Should Utah's Privacy Law Be on Your Radar?
When it comes to privacy compliance, businesses will have a lot on their plate in 2023. Major changes to the California Consumer Privacy Act (CCPA) are going into effect (including the expiration of employee data exemption), as well as four new state privacy laws. Among these is the Utah Consumer Privacy Act (UCPA).

The UCPA is somewhat more pro-business than the other state laws, including the Virginia Consumer Data Privacy Act on which it’s modeled, but it still imposes significant privacy obligations. The first step toward compliance is determining whether Utah’s privacy law applies to your business.

Which Businesses Must Comply with the UCPA?

Compared to the other data privacy laws, the UCPA is narrower in scope. A for-profit business must comply with the Utah Consumer Privacy Act if it meets the following three criteria:

  1. It does business in the state of Utah, and
  2. It has at least $25 million in annual revenue, and
  3. Either of the following applies:
    a. It processes the personal data of 100,000 or more Utah residents, OR
    b. It processes the personal data of at least 25,000 Utah residents and derives 50% or more of its revenue from the sale of personal data

Doing Business in the State of Utah

This is the most basic requirement. Having a physical presence in the state counts as doing business there, but so does selling goods or services online to Utah residents.

At Least $25 Million in Annual Revenue

This requirement is unique to the UCPA. It’s worth noting that the $25 million figure refers to all gross revenue, not just revenue from Utah.

Processing Requirements

For businesses that operate online, the 100,000-consumer threshold is easier to meet than they may realize. A website processes personal data (IP address, cookies, etc.) from every visitor, so each unique Utah visitor counts toward the threshold. Just 8,400 unique visitors from Utah per month puts a site over 100,000 for the year.

The UCPA lists several exemptions for certain types of organizations and personal data. These include:

  • Governmental entities
  • Nonprofit corporations
  • Institutes of higher education
  • Native American tribes
  • Covered entities and business associates, as defined by HIPAA
  • Financial institutions regulated by the Gramm-Leach-Bliley Act

Manage Multi-State Privacy Compliance in One Place

Navigating the complexities of multiple privacy laws at once can be difficult for any business, but it’s even harder for businesses that don’t have in-house privacy experts or legal departments. TrueVault US simplifies multi-state privacy compliance, allowing businesses of any size to handle it on their own.

Designed by attorneys, TrueVault US is an all-in-one privacy software that helps you get your business fully compliant with laws like the UCPA, CCPA, and more, even if you’re starting from scratch. From onboarding vendors to processing privacy requests, TrueVault provides guidance at every step.

Contact our team to learn more and view a demo.