WHY WALLA

Understanding Utah’s UCPA: A Practical Guide for SaaS Platforms Like Walla

Yuvin Kim

July 16, 2025

WHY WALLA

Understanding Utah’s UCPA: A Practical Guide for SaaS Platforms Like Walla

Yuvin Kim

July 16, 2025

While many U.S. states are enacting GDPR-inspired privacy laws, Utah has taken a more business-friendly approach with the Utah Consumer Privacy Act (UCPA). Signed into law in March 2022 and effective as of December 31, 2023, UCPA introduces basic privacy rights for Utah residents—but with narrower scope and fewer obligations compared to laws in California, Colorado, or Connecticut.

For SaaS companies like Walla, UCPA may appear more lenient, but it's still a critical compliance checkpoint if you process data from Utah users. Especially if you're scaling your services across the U.S., understanding UCPA helps align your infrastructure and legal posture early on.

1. Overview of the UCPA

Category

Detail

Law

Utah Consumer Privacy Act (UCPA)

Effective Date

December 31, 2023

Enforcement

Utah Attorney General

Applicability

For-profit entities that:

① Have annual revenue of $25 million or more,


AND


② Process data of 100,000+ Utah residents per year,


OR


Derive 50%+ of revenue from selling data of 25,000+ consumers


Exemptions

Nonprofits, government agencies, HIPAA-covered entities, GLBA-covered financial institutions

UCPA is the only U.S. state privacy law (as of now) that includes a minimum revenue threshold—$25 million.

2. Consumer Rights Under UCPA

Compared to other state laws, UCPA provides fewer rights to consumers. Here's what users in Utah can request:

  • Right to Access: View what personal data is collected and how it's used.

  • Right to Delete: Request deletion of data provided directly by the consumer.

  • Right to Data Portability: Receive a copy of their personal data in a portable format.

  • Right to Opt Out of: Sale of personal data, Targeted advertising

🧠 Note: UCPA does not include the right to correct personal data or opt out of profiling.

3. Key Business Obligations

While the consumer rights are limited, businesses still have responsibilities when processing Utah residents' data:

3-1. Data Security

You must implement “reasonable administrative, technical, and physical data security practices” to protect personal data.

3-2. Data Processing Contracts

If you share data with third parties (processors), you must have binding contracts that outline processing instructions, data confidentiality, and deletion policies.

3-3. Privacy Notice

Publicly disclose:

  • Categories of data collected

  • Purposes of processing

  • How users can exercise their rights

  • Whether data is sold or shared for targeted advertising

3-4. Opt-Out Mechanism

Provide clear and accessible options for users to opt out of data sales or targeted ads.

4. UCPA vs. Other U.S. Privacy Laws

Feature

Utah (UCPA)

California (CPRA)

Colorado (CPA)

Virginia (VCDPA)

Right to Access

O

O

O

O

Right to Delete

O (data provided by user)

O (all data)

O

O

Right to Correct

X

O

O

O

Right to Opt Out of Profiling

X

Partial

O

Partial

DPIA Required

X

X

O

O

Minimum Revenue Threshold

O ($25M)

X

X

X

Sensitive Data Consent

O (opt-in)

O

O

O

Enforcement

Attorney General only

CPPA + AG

AG

AG

📌 UCPA is considered the least burdensome among the five major U.S. privacy laws—making it easier to comply but still important to observe.

5. How Walla Complies with UCPA

Although UCPA is less strict, Walla’s privacy architecture is designed to handle more demanding regimes like GDPR or CPRA—so UCPA compliance is effectively built in.

Requirement

Walla’s Approach

Privacy Notice

Full disclosure on data types, purposes, and retention policies

Opt-Out Support

Built-in consent toggles and cookie banners for ad tracking

Data Portability

Downloadable user data via dashboard or API

Processor Contracts

Predefined DPA templates for vendors and cloud providers

Data Security

Encryption, access control, and audit logging across regions

Walla treats privacy compliance not as a checkbox—but as a core product feature.

6. Final Thoughts

The Utah Consumer Privacy Act (UCPA) represents a lighter-touch approach to data privacy in the U.S. It offers fewer user rights and obligations than other states—but also signals that even conservative jurisdictions are embracing modern privacy standards.

For SaaS builders like Walla, the takeaway is clear:

  • Don’t wait for stricter laws—design your product to meet the highest privacy standards today

  • Use lighter regulations like UCPA to validate and fine-tune your compliance playbook

  • View privacy not as a barrier, but as a differentiator in trust-based markets

+ TL;DR: Walla’s UCPA-Ready Framework
  • Region-aware hosting, including U.S. support

  • Industry-grade encryption & access controls

  • User control over ad tracking and data sharing

  • Transparent privacy notices and opt-out tools

  • Data sharing contracts with subprocessors

By building for privacy from the ground up, Walla is ready for Utah—and for the evolving privacy landscape across the United States.

https://home.walla.my

While many U.S. states are enacting GDPR-inspired privacy laws, Utah has taken a more business-friendly approach with the Utah Consumer Privacy Act (UCPA). Signed into law in March 2022 and effective as of December 31, 2023, UCPA introduces basic privacy rights for Utah residents—but with narrower scope and fewer obligations compared to laws in California, Colorado, or Connecticut.

