Data Protection & Privacy 2026

Last Updated March 10, 2026

USA – Utah

Trends and Developments


Author



Kirton McConkie is Utah’s premier multi-service law firm, with over 200 attorneys across five offices. It offers practical legal service to clients in all 50 states and in more than 150 countries. The firm’s practice areas span data privacy, intellectual property law, corporate law, real estate law and litigation. Its attorneys are trusted advisers, strategic problem-solvers and true partners to clients. With graduates from 52 different law schools, including nine of the top ten US law schools, the legal team brings a broad range of experience, insight and industry knowledge to every case. Nearly half of the firm’s attorneys speak multiple languages, and many have practised law internationally, giving it the perspective and capability needed to handle legal matters across borders and industries.

Utah Privacy Law in 2026: A Practical and Strategic Guide for Businesses

Utah privacy law has developed rapidly in recent years, but the Utah Consumer Privacy Act remains the foundation of the state’s comprehensive privacy framework. At the same time, the Utah Legislature has enacted additional statutes addressing artificial intelligence (AI), cybersecurity, social media governance, electronic data access and digital identity infrastructure.

For organisations operating in Utah or serving Utah residents, privacy compliance is no longer a discrete legal project but an ongoing regulatory responsibility touching marketing, product design, information security, vendor management and customer service. With the 2026 state legislative session ongoing, further changes to Utah’s privacy law should be expected.

Utah’s Place in the US Privacy Landscape

When the Utah Consumer Privacy Act was signed on 24 March 2022, Utah became just the fourth US state to enact comprehensive consumer privacy legislation, following California, Colorado and Virginia. The Act entered into force on 31 December 2023.

Utah adopted a pragmatic structure from the outset. Enforcement authority rests with the attorney general rather than private litigants, and the statute avoids broad rule-making authority. Applicability thresholds are designed to focus on medium and large organisations. While the Utah Consumer Privacy Act shares many similarities with Colorado and Virginia law, there are differences, so compliance requires careful analysis for organisations operating in multiple jurisdictions.

Scope of Application: Revenue and Data Thresholds

The Utah Consumer Privacy Act applies to for-profit entities conducting business in Utah or targeting Utah residents that meet both a revenue and data-processing threshold. The statute applies to organisations with annual revenue exceeding USD25 million that either:

  • control or process personal data of 100,000 or more Utah consumers during a calendar year; or
  • control or process personal data of 25,000 or more Utah consumers and derive more than 50% of gross revenue from the sale of personal data.

Utah’s USD25 million revenue threshold is absolute. If it is not met, the statute does not apply, regardless of consumer volume. This differs from California and Colorado, where revenue is not always a gating requirement.

Exemptions apply to governmental entities, institutions of higher education, non-profit organisations, indigenous tribes, and personal data regulated under federal statutes such as the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act of 1999 and the Fair Credit Reporting Act of 1970. Organisations that are uncertain about the applicability of the Utah Consumer Privacy Act should document their analysis of revenue calculations, consumer counts and monetisation practices.

Personal Data and Sensitive Data

Personal data under the Utah Consumer Privacy Act includes information linked or reasonably linkable to an identifiable individual. This definition captures common business data, including:

  • names and contact details; 
  • account credentials; 
  • online identifiers and device information; 
  • transaction histories; and
  • location data.

The Act also defines sensitive data, including information revealing:

  • racial or ethnic origin;
  • religious beliefs;
  • sexual orientation;
  • citizenship or immigration status;
  • health conditions;
  • genetic or biometric data; and
  • precise geolocation.

Before processing sensitive data, controllers must provide clear notice and an opportunity to opt out. Organisations should evaluate marketing tools, analytics platforms and AI systems to determine whether sensitive data is implicated directly or indirectly.

Definition of “Sale” and Competitive Clarity

Utah defines “sale” narrowly as the exchange of personal data for monetary consideration. This approach contrasts with California’s broader “monetary or other valuable consideration” standard. Utah further excludes disclosures consistent with a consumer’s reasonable expectations. This narrower construction reduces ambiguity for organisations engaged in analytics, cross-context advertising, or vendor partnerships. However, multi-state operators must remain cautious. Practices that fall outside Utah’s definition may still constitute a sale under California or Colorado law.

Controllers and Processors: Allocation of Duties and Vendor Management

As is common in many privacy statutes around the world, the Utah Consumer Privacy Act distinguishes between controllers and processors and uses definitions similar to other jurisdictions: controllers determine the purposes and means of processing personal data, while processors act on behalf of controllers pursuant to written instructions.

