Utah Consumer Privacy Act (UCPA)
A practical compliance guide for website owners. Learn what Utah's privacy law requires and how to implement it on your site.
Who Must Comply
Annual revenue of $25M+ AND meets one of: controls/processes personal data of 100K+ consumers, OR derives 50%+ of revenue from selling personal data and processes data of 25K+ consumers
What Your Website Must Do
| Requirement | Status |
|---|---|
| Cookie consent banner | Recommended |
| Do Not Sell link | Required |
| Do Not Share link | Not required |
| Honor GPC browser signals | Recommended |
| Universal opt-out mechanism | Not required |
| Sensitive data opt-in consent | Required |
Required Links & Notices
The UCPA requires the following links or notices to be visible on your website:
- 1Privacy Policy
Enforcement & Penalties
Key Things to Know
Utah's privacy law is considered the most business-friendly comprehensive state privacy law. It has a permanent 30-day cure period (no sunset), narrower consumer rights than California or Colorado, and does not require recognizing universal opt-out mechanisms like GPC.
Key difference: Utah does not provide a right to opt out of profiling and does not require honoring GPC signals. The law focuses primarily on sale of personal data and targeted advertising opt-outs.
Narrow scope: Utah only covers "sale" of personal data (exchange for monetary consideration), not "sharing" — a narrower definition than California's CCPA/CPRA.
How to Configure LegalBanner for UCPA
- 1
Create your site
Sign up for free and add your website domain in the dashboard.
- 2
Set consent mode to "Opt-out"
In Settings, select the consent mode that matches Utah's requirements.
- 3
Install the snippet
Add the one-line script tag to your website. The banner, opt-out links, and GPC support are automatic.
- 4
Generate your Privacy Policy
Use the built-in policy wizard to generate a UCPA-compliant privacy policy.
Set up UCPA compliance in 5 minutes
LegalBanner handles Utah privacy requirements automatically — cookie banner, opt-out links, and GPC support included.
Frequently Asked Questions
Does Utah require a cookie consent banner?
No. Utah does not require opt-in cookie consent. You must provide a mechanism for consumers to opt out of targeted advertising and sale of personal data, but Utah's requirements are among the lightest of all state privacy laws.
Does Utah require honoring GPC signals?
No. Utah does not require businesses to honor Global Privacy Control or any universal opt-out mechanism. This is a significant difference from states like California, Colorado, and Montana.
What makes Utah's law different from other state privacy laws?
Utah's UCPA is the most business-friendly: permanent 30-day cure period, no GPC requirement, narrower definition of 'sale' (monetary only), no right to opt out of profiling, and no private right of action.
What are the penalties for UCPA violations?
Up to $7,500 per violation, enforced by the Utah AG and Division of Consumer Protection. The 30-day cure period is permanent and does not sunset.
Does the UCPA apply to nonprofits?
No. The UCPA exempts nonprofits, government entities, higher education institutions, tribes, and entities covered by HIPAA or Gramm-Leach-Bliley Act.