Utah Consumer Privacy Act (UCPA): 2026 update
Utah's UCPA adds a right to correct personal data and stricter portability rules from July 1, 2026, under H.B. 418. Here is what changes.
On July 1, 2026, Utah's Data Sharing Amendments (H.B. 418) go into effect, adding a brand-new consumer right and tightening the portability rules that govern how data is returned when someone makes an access request. If your business handles personal data from Utah residents, the work is not done.
In this post, we are going to walk you through exactly what the Utah Consumer Privacy Act requires, what the 2026 amendments change, and what that means for your operations.
The Utah Consumer Privacy Act (UCPA) is a state privacy law that governs how businesses collect, use, and share the personal data of Utah residents. Signed into law on March 24, 2022, and effective from December 31, 2023, it is the fourth comprehensive consumer privacy law passed in the United States, following Virginia (CDPA), Colorado (CPA), and California (CCPA/CPRA).
The UCPA sets out consumer rights, controller and processor duties, and enforcement mechanisms. Its structure broadly resembles Virginia's CDPA, making it one of the more business-friendly frameworks in the US privacy landscape. The full text is published by the Utah State Legislature.
The UCPA applies to any controller or processor that conducts business in Utah or targets Utah residents, has $25 million or more in annual revenue, and satisfies at least one of the following volume conditions.
| Threshold | Requirement |
|---|---|
| Annual revenue | $25 million or more |
| Data volume (OR) | Controls or processes data of 100,000+ consumers per year |
| Revenue from data sales (AND data volume) | More than 50% gross revenue from data sales, AND controls or processes data of 25,000+ consumers |
The revenue floor is notable: the UCPA does not have a small business exemption based on employee count alone. Many smaller operators will fall outside the law by virtue of the $25 million threshold. There is also no exemption for non-profit organisations, though entities regulated under sector-specific laws such as HIPAA or GLBA have certain carve-outs.
The UCPA grants Utah consumers rights over their personal data. The 2026 amendments add a right that was notably absent from the original law.
| Right | What it means | Since |
|---|---|---|
| Right of access | Request a copy of personal data held about you | Dec 31, 2023 |
| Right to deletion | Request deletion of personal data | Dec 31, 2023 |
| Right to data portability | Receive data in a technically usable, transferable format | Dec 31, 2023 (strengthened July 1, 2026) |
| Right to opt out | Opt out of targeted advertising and sale of personal data | Dec 31, 2023 |
| Right to non-discrimination | Not face discrimination for exercising privacy rights | Dec 31, 2023 |
| Right to correct (NEW) | Request correction of inaccurate personal data | July 1, 2026 |
Controllers must respond to consumer requests within 45 days of receipt. A single 45-day extension is permitted when reasonably necessary, provided the consumer is notified within the initial response window.
Consumers can submit requests online or through an additional channel the business designates. Controllers may require consumers to authenticate their identity before processing requests, provided the verification method is not unreasonably burdensome.
Signed on March 27, 2025, and effective July 1, 2026, H.B. 418 introduces two material changes to the UCPA. The revenue and volume thresholds that define who the law covers remain unchanged.
Utah consumers now have the right to correct inaccuracies in personal data that a controller holds about them. This right, already present in the GDPR, CPRA, and Colorado CPA, was absent from the original UCPA. The amendment brings Utah's framework in line with the broader US state privacy landscape.
In practice, this means your business needs a process to receive correction requests, verify the claimed inaccuracy, update relevant data records, and respond within the 45-day window. Where you have shared the inaccurate data with third-party processors, those corrections may need to flow downstream.
The original UCPA required data to be returned in a 'portable' format but left that term broadly defined. The 2026 amendment tightens this: data delivered under a standard access request must be in a format that is technically usable and easily transferable to another controller without impediment.
If your current data exports are in proprietary formats, require specialist tools to open, or are structurally incomplete, that approach may not satisfy the updated standard. Review your export process before the July 1 effective date.
If you use Clym's consent management platform and have not made custom changes to your widget, the 'Data correction request' workflow will be automatically deployed for website visitors in Utah from July 1, 2026. Custom configurations will not be overwritten. This means eligible Utah visitors will see the correction request option without any manual update on your part.
Businesses acting as controllers under the UCPA must observe the following principles. These have not changed under H.B. 418.
Transparency: Provide a privacy notice describing what data is collected, why it is processed, and how consumers can exercise their rights.
Purpose specification and data minimisation: Collect only what is needed for the stated purpose and limit use to those purposes.