Organisations sharing personal data with vendors, service providers or other third parties should have contracts in place governing the data. Such controller-processor contracts must:

  • describe the nature and purpose of processing; 
  • impose confidentiality obligations; 
  • require reasonable administrative, technical and physical safeguards; and 
  • ensure that subcontractors provide equivalent protections. 

Periodic review of processor agreements and due diligence documentation strengthens defensibility in the event of regulatory scrutiny of such data sharing.

Consumer Rights and Operational Demands

Utah consumers possess defined rights under the Utah Consumer Privacy Act. Controllers must implement structured workflows to receive, verify and respond to requests efficiently. Consumers have the right to:

  • confirm whether personal data is processed and access that data; 
  • delete personal data provided by the consumer; 
  • obtain a portable copy of previously provided data; 
  • opt out of targeted advertising or the sale of personal data; and 
  • correct inaccurate personal data (effective 1 July 2026).

The right of correction, effective 1 July 2026, requires particular attention. Correction requests may necessitate updates across multiple systems. Organisations should define internal criteria for evaluating such requests and document implementation decisions. Controllers must respond to data subject rights requests within 45 days. A single 45-day extension is permitted when reasonably necessary. In the case of data subject complaints or regulatory investigations, the Attorney General must provide written notice and a 30-day opportunity to cure before enforcement action, as discussed in more detail below.

Transparency and Privacy Notices

Transparency is an important element in Utah privacy law, as in other jurisdictions. Controllers must provide consumers with a reasonably accessible privacy notice describing:

  • categories of personal data processed; 
  • purposes of processing; 
  • categories of third parties receiving data; and 
  • available consumer rights and methods for exercising them.

Overly generic disclosures risk undermining statutory transparency obligations. Regular review is advisable, particularly when deploying new technologies or modifying vendor relationships.

Data Minimisation and Security Practices

Although the Utah Consumer Privacy Act does not use the term data minimisation explicitly, responsible data governance remains essential. Collecting only the data necessary for defined business purposes reduces risk exposure and simplifies compliance obligations. The Act requires organisations to implement reasonable administrative, technical and physical security safeguards. Strong security controls also support incident response readiness. Breach response planning should include defined roles, communication protocols and documentation procedures.

Enforcement Structure and Cure Provisions

Utah employs a hybrid enforcement model. The Utah Division of Consumer Protection investigates complaints and refers matters to the Attorney General. The Attorney General has exclusive authority to bring enforcement actions. If a violation is identified, the Attorney General must provide written notice and a 30-day opportunity to cure. Civil penalties may reach USD7,500 per violation for uncured violations.

Unlike California (but similar to Colorado and Virginia), Utah provides no private right of action under the Utah Consumer Privacy Act. Utah also has no standalone dedicated enforcement agency for privacy, whereas California does. Notably, neither the Division of Consumer Protection nor the Attorney General is empowered to promulgate privacy regulations. This absence provides predictability for organisations subject to the statute.

Cybersecurity and Breach Co-Ordination: Senate Bill 127

Following the adoption of the Utah Consumer Privacy Act, in 2023 the Utah Legislature passed Senate Bill 127, which strengthens breach notification and cybersecurity governance in Utah. Entities owning or licensing computerised personal data must investigate suspected breaches and provide timely notice where misuse for identity theft or fraud is confirmed. Breaches of relevant data affecting 500 or more residents must be reported to the Attorney General and the Utah Cyber Center. Data covered by the breach notification requirement is similar to other US jurisdictions and is limited to Social Security number, driver licence or State Identification number, and financial account information that would permit access to the account. Governmental entities must report breaches to the Utah Cyber Center.

The Utah Cyber Center co-ordinates statewide cybersecurity planning, incident response, and threat information sharing. From 1 January 2025, governmental entities must generally use authorised top-level domains such as .gov, .edu or .mil for official communications, subject to limited exceptions. These measures illustrate Utah’s investment in structured cybersecurity infrastructure.

Electronic Information and Law Enforcement: Senate Bill 226

In the year after the adoption of the Utah Consumer Privacy Act, the legislature strengthened privacy protections in the context of law enforcement by adopting Senate Bill 226, which limits access to electronic data. Law enforcement agencies must obtain a search warrant based on probable cause before accessing location information, stored data or transmitted data from electronic devices, except in defined emergency or consent-based circumstances. Data not covered by a warrant must be destroyed in an unrecoverable manner. Agencies may not use, copy or disclose information outside the scope of the warrant, subject to narrow exceptions. The statute protects providers acting in good faith reliance on a warrant from liability. The statute reinforces judicial oversight and aligns Utah more closely with global expectations regarding digital privacy safeguards.