For SaaS companies like Walla, UCPA may appear more lenient, but it's still a critical compliance checkpoint if you process data from Utah users. Especially if you're scaling your services across the U.S., understanding UCPA helps align your infrastructure and legal posture early on.

1. Overview of the UCPA

Category

Detail

Law

Utah Consumer Privacy Act (UCPA)

Effective Date

December 31, 2023

Enforcement

Utah Attorney General

Applicability

For-profit entities that:

① Have annual revenue of $25 million or more,


AND


② Process data of 100,000+ Utah residents per year,


OR


Derive 50%+ of revenue from selling data of 25,000+ consumers


Exemptions

Nonprofits, government agencies, HIPAA-covered entities, GLBA-covered financial institutions

UCPA is the only U.S. state privacy law (as of now) that includes a minimum revenue threshold—$25 million.

2. Consumer Rights Under UCPA

Compared to other state laws, UCPA provides fewer rights to consumers. Here's what users in Utah can request:

  • Right to Access: View what personal data is collected and how it's used.

  • Right to Delete: Request deletion of data provided directly by the consumer.

  • Right to Data Portability: Receive a copy of their personal data in a portable format.

  • Right to Opt Out of: Sale of personal data, Targeted advertising

🧠 Note: UCPA does not include the right to correct personal data or opt out of profiling.

3. Key Business Obligations

While the consumer rights are limited, businesses still have responsibilities when processing Utah residents' data:

3-1. Data Security

You must implement “reasonable administrative, technical, and physical data security practices” to protect personal data.

3-2. Data Processing Contracts

If you share data with third parties (processors), you must have binding contracts that outline processing instructions, data confidentiality, and deletion policies.

3-3. Privacy Notice

Publicly disclose:

  • Categories of data collected

  • Purposes of processing

  • How users can exercise their rights

  • Whether data is sold or shared for targeted advertising

3-4. Opt-Out Mechanism

Provide clear and accessible options for users to opt out of data sales or targeted ads.

4. UCPA vs. Other U.S. Privacy Laws

Feature

Utah (UCPA)

California (CPRA)

Colorado (CPA)

Virginia (VCDPA)

Right to Access

O

O

O

O

Right to Delete

O (data provided by user)

O (all data)

O

O

Right to Correct

X

O

O

O

Right to Opt Out of Profiling

X

Partial

O

Partial

DPIA Required

X

X

O

O

Minimum Revenue Threshold

O ($25M)

X

X

X

Sensitive Data Consent

O (opt-in)

O

O

O

Enforcement

Attorney General only

CPPA + AG

AG

AG

📌 UCPA is considered the least burdensome among the five major U.S. privacy laws—making it easier to comply but still important to observe.

5. How Walla Complies with UCPA

Although UCPA is less strict, Walla’s privacy architecture is designed to handle more demanding regimes like GDPR or CPRA—so UCPA compliance is effectively built in.

Requirement

Walla’s Approach

Privacy Notice

Full disclosure on data types, purposes, and retention policies

Opt-Out Support

Built-in consent toggles and cookie banners for ad tracking

Data Portability

Downloadable user data via dashboard or API

Processor Contracts

Predefined DPA templates for vendors and cloud providers

Data Security

Encryption, access control, and audit logging across regions

Walla treats privacy compliance not as a checkbox—but as a core product feature.

6. Final Thoughts

The Utah Consumer Privacy Act (UCPA) represents a lighter-touch approach to data privacy in the U.S. It offers fewer user rights and obligations than other states—but also signals that even conservative jurisdictions are embracing modern privacy standards.

For SaaS builders like Walla, the takeaway is clear:

  • Don’t wait for stricter laws—design your product to meet the highest privacy standards today

  • Use lighter regulations like UCPA to validate and fine-tune your compliance playbook

  • View privacy not as a barrier, but as a differentiator in trust-based markets

+ TL;DR: Walla’s UCPA-Ready Framework
  • Region-aware hosting, including U.S. support

  • Industry-grade encryption & access controls

  • User control over ad tracking and data sharing

  • Transparent privacy notices and opt-out tools

  • Data sharing contracts with subprocessors

By building for privacy from the ground up, Walla is ready for Utah—and for the evolving privacy landscape across the United States.

https://home.walla.my

While many U.S. states are enacting GDPR-inspired privacy laws, Utah has taken a more business-friendly approach with the Utah Consumer Privacy Act (UCPA). Signed into law in March 2022 and effective as of December 31, 2023, UCPA introduces basic privacy rights for Utah residents—but with narrower scope and fewer obligations compared to laws in California, Colorado, or Connecticut.

