In 2022, Utah enacted a consumer personal data statute called the Utah Consumer Privacy Act (“UCPA”). Utah Code § 13-61-101, et seq. The UCPA took effect at the end of 2023 and now, covered businesses must be in full compliance.

The UCPA is enforced through Utah’s Attorneys’ General’s Office, and consumers are not allowed to file personal lawsuits for alleged violations of the Act by businesses. Complaints by consumers can be filed with the Utah Division of Consumer Protection, which conducts investigations. From there, the Attorney General may take enforcement actions. The UCPA requires that businesses be given a 30-day “cure” opportunity before any penalty can be imposed. Civil fines can be imposed of up to $7,500 per violation.

The UCPA is similar to other consumer privacy statutes in the U.S. That is, consumers are given certain rights vis-a-vis the businesses that collect and process their personal data. For example, consumers have a right to be given notice of certain information prior to having their data collected. This information includes the right to know:

• The categories of personal data collected and processed
• The business purposes for which the data is collected and processed
• Methods that consumers can use to exercise their rights under the UCPA
• What categories of personal data the controller shares with third parties
• What types — categories — of third parties does the business share/sell personal data to?

Further, the UCPA gives consumers the right to demand certain actions be taken by the businesses collecting their personal data. These include the rights:

• To access their personal data — that is, the right to know if data is being collected/processed and what the data is
• To request that a business delete their personal data — but this only applies to data specifically provided by the consumer to the business (not personal data obtained through other means)
• To obtain a copy of their personal data in a portable format
• To opt out of having their sensitive data sold or used for targeted advertising without prior consent
• To have inaccurate data corrected

Businesses must provide a method or process for consumers to exercise these rights. That is, consumers must be able to contact businesses and make allowable requests. The UCPA gives businesses up to 45 days to respond to any request (though more time can be taken if the business explains why more time is needed). Businesses cannot charge for responding to these requests and cannot discriminate or retaliate against a consumer for exercising rights under the UCPA. Unlike other statutes, there are no mandated appeal procedures if the business fails or refuses to respond to a request. In those cases, the consumer must file a complaint with the Utah Division of Consumer Protection.

How to Submit a Consumer Rights Request Under the UCPA

To exercise your rights under the Utah Consumer Privacy Act, you must submit a verifiable consumer request to the specific business (controller) whose data practices you want to address. The business’s privacy policy — which the UCPA requires to be posted and accessible — should identify the designated method for submitting requests, typically a web form, email address, or toll-free phone number. When submitting a request, provide enough identifying information to allow the business to verify your identity and locate your personal data. Do not provide more information than is reasonably necessary for that purpose — you should not need to provide your Social Security number or government ID simply to verify your identity as a website user.

Businesses have up to 45 days to respond to a verifiable consumer request. If the business needs additional time due to the complexity or volume of requests, it may extend the response period by an additional 45 days — but it must notify you of the extension before the initial 45-day period expires. If a business fails to respond within this window, or provides an inadequate response, your recourse is to file a complaint with the Utah Division of Consumer Protection.

Understanding the Deletion Right: What Data Can Be Deleted

The UCPA’s right to deletion is narrower than the deletion rights provided under California’s CPRA and Oregon’s OCDPA. Under the UCPA, you have the right to demand deletion of personal data that you specifically provided to the business — but not personal data the business obtained through other means, such as purchasing data from a data broker, deriving inferences from your purchasing history, or collecting data through tracking technologies like cookies and pixels without your direct input.

This distinction matters in practice. If you created an account on a retail website and provided your name, address, and purchase history by placing orders, that data is “provided by” you and subject to the deletion right. But if the retailer also purchased a demographic profile on you from a third-party data broker, that purchased data falls outside the UCPA’s deletion right. Understanding this limitation helps set realistic expectations when exercising deletion rights and may inform your decision to file complaints under broader statutes (such as California’s CPRA) if those laws apply to the business in question.

Opting Out of Targeted Advertising: Practical Steps

The UCPA grants consumers the right to opt out of having their sensitive personal data sold or used for targeted advertising without prior consent. To exercise this right, look for an “Opt Out of Targeted Advertising” or “Do Not Sell My Personal Data” link in the business’s privacy policy or cookie consent banner. Many businesses subject to multiple state privacy laws present a combined opt-out link that covers both sale and targeted advertising opt-outs simultaneously.

If a business does not provide an opt-out mechanism or fails to honor your opt-out request, file a complaint with the Utah Division of Consumer Protection at consumerprotection.utah.gov. Include documentation of your opt-out request — the date submitted, method used, and any confirmation or response from the business. The UCPA requires businesses to respond to opt-out requests within a reasonable time, and persistent failure to honor opt-out requests is an enforcement priority for the Division.

Filing a Complaint with the Utah Division of Consumer Protection

If a business violates your UCPA rights and internal remedies have failed, the Utah Division of Consumer Protection (UDCP) is the appropriate agency to contact. The UDCP accepts complaints online at consumerprotection.utah.gov/submit-a-complaint. When filing a complaint, include: (1) the full name and website address of the business; (2) a description of the data practices you believe are violating the UCPA; (3) copies of your consumer rights request and any response from the business; (4) any opt-out request records; and (5) any other documentation supporting your complaint.

The UDCP may refer substantiated complaints to the Utah Attorney General’s Office for formal enforcement action. While individual consumers cannot personally recover monetary damages under the UCPA, a successful AG enforcement action may result in injunctive relief requiring the business to change its data practices and civil penalties that deter future violations. Consumers who experience significant harm from a privacy violation — including identity theft, financial loss, or other concrete injuries — should also consult with a private attorney about claims under other statutes or common law theories that may provide personal recovery.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.