Utah Consumer Privacy Act, Utah residents have specific rights regarding how businesses collect, use, and share their personal information. These rights apply to covered businesses that meet the law’s threshold requirements.

• Right to know what data is collected: You can request confirmation of whether a business is processing your personal data and obtain access to that information[3][8][11]. Businesses must respond to these requests within 45 days.
• Right to delete personal information: You can request deletion of personal data that you provided directly to the business[3][8][4]. Note that this right is more limited than in some other states, covering only data you provided rather than all data the business holds about you.
• Right to opt out of data sales: Businesses must provide a clear way for you to opt out of the sale of your personal data to third parties and the use of your data for targeted advertising[3][8][11].
• Right to correct inaccurate data: As of March 2025, Utah law includes the right to request correction of inaccurate personal information[7]. This was a recent addition that brings Utah in line with most other state privacy laws.
• Right to non-discrimination: Businesses cannot charge you different prices, provide different service levels, or deny services because you exercise your privacy rights[8][4]. However, businesses may offer different prices if you opt out of certain data uses, provided this is clearly disclosed.

These rights are enforceable through complaints to the Utah Division of Consumer Protection, which investigates violations and refers cases to the Attorney General’s office for potential enforcement action[3][8][11].

Business Requirements

The UCPA establishes specific obligations for businesses that fall under its scope, focusing on transparency and consumer control over personal data.

• Which companies must comply: The law applies to businesses that conduct business in Utah or target Utah residents, have annual revenue of $25 million or more, and either process personal data of 100,000 or more consumers annually or derive over 50% of gross revenue from data sales while processing data of 25,000 or more consumers[1][3][12].
• Notice and transparency requirements: Businesses must provide a reasonably accessible privacy notice detailing what personal data they collect, why they collect it, how consumers can exercise their rights, what data is shared with third parties, and which types of third parties receive the data[1][3][4].
• Consumer request response procedures: Companies must establish systems to receive, verify, and respond to consumer requests within 45 days, with a possible 45-day extension if necessary[8][11]. They may charge fees for excessive or repetitive requests after the first request in a 12-month period.
• Security and breach notification rules: Businesses must implement reasonable administrative, technical, and physical security practices to protect personal data confidentiality and integrity, and reduce foreseeable risks of harm to consumers[3][4]. The law also incorporates privacy-by-design principles including data minimization and purpose limitation[1].

The law includes broad exemptions for entities already regulated under federal laws, including HIPAA-covered entities, financial institutions under GLBA, and educational institutions under FERPA[1][3].

Practical Impact

• How these laws protect residents in daily life: The UCPA gives Utah residents more control over how companies use their personal information for marketing and advertising purposes. You can now opt out of data sales and targeted advertising, access information companies have collected about you, and request deletion of data you’ve provided. This is particularly useful when dealing with online retailers, social media platforms, and data brokers that previously operated with little transparency.
• What to do if rights are violated: If you believe a business has violated your privacy rights, you can file a complaint with the Utah Division of Consumer Protection through their online complaint system[3][13]. The Division investigates complaints and can refer cases to the Attorney General’s office for enforcement. However, you cannot sue companies directly for privacy violations, as Utah law does not include a private right of action[8][4][11].
• Limitations and gaps in protection: Utah’s law is considered more business-friendly than privacy laws in California, Colorado, or Virginia[5][10][8]. The enforcement process includes multiple layers and a 30-day cure period, which some experts say makes meaningful enforcement less likely. Additionally, many smaller businesses are exempt due to the high revenue and data processing thresholds, and the law doesn’t cover government entities (which are instead covered by the separate GDPA).

Comparison Context

• How Utah compares to leading privacy states: Utah’s UCPA most closely resembles Virginia’s privacy law and is generally considered less comprehensive than California’s CCPA or Colorado’s CPA[1][5][9]. Utah lacks some consumer protections found in other states, such as data protection impact assessment requirements for high-risk processing activities, and initially did not include a right to correct data (though this was added in 2025). The enforcement mechanism is also weaker, with no private right of action and a business-friendly cure period.
• What residents might be missing compared to other states: Unlike California residents, Utah consumers cannot sue companies directly for privacy violations and cannot opt out of automated decision-making or profiling[5][8]. The law also doesn’t require companies to conduct privacy risk assessments for sensitive data processing. Utah residents also have more limited deletion rights compared to other states, as they can only request deletion of data they provided directly to companies, not all data companies hold about them[8][9].

Action Steps for Residents

• Immediate steps to protect privacy: Review privacy policies of services you use regularly, especially social media platforms, online retailers, and mobile apps. Look for opt-out links for data sales and targeted advertising, which businesses must provide clearly and conspicuously. Consider using privacy-focused browsers and enabling “Do Not Track” settings, though note that Utah law doesn’t require businesses to honor universal opt-out signals.
• How to exercise legal rights: Contact businesses directly to request access to your data, request deletion of data you provided, or opt out of data sales and targeted advertising. Most companies will have online forms or email addresses for privacy requests. If you don’t receive a response within 45 days or believe your rights are being violated, file a complaint with the Utah Division of Consumer Protection at their official website or by calling (801) 530-6601[13].
• Resources for staying informed: Monitor the Utah Attorney General’s office for enforcement updates and guidance documents. Watch for legislative developments, as Utah lawmakers have shown willingness to strengthen the privacy law based on implementation experience. The Attorney General is required to report on the law’s effectiveness by July 2025, which may lead to further improvements[4][9].

Official Resources and Contact Information

Utah State Legislature

To contact your state representatives about privacy issues or to stay informed about upcoming privacy legislation, visit the Utah Legislature website at https://le.utah.gov[14]. You can find your specific legislators by entering your address and zip code using the “My Legislators” tool on their website. The Utah Senate can be reached at (801) 538-1035, and the Utah House of Representatives at (801) 538-1029[14].

Privacy Law Enforcement and Consumer Protection

The Utah Division of Consumer Protection handles consumer privacy complaints under the UCPA. You can file complaints online or contact them at (801) 530-6601 during normal business hours[13]. Their complaint system is available at https://db.dcp.utah.gov/complaints.html, though you should not use the complaint form for general questions[13]. For information about the UCPA and your consumer rights, visit https://dcp.utah.gov/ucpa/[3].

The Utah Attorney General’s office, which has exclusive enforcement authority for UCPA violations, can be reached at 350 N State Street, Suite 230, Utah Capitol Building, Salt Lake City, UT 84114[15]. The main phone number is (801) 366-0260[16]. You can also visit their website for updates on privacy enforcement actions and guidance for businesses and consumers.

Governor’s Office

For broader policy questions or to provide input on privacy-related executive actions, contact the Governor’s Office at 350 State Capitol Building, Suite E220, Salt Lake City, Utah 84114, or call (801) 538-1000[17]. The Governor’s office plays a key role in signing privacy legislation and setting statewide policy priorities.

Legislative Updates and Public Comment

Utah residents can stay informed about upcoming privacy legislation by monitoring the Utah Legislature website and signing up for bill tracking notifications. During legislative sessions (typically January through March), citizens can provide public comment on proposed bills through committee hearings and public input processes detailed on the legislature’s website[14]. The legislature’s session information and committee schedules are regularly updated at https://le.utah.gov.

Sources and Citations

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.