What is the UCPA?

The Utah Consumer Privacy Act (UCPA) is Utah's comprehensive consumer privacy law, passed in 2022 and effective from December 31, 2023. It regulates how covered businesses collect, use, and share the personal data of Utah residents.

Under the UCPA, consumers have the right to access, delete, and obtain a copy of their personal data, as well as opt out of certain uses such as the sale of personal data or targeted advertising. Businesses covered by the law must provide clear privacy notices, explain consumer rights, and offer a way for Utah residents to exercise those rights.

Who does the UCPA apply to?

The UCPA applies to businesses that operate in Utah or offer products or services targeted to Utah residents. To fall under the law, a business must also have at least $25 million in annual revenue and meet one of the UCPA's personal data thresholds.

A business is covered when it either:

  • Controls or processes the personal data of 100,000 or more Utah consumers in a calendar year.
  • Controls or processes the personal data of 25,000 or more Utah consumers and earns over 50% of its gross revenue from selling personal data.

This means the UCPA is mainly aimed at larger businesses with significant access to Utah consumer data, rather than every company that happens to have users or customers in Utah.

UCPA and Clickwrap Agreements

In contrast to the privacy laws of its peer states, Virginia, Colorado, and Connecticut, the UCPA adopts an opt-out model for the majority of data processing and reserves opt-in consent only for sensitive data under Section 13-61-302(3). Because of this divided structure, clickwrap design under the UCPA depends largely on whether the data being collected is classified as sensitive. The controller's responsibilities are outlined in Sections 13-61-301 through 305, and the Utah Attorney General is solely responsible for enforcing compliance.

How UCPA Affects Clickwrap Design

The UCPA does not require users to give affirmative consent before the collection or use of non-sensitive personal data. Instead, the law relies primarily on opt-out rights and privacy disclosures. Section 13-61-302(1) requires controllers to give Utah consumers a reasonably accessible privacy notice and to make clear how they may opt out if the controller sells personal data or uses it for targeted advertising.

Clearer notification in the clickwrap flow is necessary for sensitive data. Section 13-61-302(3) of the UCPA mandates that controllers provide consumers with explicit notice and an option to opt out prior to processing sensitive data, in contrast to certain privacy regulations that demand opt-in consent. Information disclosing racial or ethnic origin, religious convictions, sexual orientation, citizenship or immigration status, medical history, physical or mental health issues, genetic or biometric information used for identification, and precise geolocation data within 1,750 feet are all considered sensitive data.

For clickwrap design, this means sensitive data notices should not be buried in generic terms. They should be presented in an understandable manner, with an obvious option for the user to opt out.

Clickwrap terms cannot be used to waive UCPA rights. Section 13-61-302 declares that any clause in a contract that restricts or waives a consumer's legal rights is null and invalid. This means that ticking a Terms of Service checkbox should not result in consumers forfeiting their right to privacy. Although the clickwrap may include a link to the Privacy Policy, acceptance of the terms should not be interpreted as a surrender of UCPA rights.

What Must Be Shown Under UCPA

Section 13-61-301 requires controllers to provide a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data processed by the controller.
  • The purposes for processing each category of personal data.
  • How consumers can exercise their rights, including the right to opt out of targeted advertising and the sale of personal data.
  • The categories of personal data shared with third parties, if any.
  • The categories of third parties with whom personal data is shared.

The privacy notice must be accessible before or at the moment of data collection. In a clickwrap context, this means the notice, or a clear, direct link to it, must be available within the agreement flow rather than hidden away in a footer or separate settings page.

Additionally, when a controller sells personal data or uses it for targeted advertising, Section 13-61-301(2) mandates that the privacy notice clearly and conspicuously disclose this information along with the consumer's option to opt out.

What Records You Must Keep Under UCPA

The UCPA does not create a detailed recordkeeping rule for clickwraps or consent logs. However, businesses still need enough records to show that Utah consumers were given the notices and choices required under the law.

Controllers should keep records of:

  • Privacy notice versions - The full text of each Privacy Policy version, the date it was published, and where it appeared in the clickwrap flow.
  • Opt-out requests - When the request was received, whether it applied to targeted advertising or the sale of personal data, and when the request was completed.
  • Sensitive data notices - What sensitive data category was involved, what notice was shown, when it was shown, and how the user was given the chance to opt out.
  • Clickwrap acceptance records - The timestamp, user identifier, agreement version, IP address, and UI screen used when the user accepted the terms.

The 30-day cure period makes these records even more important. Under Section 13-61-306, the Attorney General must give a controller written notice before bringing an enforcement action. The controller then has 30 days to cure the alleged violation and provide a written statement confirming that the issue has been fixed.

Key Provisions of UCPA

Consumer
An individual who is a Utah resident acting in an individual or household context. Does not include an individual acting in an employment or commercial context (Section 13-61-101(8)).
Personal Data
Information that is linked or reasonably linkable to an identifiable individual. Does not include de-identified data, publicly available information, or aggregated data (Section 13-61-101(22)).
Sensitive Data
Personal data that reveals racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history, mental or physical health condition, or genetic or biometric data processed for identification purposes. Also includes specific geolocation data (Section 13-61-101(30)).
Consent
A clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer (Section 13-61-101(7)).
Right to Opt Out
Consumers have the right to opt out of the processing of personal data for targeted advertising and the sale of personal data. Unlike other state laws, the UCPA does not include an opt-out right for profiling (Section 13-61-302).
No Right to Correct
Unlike CCPA, VCDPA, CPA, and CTDPA, the UCPA does not grant consumers the right to correct inaccurate personal data — only the rights to access, delete, and port their data (Section 13-61-302).

Penalties for UCPA Non-Compliance

AG enforcement action: Up to $7,500 per violation
The Utah Attorney General can impose civil penalties of up to $7,500 per violation. The AG must first provide a 30-day cure notice, and this cure period does not expire — giving businesses a permanent opportunity to fix violations before penalties apply.
Division of Consumer Protection investigation: Investigation and referral
The Utah Division of Consumer Protection can receive consumer complaints, investigate potential violations, and refer cases to the Attorney General for enforcement action.
Actual damages: No private right of action
The UCPA does not grant consumers a private right of action. Enforcement is exclusively through the Attorney General, making the risk of class-action lawsuits under this specific law nonexistent.

Frequently Asked Questions

The UCPA applies to businesses that have annual revenue of $25 million or more, conduct business in Utah or target products and services to Utah consumers, and either control or process the personal data of 100,000 or more consumers, or derive over 50% of gross revenue from selling personal data while controlling or processing data of 25,000 or more consumers.
No. Unlike the VCDPA, CPA, and CTDPA, the UCPA's 30-day cure period is permanent and does not include a sunset provision. This means businesses will always have the opportunity to fix a violation within 30 days before the Attorney General can impose penalties.

This entry is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your situation.