
Utah (UCPA) Privacy Law Compliance

The Utah Consumer Privacy Act (effective December 31, 2023) is the most business-friendly comprehensive state privacy law — narrow thresholds, fewer rights (no correction, no profiling opt-out), opt-OUT (not opt-in) for sensitive data, and a mandatory 30-day cure period that has not sunset. Many SMBs fall below the dual revenue + volume threshold.

Statute: Utah Consumer Privacy Act, Utah Code §13-61-101 et seq.
Effective: Dec 31, 2023
Enforcer: Utah Attorney General (Department of Commerce investigates)
Consumer rights: 5
Business obligations: 7

Who must comply

Exemptions

Consumer rights (5)

Right to access / know
Confirm whether personal data is processed and obtain a copy in a portable format
Right to delete
Request deletion of personal data the controller has collected
Right to data portability
Receive data in a portable, machine-readable format
Right to opt out of sale
Opt out of the sale of personal data to third parties
Right to opt out of targeted advertising
Opt out of cross-context behavioural advertising

Business obligations (7)

Public privacy notice
Clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel
Rights response within 45 days
Respond to consumer rights requests within 45 days (extendable by 45 more with notice)
Data processing agreements
Written contracts with processors restricting their processing to the controller's documented instructions
Reasonable security practices
Administrative, technical, physical safeguards appropriate to the data's sensitivity
Data minimisation + purpose limitation
Collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes
Opt-out for sensitive data
Provide clear notice + opt-out (NOT opt-in) for sensitive data processing
Children opt-in
Opt-in for processing data of children under 13 (COPPA-aligned)

Required privacy notice elements

  1. Categories of personal data processed
  2. Purpose of processing
  3. How consumers exercise rights
  4. Categories of personal data shared with third parties
  5. Categories of third parties
  6. Active method to submit rights requests
  7. Clear + conspicuous notice of sale / targeted advertising with opt-out
  8. Clear + conspicuous notice of sensitive data processing with opt-out

Penalties

Civil penalty per violation: Up to $7,500 (Utah Code §13-61-402)
Actual damages: Recoverable (AG enforcement)
30-day cure period: Mandatory (not sunset) (§13-61-402(2)(c))

Common compliance pitfalls

Assuming you're exempt without revenue check
Utah requires BOTH $25M revenue AND volume threshold — both must be met. Many SMBs over the 100K threshold are still exempt because they're under $25M revenue. Document the analysis.
No data protection assessments required
Unlike Virginia/Colorado/Connecticut, UCPA does NOT require data protection assessments (DPAs), but DPAs you already do for other states still serve as evidence of reasonable security.
Sensitive data opt-out missing
Even though UCPA is opt-out (not opt-in) for sensitive data, you still must provide CLEAR + CONSPICUOUS notice + a mechanism. 'Buried in the privacy policy' fails.

FAQ

Why is Utah considered the lightest state law?
Higher entry threshold ($25M revenue), fewer rights (no right to correct, no profiling opt-out), opt-out instead of opt-in for sensitive data, mandatory non-sunsetting 30-day cure period, no universal opt-out mechanism (UOOM) mandate, no private right of action, fewer enforcement actions.
Do I need a separate Utah privacy notice?
No — most controllers handle Utah within a unified privacy notice that addresses each state's requirements. Ensure the sale/targeted ads notice + opt-out are clear + conspicuous.
How does UCPA differ from CCPA?
UCPA is much narrower: no correction right, no profiling opt-out, no Universal Opt-Out Mechanism, no data protection assessment (DPA) requirement, no GPC mandate, sensitive data is opt-OUT (CCPA is right-to-limit), higher entry threshold.
