Main Navigation

What Utah’s new data privacy protection laws mean for you

True to its pioneer roots, Utah is at the frontier of consumer privacy, becoming the first U.S. state to pass a law focused on social media privacy rights for children and the fourth state to enact comprehensive consumer data protection legislation. Although there’s some controversy about the laws, they provide numerous data privacy protections, so it’s good to know your rights.

In 2021, the Utah Legislature created a 12-member Personal Privacy Oversight Commission and government operations privacy officer (now chief privacy officer) and state privacy offer positions to develop guidelines and best practices on data privacy and security and records management for state entities, including the University of Utah in certain instances. Earlier this year, Utah passed House Bill 343, which amends previous privacy legislation and delegates certain duties to the Department of Government Operations and Division of Archives and Records Services. The bill grants authority to the state archivist, anticipating further rulemaking to create the framework and expectations for state records custodians of executive branch agencies. Future rules will outline standards like data collection, identification and inventory, data retention, storage, and deletion timelines for certain state agencies that handle the personally identifiable information (PII) of Utah residents.

In 2022, Utah passed the Utah Consumer Privacy Act (UCPA), which goes into effect on Dec. 31, 2023. The UCPA protects Utahns’ right to privacy, prevents residents from taking private legal action against businesses that violate the law, and authorizes the Office of the Attorney General to investigate consumer complaints, enforce the law, and request that a court impose penalties.

The UCPA requires data controllers—companies that conduct business in Utah, produce goods or services targeted at Utah residents, have an annual revenue of $25 million or more, and control or process the personal data for a certain threshold of consumers—to provide notice to consumers that identify categories of and purposes for data collection, as well as their data privacy rights.

It also requires that businesses provide the opportunity for consumers to opt out of data processing for certain purposes, such as targeted advertising and profiling in decision-making regarding the consumer’s education, employment, health, or criminal histories, or access to basic necessities. The bill requires that businesses receive consumer consent, also known as “opting in” by reviewing privacy notices and providing affirmative consent, before they process specific categories of sensitive data for a specific purpose (e.g., racial or ethnic origin, religious or philosophical beliefs, genetic or biometric data, mental or physical health information, sexual orientation, citizenship or immigration status, and precise geolocation). Among other rights, the UCPA gives consumers the right to access and obtain copies of their personal data in a portable format and request its deletion.

The UCPA does not apply to data processed by higher education institutions and certain health-related information, meaning the University of Utah is exempt.

Senate Bill 152, which also goes into effect this December, aims to protect children’s privacy online, making Utah the first state to require social media companies to verify the ages of their users and obtain consent from a parent or guardian for social media accounts of children younger than 18. Among other protections, the bill prohibits ads that target minors, direct messages to youth accounts from non-affiliated accounts, and prohibits minor accounts from appearing in search results. It also imposes a curfew on youth accounts and limits data collection from minors.

Now that you know some of the basics about data privacy in Utah, you can create your own personal data protection plan, which starts with knowing your rights. Take simple steps, such as understanding your data footprint: the data you share by moving about the internet and how public and private entities plan to use that data. Thoroughly read privacy notices online and exercise opt-out mechanisms when you don’t want data processors holding, selling, or sharing your information. Under the UCPA, these notices must be clearly written and provide an opportunity to opt in or out of sharing your data, to access your data, and to request its deletion. But, just in case, the Utah Division of Consumer Protection accepts and investigates reports of suspected violations.

The U and your data

The University of Utah takes the protection of employee, student, alumnus and patient data seriously. All personal data—such as student records, financial records, PII and protected health information (PHI)—is collected, stored, and protected in accordance with international, federal, state, industry and university regulations. U employees with access to confidential information also must follow the guidelines for sensitive or restricted data as determined by the U’s data stewards and the data protection, retention and deletion policies outlined by their departments and the university.

If the university experiences certain IT security incidents or data breaches, the U will follow protocols and procedures for cybersecurity incidents, including recommended steps to protect and notify affected individuals or the organization.

Need help?

Concerned about a University of Utah or University of Utah Health data security incident? Contact the campus IT Help Desk at 801-581-4000, the University of Utah Health ITS Service Desk at 801-587-6000 or the Information Security Office's Security Operations Center at for immediate assistance.

Did you receive a malicious or suspicious email? Use the Phish Alert button in UMail or forward the email as an attachment to

Want to learn more? Reach out to the offices below.

  • Office of General Counsel: Contact if you are evaluating a service for your organization and are provided with a contract for goods or services.
  • Privacy Office: Contact if a third-party vendor will be accessing, viewing, storing, or using university-protected health information (PHI). If the terms of service or contract suggest data collection, a business associate agreement (BAA) or other data use agreement (DUA) may be legally necessary. Contact with general inquiries about information privacy and your rights and responsibilities.