Social Media Regulation and Youth Protection

Utah has been at the forefront among US states in regulating social media platforms, particularly with respect to minors; however, Utah’s efforts have been marked by sustained legislative action and ongoing constitutional litigation. In March 2023, the Utah Legislature enacted the Utah Social Media Regulation Act through SB 152 and HB 311, imposing age verification, parental consent requirements, advertising restrictions, and limits on certain platform features. Those provisions were challenged on constitutional grounds and ultimately repealed and replaced in 2024 with a revised framework, including the Minor Protection in Social Media Act (SB 194/HB 464), which was designed to refine age-assurance systems, strengthen default privacy protections, restrict features such as autoplay, and provide supervisory tools for parents.

The revised law was scheduled to take effect on 1 October 2024, but on 10 September 2024 a federal district court granted a preliminary injunction blocking its implementation, concluding that Utah had not demonstrated that the statute was likely to withstand First Amendment scrutiny, notwithstanding the state’s interest in protecting minors. The related litigation, most prominently NetChoice v Reyes, remains ongoing. Most recently, the state urged the Tenth Circuit Court of Appeals to reinstate the law, arguing that it regulates structural platform features rather than protected speech. Members of the appellate panel questioned whether the statute can meaningfully distinguish between regulated design features and constitutionally protected expression. As a result of the litigation, no social media age-verification or platform-design restrictions are currently enforceable in Utah while the legal challenges proceed.

The Artificial Intelligence Policy Act and AI Governance

Utah’s Artificial Intelligence Policy Act, effective 1 May 2024, established the Office of Artificial Intelligence Policy and the Artificial Intelligence Learning Laboratory Programme. The Learning Laboratory permits regulatory mitigation agreements for AI innovators operating under defined safeguards, including the possibility of limited exceptions from certain state-level regulatory requirements. Participants must demonstrate technical competence, financial capacity and effective risk management plans, and are required to report incidents promptly and to comply with cybersecurity auditing procedures.

In addition to creating this innovation-focused framework, Utah’s AI legislation emphasises transparency at consumer-facing touchpoints. Businesses must disclose when individuals are interacting with AI systems, such as chatbots or automated service tools. Certain high-risk applications, including AI tools used in sensitive contexts such as mental health support, are subject to additional restrictions relating to advertising practices, data use and consent.

Although the Artificial Intelligence Policy Act encourages innovation through regulatory mitigation, it also clarifies that existing consumer protection laws apply to AI applications. Organisations deploying AI should therefore integrate AI governance into broader privacy and compliance frameworks. Practical steps include:

  • inventorying AI systems currently in use;
  • evaluating whether consumer disclosures are required;
  • implementing structured review mechanisms for higher-risk applications; and
  • maintaining documentation of AI-related decision-making processes.

Utah’s approach reflects a dual objective: promoting responsible innovation while embedding oversight where consumer risk is most acute.

The 2025 Legislative Session: Recent Legislative Developments

While the Utah Consumer Privacy Act remains the foundation of Utah’s privacy framework, the Utah Legislature has continued to refine and expand the state’s approach to data governance. Since the Utah Consumer Privacy Act’s adoption in 2022, lawmakers have enacted and amended statutes addressing cybersecurity co-ordination, electronic data access, social media governance and AI oversight. Together, these measures create a layered regulatory environment in which privacy, security and consumer protection intersect.

The 2025 legislative session expanded Utah’s privacy framework beyond the Utah Consumer Privacy Act, with lawmakers introducing measures that address government data governance and AI transparency. These changes reflect how Utah is increasingly treating privacy as a cross-cutting issue with a broader view of privacy risk.

Changes to AI policy

In 2025, the Utah Legislature amended the Artificial Intelligence Policy Act to refine and extend its regulatory framework. Under the follow-on legislation signed in the 2025 General Session, including Senate Bill 226 and Senate Bill 332, the scope and requirements of the act were narrowed and clarified, and the act’s sunset date was extended until 1 July 2027. These amendments focus the AI disclosure obligations on instances where consumers make a clear and unambiguous request to know whether they are interacting with AI and limit proactive disclosure obligations for high-risk interactions involving sensitive personal or regulated occupational data. In addition, the legislature enacted complementary provisions addressing mental health chatbots and expanded protections against unauthorised AI-generated impersonations. These changes tailor Utah’s AI regulatory environment towards more specific consumer protection contexts while maintaining an innovation-friendly posture.

