Utah was the fourth state in the U.S. to pass a comprehensive consumer privacy law, with the Utah Consumer Privacy Act (UCPA) taking effect on December 31, 2023. The UCPA gives Utah residents meaningful control over their personal data — and a major amendment in July 2026 adds a new right to correct inaccurate data. Here's everything Utah residents need to know.
What is the Utah Consumer Privacy Act?
The UCPA (Utah Code § 13-61) is a state-level consumer privacy law that applies to businesses that:
- Have annual revenue of $25 million or more, and
- Conduct business in Utah or target Utah residents, and
- Either process the personal data of 100,000+ Utah consumers, or derive over 50% of gross revenue from selling the data of 25,000+ Utah consumers
The UCPA is more business-friendly than neighboring state laws
Compared to California (CCPA/CPRA), Colorado (CPA), and Oregon (OCPA), the UCPA is narrower in scope. It applies only to larger businesses, exempts more data types, and initially lacked a right to correct. However, the 2026 amendment brings Utah closer in line with peer states.
Your rights under the UCPA
Utah residents have the right to:
- Access — Know what personal data a business has collected about you
- Delete — Request deletion of data you provided to the business
- Portability — Receive a usable, portable copy of your data
- Opt out of sale — Stop the sale of your personal data
- Opt out of targeted advertising — Stop profile-based advertising
- Correct (effective July 1, 2026) — Request correction of inaccurate personal data
What's new in July 2026
The right to correct
The original UCPA was the only early comprehensive state privacy law without a right to correct. A legislative amendment passed in 2025 adds this right effective July 1, 2026. Starting then, Utah residents can request that businesses correct inaccurate personal data held about them. Businesses have 45 days to comply.
Sensitive data consent
The UCPA requires businesses to provide notice and an opt-out before processing "sensitive data," which includes:
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Citizenship or immigration status
- Medical or health information
- Genetic or biometric data processed for identification
- Precise geolocation data
UCPA uses "opt-out," not "opt-in"
Unlike the EU's GDPR or California's CPRA, the UCPA uses an opt-out model for sensitive data. Businesses can collect it by default and merely need to provide a way to stop — unlike opt-in laws where collection requires affirmative consent.
What the UCPA does not cover
There are significant exclusions:
- No private right of action. Only the Utah Attorney General can enforce the UCPA. You cannot sue a business directly for violations.
- No right to opt out of profiling. Unlike Colorado and Virginia, Utah residents cannot opt out of algorithmic profiling.
- Employee data excluded. Data processed in an employment context is generally exempt.
- Financial and health data exempt. Data governed by HIPAA, GLBA, FERPA, and FCRA is not covered.
How to exercise your UCPA rights
- Find the business's privacy policy. It's usually linked from the website footer.
- Locate the consumer rights request form. Many businesses now have a dedicated "Do Not Sell or Share My Personal Information" page.
- Submit your request. Specify the right you're invoking (access, delete, opt out) and provide identifying information.
- Wait 45 days. Businesses have 45 days to respond, extendable once by another 45 days.
- Appeal if denied. The UCPA requires businesses to provide an appeal process.
- File a complaint. If appeals fail, contact the Utah Division of Consumer Protection (dcp.utah.gov) — they accept UCPA complaints directly.
UCPA and data brokers
Data brokers like Spokeo, BeenVerified, Whitepages, Acxiom, and LexisNexis that meet the UCPA threshold must honor deletion requests from Utah residents. Submitting a deletion request under the UCPA is one of the most powerful tools you have — but it's not a permanent fix. Data brokers continuously re-ingest public records, meaning your profile typically reappears within 3 to 12 months.
Penalties for non-compliance
The UCPA authorizes civil penalties of up to $7,500 per violation, plus actual damages to consumers. However, because there's no private right of action, you must rely on the Attorney General's Office to pursue violations.
How PrivacyOn helps Utah residents
PrivacyOn uses state privacy laws — including the UCPA — as the legal foundation for deletion requests to data brokers. Utah residents who enroll benefit from:
- Continuous monitoring of 100+ data brokers
- Automatic re-submission when profiles reappear
- Dark web monitoring for leaked credentials
- Family plans covering up to five household members
- 24/7 customer support
Plans start at $8.33/month — less than the cost of manually opting out of five brokers once.
Compare: Utah vs. neighboring state laws
| Right | Utah (UCPA) | California (CPRA) | Colorado (CPA) |
|---|---|---|---|
| Access | Yes | Yes | Yes |
| Delete | Yes | Yes | Yes |
| Correct | Yes (July 2026) | Yes | Yes |
| Opt out of profiling | No | Yes | Yes |
| Private right of action | No | Limited | No |
Final checklist for Utah residents
- Enable Global Privacy Control in your browser
- Submit UCPA deletion requests to the largest consumer-facing data brokers
- Freeze your credit at all three bureaus
- Starting July 1, 2026, use your new right to correct against inaccurate broker data
- Consider continuous monitoring to handle broker re-ingestion
The UCPA is a solid foundation, and the 2026 amendment makes it stronger. The key is actually using your rights — most Utah residents don't know they have them.