Utah Consumer Privacy Act

What you need to know to keep your company in compliance

Utah signed the Utah Consumer Privacy Act (UCPA) into law in March 2022, and it will go into effect December 31, 2023. The UCPA gives consumers the right to access, the right to delete, the right to data portability, and the right to opt out. Among all the privacy laws in the US, the UCPA has been hailed as one of the most business friendly. However, it’s still important to understand what’s required under the law and get in compliance. Here’s what every company needs to know.

Automate Utah requirements with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Who is Subject to the UCPA

The UCPA applies to any business that:

  • Conducts business in Utah or offers a product or service targeted to Utah residents
  • Has an annual revenue of $25 million or more
  • Meets at least one of the following requirements:
    • Controls or processes personal data of 100,000 or more consumers in a calendar year
    • Derives more than 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers

The law does include exemptions for certain types of organizations (e.g. higher education institutions, non-profits, government entities), certain types of data (e.g. data covered under specific federal regulations and employment-related data), certain instances of selling data, and deidentified, publicly available, or aggregated data.

How the UCPA is Enforced

Enforcement Authority

The Utah attorney general is responsible for enforcing the UCPA. The Utah Division of Consumer Protection fields complaints and investigates potential violations, which it can then refer to the attorney general. The attorney general must provide written notice to the organization and offer a 30 day cure period, after which the company must respond with a written statement about the resolution.

Penalties for Non-Compliance

If a violating company fails to fix an issue or continues to violate the UCPA after saying it fixed the issue, the attorney general can issue a fine of up to $7,500 per violation as well as actual damages to consumers. There is no private right to action and consumers can’t use a violation of the UCPA to support a claim under another Utah law.

The UCPA requires organizations to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data.”

What Incident Response is Required Under the UCPA

The UCPA’s incident response measures following a cybersecurity incident come from a pre-existing Utah law, which requires a notification in the case of a security breach.

What is a security breach?Any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
What is personal information?

A person’s first name or first initial and last name along with at least one of the following:

    • Social security number
    • Driver’s license or state identification number
    • Account, credit card, or debit card number along with a security code or password

…unless the data is encrypted or unreadable in any way, included in government records, or available to the general public.

Who should be notified following a breach?

Affected Utah residents, unless a reasonable and prompt investigation reveals it is unlikely the personal information will be misused for identity theft or fraud.

If the organization doesn’t own the data, then they must also notify the company that does own the data.

When should a notification be issued?As expediently as possible without unreasonable delay once the company has identified the scope of the breach and restored the integrity of any affected systems.
How should a notification be issued?
  • In writing by first-class mail to the most recent address on file
  • By telephone
  • Electronically, if that is the primary method of communication with affected consumers or if consumers previously provided consent to this method

If none of those methods are possible, the company can publish a notice in a newspaper widely circulated in Utah.

Are there any exceptions to issuing a notification?
  • If the data is encrypted or unusable
  • If a good faith investigation reveals the affected data has not been and is unlikely to be misused
  • If the company has a separate notification policy that aligns with timing requirements and includes affected Utah residents
  • If the company is subject to (and follows) state or federal regulations that include notifications to affected Utah residents
  • If a law enforcement agency requests a delay due to a criminal investigation
  • If the company is a financial institution or affiliate

Types of Security Breaches That Might Require Notification Under the UCPA

Based on the existing security breach notification guidelines in Utah, a variety of incidents can trigger a security breach notification, such as:

watering hole

Watering Hole Attack

A social engineering attack through which threat actors profile victims to determine websites they visit and then infect those websites to gain access to the victims’ computers or network.



An attack in which malicious actors use malware to steal data from an organization and hold it captive in exchange for money. Even if the data is returned, it was still exposed to a third party.

Phishing malware or trojan

Trojan Attack

An attack in which a malicious program is hidden inside legitimate software which, once downloaded by users, creates an access point to view digital behavior and access information.

How Organizations Can Prepare to Comply with the UCPA

Given that UCPA requires organizations to maintain reasonable security practices to protect personal data and that the data breach notification requirements grant a reprieve to organizations with encrypted data, it pays to take a proactive approach. This should cover:


Understand the requirements in relevant regulations and contracts, develop response plans accordingly, assign responsibilities to key stakeholders, and conduct simulations to prepare team members.


Investigate what happened, how and when it happened, what systems were involved, and the potential impact. Remediate the issue, notify customers, agencies, and partners, and implement a safe haven for relevant team communications.


Monitor and report on incident response plans to identify areas for improvement and updates. Communicate changes to stakeholders to maintain alignment and keep them aware of their responsibilities.

Prioritizing Proactive Incident Response

The UCPA is just one of hundreds of comprehensive privacy laws around the world. These regulations along with an increasing number of cyber incidents make proactive protection and incident response a top priority. Doing so requires keeping aware of regulatory updates and changes, introducing response plans with clear responsibilities, testing those plans with tabletop exercises, and regularly revisiting efforts to ensure readiness.

Supercharge your incident response strategy with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.


Headed to RSA?


Stop by to see us at our "Journey to Secure the Future" location at Fogo de Chão.


Book time with our team 👇

Schedule a Meeting