Consent for secondary use: Obtain consent before using personal data for purposes materially different from those disclosed.
Security: Implement reasonable security measures appropriate to the sensitivity and nature of the data.
Nondiscrimination and non-retaliation: Never penalise consumers for exercising their privacy rights.
Non-waiver of consumer rights: Contractual provisions that purport to waive consumer rights are unenforceable.
Unlike the GDPR, the UCPA does not require a legal basis for processing personal data beyond the consent requirement for sensitive data. For sensitive data, including precise geolocation, financial data, health information, race, ethnicity, religious beliefs, sexual orientation, and biometric identifiers, explicit consumer consent is required before processing.
The Utah Attorney General has sole enforcement authority over the UCPA. There is no private right of action, so consumers cannot bring individual lawsuits for violations.
Before penalties apply, controllers receive a 30-day cure period after formal notice of a violation. This opportunity to correct issues before facing financial consequences distinguishes Utah from states like California and Colorado, which have moved to limit or remove their cure periods.
Where violations are not remedied within the cure period, penalties can reach $7,500 per violation. Consumer complaints are first channelled through the Utah Division of Consumer Protection, which investigates before any referral to the Attorney General.
If you are already operating under the UCPA, the following steps address the 2026 amendments specifically.
Add a data correction request to your consumer request intake process. If you handle access, deletion, and opt-out requests today, the correction workflow is additive and follows the same 45-day deadline.
Audit your data portability outputs. Pull a sample export and verify it can be opened and imported by another controller without specialist tools or conversion steps.
Update your privacy notice to reflect the right to correct. The UCPA requires transparency about all consumer rights.
Train your operations or legal team. Anyone handling data subject requests needs to understand the new correction right and the portability standard.
Review your widget or consent management configuration. Check whether an active correction request workflow is deployed for Utah visitors.
Managing data subject requests manually at scale creates operational risk. Missing a 45-day deadline, failing to document a correction, or returning data in an unusable format are real exposure points. Clym's data subject request management tools give you a structured workflow for receiving, tracking, and resolving requests across the full spectrum of consumer rights, including the new right to correct.
Requests come in through the Governance Portal, are routed to the right team, and are tracked with a full audit trail. The platform's ReadyCompliance® feature automatically applies the right request types for the consumer's jurisdiction. A Utah visitor is offered a correction workflow; a California visitor sees the CPRA-specific rights set. You do not need to manage those differences manually.
The Utah Consumer Privacy Act has always been one of the less demanding US state privacy frameworks. That is still true after the 2026 amendments. The addition of a right to correct and stricter portability requirements does not fundamentally change the compliance profile for most businesses in scope.
What it does require is an update to your data rights process and, in some cases, a review of how you return data under access requests. If you were already running a functioning DSR workflow, the correction request is a manageable addition.
The July 1, 2026 deadline is live. The question is whether your processes reflect what Utah consumers can now ask for.
The Utah Consumer Privacy Act (UCPA) is a state data privacy law that took effect on December 31, 2023. It gives Utah residents rights over their personal data, including the right to access, delete, opt out of the sale of their data, and from July 2026, the right to correct it. It places corresponding obligations on businesses that collect or process that data.
The UCPA applies to businesses that conduct business in Utah or target Utah residents, have $25 million or more in annual revenue, and meet one of two data volume thresholds: processing data for 100,000 or more consumers per year, or deriving more than 50% of revenue from selling personal data while processing data for at least 25,000 consumers.
From July 1, 2026, Utah consumers can request that a controller corrects inaccurate personal data held about them. Controllers must respond within 45 days. This right was introduced by H.B. 418, the Data Sharing Amendments, signed into law in March 2025.
Data returned under a consumer access request must be in a format that is technically usable and easily transferable to another controller without impediment. The 2026 amendment makes this explicit, replacing the previously broad portability language in the original UCPA.
No. Only the Utah Attorney General can enforce the UCPA. Consumers cannot bring individual lawsuits for violations. Controllers receive a 30-day notice and cure period before penalties of up to $7,500 per violation can be imposed.
The UCPA is narrower in scope. It does not require a legal basis for all data processing, only consent for sensitive data. It has higher applicability thresholds, no Data Protection Officer requirement, no mandatory impact assessments, and no right to object to processing. The 2026 right to correct is one area where Utah and GDPR now align.
The UCPA is generally less restrictive than the CCPA and CPRA. It does not include a universal opt-out mechanism, does not require a 'Do Not Sell or Share' link, and has a higher revenue threshold. The right to correct was present in the CPRA before it was added to the UCPA.