June 27, 2022

Volume XII, Number 178


June 24, 2022

Subscribe to Latest Legal News and Analysis

Utah's Consumer Privacy Act

Utah has just become the fourth state to pass an omnibus consumer privacy law. The Utah Consumer Privacy Act (“UCPA”) was signed into law on March 24, 2022. 

UCPA is modeled after Virginia’s Consumer Data Protection Act (“VCDPA”), but has key differences. The effective date is December 31, 2023. We will follow up with more information as the effective date draws closer, but here are a few key points: 

Who Is Protected? 

UCPA protects the data of Utah residents in their individual or household capacity. It specifically exempts individuals acting in a commercial or employment context (i.e., B2B or employee data). 

Who Is Regulated? 

UCPA regulates “controllers” or “processors” that conduct business in Utah or produce a product or service that is targeted to Utah residents, have an annual revenue of $25 million or more, and either (i) control or process personal data of 100,000 or more Utah residents in a calendar year; or (ii) derive over 50% of their gross revenue from the sale of personal data and control or process personal data of 25,000 or more Utah residents. 

How Will UCPA Be Enforced? 

Similar to the new Colorado Privacy Act (“CPA”) and VCDPA, UCPA does not include a private right of action. The Attorney General has the exclusive authority to enforce the UCPA. UCPA creates the Division of Consumer Protection that will establish and administer a system to receive complaints regarding violations of the UCPA. The Division will consult and assist the Attorney General in enforcement. The cure period is 30 days and does not sunset, unlike the cure period in the California Consumer Privacy Act (“CCPA”) and the CPA. 

What is a “Sale?” 

Like the VCDPA, UCPA narrows the definition of “sale” and does not include “other monetary consideration.” Additionally, the UCPA exempts a controller’s disclosure of personal data to a third party if the purpose of the disclosure is consistent with a consumer’s reasonable expectations. This exemption is not found in the other state privacy laws. 

What are the Penalties? 

If a controller or processor does not cure within the cure period or continues to violate the UCPA after curing and sending the required written statement that the violation has been cured, the Attorney General may recover actual damages to the consumer and up to $7,500 for each violation. 

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume XII, Number 83

About this Author

Tara Cho CIPP/US CIPP/E Data Security Attorney Womble Bond

Tara focuses her practice on privacy and data security issues across multiple industries such as technology, retail, e-commerce, and life sciences, with an emphasis on compliance risks and regulatory requirements affecting the healthcare sector. Tara became certified as a legal specialist in Privacy and Information Security Law by the North Carolina State Bar Board of Legal Specialization in 2018 as part of the inaugural class of specialists in this field – one of just 10 attorneys in the state to hold this certification.

She helps clients with all aspects of privacy and data...

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law
Of Counsel

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...

Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude

Christine Xiao Attorney Intellectual Property Womble Bond Dickinson Raleigh

Christine Xiao focuses her practice on intellectual property transactions, privacy and cybersecurity, and technology commercialization. She has experience performing claims analysis for pending patents on new technologies, reviewing foreign third-party vendors to ensure compliance with anti-corruption statutes, and collaborating to assess risks related to customer and employee data use.

Prior to join the firm, Christine worked as a research technician for Duke University Medical Center in the Department of Pharmacology and Cancer Biology.