April 2022: Utah Consumer Privacy Act Signed Into Law

06 Apr


Update Applicable to:
All businesses in possession of consumer information in the state of Utah.

What happened?
On March 24, 2022, Utah Governor Spencer Cox signed Senate Bill 0227, the Utah Consumer Privacy Act (UCPA), into law. It will go into effect on December 31, 2023.

What are the details?

In comparison to other state laws, the UCPA’s applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:

  1. Do business in the state or target residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Meet data collection, processing, or sale/revenue thresholds.

Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.

In comparison, under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers’ personal information). Virginia’s Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA) do not have revenue thresholds.


The UCPA establishes the Department of Commerce Division of Consumer Protection (“Division”), which will receive and investigate consumer complaints alleging violations of the UCPA. Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA. Based on the referral, the AG may initiate an enforcement action against a controller or processor that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violations have a 30-day cure period. After that period, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing. The AG may seek up to $7,500 for each violation.


The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025, that evaluates liability and enforcement provisions and details a summary of data protected (and not) by UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, Division, or other agency to carry out rulemaking in the meantime.

For more information, please see the links below:

Senate Bill 0227

Article 1, Article 2, Article 3

What do employers need to do?
Employers should review the links provided above, revise their privacy policies, and implement any policies that would protect sensitive consumer information.
