Businesses operating in or targeting Utah residents must obtain clear, affirmative cookie consent (“opt-in”) for tracking that qualifies as processing personal data under the Utah Consumer Privacy Act (UCPA), especially when engaging in targeted advertising or selling data. Is your consent management up to par in Utah?
The Utah Consumer Privacy Act (UCPA), effective December 31, 2023, is a state law that empowers Utah residents with data rights and places obligations on large companies handling their personal data. It regulates personal data collection, sale, targeted advertising, consent mechanisms, and data security.
Evaluate if your organization meets the UCPA's thresholds, and if yes, your compliance checklist should include:
Conduct an audit:
Perform a full audit of data collection and sharing practices.
Update privacy policy:
Update privacy and cookie policies with Utah-specific disclosures.
Implement consent management:
Implement cookie consent banners and opt-out flows to automate consent capture and preference management.
Data subject handling:
Establish processes for handling data subject requests.
Data security:
Ensure data security measures are in place.
Compliance is required for controllers/processors that:
Exemptions include institutions of higher education, nonprofits, government entities and contractors, HIPAA-covered entities, GLBA-regulated financial institutions, tribes, air carriers, and data governed under federal laws like FCRA, COPPA, DPPA, FERPA, and Farm Credit Act.
Utah residents enjoy:
Confirm whether personal data is processed and request copies
Remove personal data consumers provided
Receive data in a usable, transferable format
Prevent sale of their data and use for targeted advertising
Prohibit penalizing consumers for exercising rights
Requests must be acknowledged within 45 days, with one possible 45-day extension. Businesses cannot charge for first-time requests unless they are manifestly unfounded or repetitive. There is no private cause of action or right to correction or appeal under UCPA.
Cookies that process personal data fall under UCPA’s scope. If you use cookies for targeted advertising or data sales, you must:
Disclose cookie use clearly in privacy notices
Offer opt-out mechanisms before or at first use
Maintain records of consent and opt-out actions
A good cookie consent mechanism and ongoing monitoring are critical, since UCPA compliance requires visibility into all trackers and data flows on sites and apps.
A compliant cookie banner should (1) identify cookie categories, (2) explain purposes, (3) offer opt-out/opt-in choices, and (4) keep consent records, helping meet UCPA transparency and opt-out obligations.
The Utah Attorney General enforces UCPA via the Division of Consumer Protection. Non-compliance triggers:
Notice of violation + 30-day cure window
If not remedied, fines up to 7,500 USD per violation plus actual damages to consumers.
To check their compliance with data privacy laws and the UCPA, organizations should:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts:
Review third-party data-sharing practices
The UCPA applies to large for-profit controllers or processors doing business in Utah or serving Utah residents that meet both: ≥ $25 million annual revenue and either control data of ≥ 100,000 consumers or derive > 50% revenue from data sales serving ≥ 25,000 consumers.
Any information linked or reasonably linkable to an identified or identifiable individual. Deidentified, aggregate, or publicly available data are excluded.
Data revealing racial/ethnic origin, religion, sexual orientation, citizenship/immigration status, medical/mental health info, genetic or biometric identifiers. Processing requires notice and option to opt-out but not prior consent.
The Utah Attorney General enforces the law; the Utah Division of Consumer Protection investigates complaints and assists enforcement.
Exemptions include institutions of higher education, nonprofits, government entities & contractors, tribes, air carriers, HIPAA-covered entities, GLBA-regulated financial institutions, plus data under federal laws (e.g. FCRA, DPPA, FERPA, Farm Credit).
Utah’s Division of Consumer Protection website and the full Utah Consumer Privacy Act (Utah Code § 13-61-101) can offer guidance about UCPA compliance.