As of July 1, 2026, Utah residents have a new privacy right — and if your business collects customer information, it's worth understanding what changed. An amendment to the Utah Consumer Privacy Act (UCPA), passed as HB 418, gives consumers the right to ask you to correct inaccurate personal data you hold about them. Here's a plain-English look at what that means and how to be ready.
The UCPA has been in force since the end of 2023, giving Utah consumers rights to access their data, delete it, opt out of targeted advertising and data sales, and receive a copy of it. The new amendment adds one more: the right to correct inaccurate personal information. When a consumer submits a valid correction request, a covered business generally has 45 days to respond — a window that can be extended once when reasonably necessary, as long as you notify the consumer.
The UCPA's headline thresholds are high: it applies to businesses operating in Utah (or targeting Utah residents) with annual revenue of $25 million or more that also process the data of at least 100,000 consumers a year — or that make more than half their revenue selling personal data. Many small and mid-size Utah businesses fall below that line and aren't strictly "covered."
Whether or not the correction right technically applies to you, the UCPA expects covered businesses to maintain "reasonable administrative, technical, and physical data security practices" to protect the personal data they hold. That's not a box to check once — it's ongoing: knowing what data you have and where it lives, controlling who can access it, encrypting sensitive information, and being able to respond to a consumer request without a fire drill. Weak security is where privacy compliance most often falls apart.
2026 brought a second change worth flagging. House Bill 357 requires motor vehicle manufacturers to honor UCPA-style consumer data rights regardless of whether they meet the usual revenue and data-volume thresholds. If you operate in the automotive space, the assumption that "we're too small to be covered" no longer holds the way it once did — and dealership systems tend to hold a lot of sensitive customer and financing data.
Preparing for the right to correct isn't complicated, but it does require a plan. You need a clear intake path for consumer requests, a way to verify who's asking, an accurate picture of where personal data is stored across your systems, and the security controls to keep all of it protected. That last piece — the underlying data security — is where most businesses need help, and it's exactly what we do. If you'd like a straightforward assessment of where your customer data lives and whether it's properly protected, our team can walk you through it.
This article is general information, not legal advice. For how the UCPA applies to your specific situation, consult an attorney — and we're happy to handle the technical and security side.
Get a free, no-pressure assessment and we'll show you where your data lives, who can reach it, and how to lock it down.
Get a Free IT Assessment