Strengthened oversight of government agencies

House Bill 444 strengthened privacy oversight within state government. It increased the authority of the Utah Privacy Commission and clarified rules governing how agencies collect and use personal data. For example, government websites must include plain-language privacy notices. Agencies must also identify high-risk data practices, such as facial recognition and automated profiling. Contractors working with state agencies must comply with similar standards. Organisations that provide services to the government should review contractual privacy provisions carefully and ensure alignment with statutory expectations.

The 2026 Legislative Session: Ongoing Developments (as of 20 February 2026)

Utah’s 2026 General Session is ongoing, and several introduced measures would materially affect cybersecurity co-ordination and AI oversight. Because bills may be amended during the session, organisations should track both the substance and the direction of travel: the proposals collectively signal continued legislative interest in technology governance, accountability and risk controls.

State-endorsed digital identity programme (SB 275)

Senate Bill 275 would create a state-endorsed digital identity programme and, notably, would establish a statutory digital identity bill of rights. The bill’s text frames core principles around individual control, voluntariness (including a right not to be compelled by the state to use a digital identity in place of a physical credential), transparency in design and operation, and protections against surveillance or persistent monitoring except as authorised by law.

The proposal would also set out requirements and responsibilities for multiple participants in the ecosystem (including governmental entities and private-sector participants, such as digital wallet providers, verifiers and relying parties), and includes enforcement and complaint pathways. In practice, if enacted, Senate Bill 275 could become a key “plumbing” statute for identity-related privacy in Utah, with downstream implications for authentication, attribute sharing and data-handling expectations across services that choose to recognise state-endorsed credentials.

AI transparency amendments (HB 286)

House Bill 286 would enact an AI Transparency Act aimed at “frontier” AI models. The bill would require developers of certain covered models to create and publish public safety and child protection plans, publish summaries of risk assessments, and report certain safety incidents to the Office of Artificial Intelligence Policy. The proposal also includes civil penalties and employee whistle-blower protections tied to reporting safety concerns.

AI amendments (HB 438)

House Bill 438 would enact an AI Companion Chatbot Safety Act to regulate AI companion chatbots and protect consumers. The bill’s highlighted provisions include requiring suppliers to implement safety protocols (and assess their efficacy), facilitate independent evaluation, and publicly report on safety protocols and related metrics. It would also give the Office of Artificial Intelligence Policy authority to establish disclosure standards and monitor compliance, and it proposes restrictions that are directly privacy-adjacent, including limits on selling or sharing highly sensitive information and additional protections involving minors. As drafted, HB 438 reflects Utah’s continued pattern of regulating AI at specific consumer-risk touchpoints rather than attempting to impose a single, omnibus AI framework.

Government cybersecurity amendments (SB 123)

Senate Bill 123 would affect government cybersecurity by modifying provisions related to the Utah Cyber Center. The highlighted provisions include expanding the Cyber Center’s duties to include local education agencies, adjusting deadlines for statewide strategic cybersecurity planning, making changes to the composition of the Cybersecurity Commission, and creating a restricted account for the Cyber Center.

For organisations that interact with public-sector systems, the practical takeaway is that Utah continues to formalise the state’s cybersecurity co-ordination model – potentially affecting expectations around collaboration, reporting and incident-response support structures when an event touches government networks or partners.

Public sector privacy amendments (HB 450)

House Bill 450 focuses on Utah’s public-sector privacy framework. The bill would amend the Government Data Privacy Act and also makes related changes to the statute on public access to records. HB 450 would restructure elements of Utah’s privacy governance infrastructure, including changes involving the Utah Privacy Commission and the Office of Data Privacy (such as transferring support functions). It further proposes to establish the data privacy ombudsman as a component of the Office of Data Privacy, and it would expand amendment and correction procedures to cover information beyond “personal data” in the public-sector framework. A central feature is stronger process and oversight around certain “high-risk” governmental technologies (including provisions addressing authorisation before implementing specified surveillance-related activities, and reporting/oversight mechanisms tied to those activities).

Conclusion

Utah privacy legislation reflects incremental development of privacy law at the state level in the USA. The Utah Consumer Privacy Act establishes core consumer rights and enforcement mechanisms. Subsequent legislation addressing cybersecurity, electronic data access, AI and social media governance has expanded the state’s regulatory ecosystem. With the 2026 legislative session ongoing, further refinements are possible. Organisations that maintain disciplined, well-documented and adaptable compliance programmes will be best positioned to respond to any changes effectively while preserving consumer trust and operational resilience.

Kirton McConkie

36 S. State St., Ste. 1900
Salt Lake City
UT 84111
USA

+1 801 328 3600

cblair@kmclaw.com www.kirtonmcconkie.com