For SaaS companies like Walla, UCPA may appear more lenient, but it's still a critical compliance checkpoint if you process data from Utah users. Especially if you're scaling your services across the U.S., understanding UCPA helps align your infrastructure and legal posture early on.

1. Overview of the UCPA

Category

Detail

Law

Utah Consumer Privacy Act (UCPA)

Effective Date

December 31, 2023

Enforcement

Utah Attorney General

Applicability

For-profit entities that:

① Have annual revenue of $25 million or more,


AND


② Process data of 100,000+ Utah residents per year,


OR


Derive 50%+ of revenue from selling data of 25,000+ consumers


Exemptions

Nonprofits, government agencies, HIPAA-covered entities, GLBA-covered financial institutions

UCPA is the only U.S. state privacy law (as of now) that includes a minimum revenue threshold—$25 million.

2. Consumer Rights Under UCPA

Compared to other state laws, UCPA provides fewer rights to consumers. Here's what users in Utah can request:

  • Right to Access: View what personal data is collected and how it's used.

  • Right to Delete: Request deletion of data provided directly by the consumer.

  • Right to Data Portability: Receive a copy of their personal data in a portable format.

  • Right to Opt Out of: Sale of personal data, Targeted advertising

🧠 Note: UCPA does not include the right to correct personal data or opt out of profiling.

3. Key Business Obligations

While the consumer rights are limited, businesses still have responsibilities when processing Utah residents' data:

3-1. Data Security

You must implement “reasonable administrative, technical, and physical data security practices” to protect personal data.

3-2. Data Processing Contracts

If you share data with third parties (processors), you must have binding contracts that outline processing instructions, data confidentiality, and deletion policies.

3-3. Privacy Notice

Publicly disclose:

  • Categories of data collected

  • Purposes of processing

  • How users can exercise their rights

  • Whether data is sold or shared for targeted advertising

3-4. Opt-Out Mechanism

Provide clear and accessible options for users to opt out of data sales or targeted ads.

4. UCPA vs. Other U.S. Privacy Laws

Feature

Utah (UCPA)

California (CPRA)

Colorado (CPA)

Virginia (VCDPA)

Right to Access

O

O

O

O

Right to Delete

O (data provided by user)

O (all data)

O

O

Right to Correct

X

O

O

O

Right to Opt Out of Profiling

X

Partial

O

Partial

DPIA Required

X

X

O

O

Minimum Revenue Threshold

O ($25M)

X

X

X

Sensitive Data Consent

O (opt-in)

O

O

O

Enforcement

Attorney General only

CPPA + AG

AG

AG

📌 UCPA is considered the least burdensome among the five major U.S. privacy laws—making it easier to comply but still important to observe.

5. How Walla Complies with UCPA

Although UCPA is less strict, Walla’s privacy architecture is designed to handle more demanding regimes like GDPR or CPRA—so UCPA compliance is effectively built in.

Requirement

Walla’s Approach

Privacy Notice

Full disclosure on data types, purposes, and retention policies

Opt-Out Support

Built-in consent toggles and cookie banners for ad tracking

Data Portability

Downloadable user data via dashboard or API

Processor Contracts

Predefined DPA templates for vendors and cloud providers

Data Security

Encryption, access control, and audit logging across regions

Walla treats privacy compliance not as a checkbox—but as a core product feature.

6. Final Thoughts

The Utah Consumer Privacy Act (UCPA) represents a lighter-touch approach to data privacy in the U.S. It offers fewer user rights and obligations than other states—but also signals that even conservative jurisdictions are embracing modern privacy standards.

For SaaS builders like Walla, the takeaway is clear:

  • Don’t wait for stricter laws—design your product to meet the highest privacy standards today

  • Use lighter regulations like UCPA to validate and fine-tune your compliance playbook

  • View privacy not as a barrier, but as a differentiator in trust-based markets

+ TL;DR: Walla’s UCPA-Ready Framework
  • Region-aware hosting, including U.S. support

  • Industry-grade encryption & access controls

  • User control over ad tracking and data sharing

  • Transparent privacy notices and opt-out tools

  • Data sharing contracts with subprocessors

By building for privacy from the ground up, Walla is ready for Utah—and for the evolving privacy landscape across the United States.

https://home.walla.my

Continue Reading

The form you've been searching for?

Walla, Obviously.

Paprika Data Lab Inc.

557, Yeoksam-ro, Gangnam-gu, Seoul

The form you've been searching for?

Walla, Obviously.

Paprika Data Lab Inc.

557, Yeoksam-ro, Gangnam-gu, Seoul

The form you've been searching for?

Walla, Obviously.

Paprika Data Lab Inc.

557, Yeoksam-ro, Gangnam-gu, Seoul