Shifting Gears on Data Privacy: Utah Amends Consumer Privacy Act to Cover Motor Vehicle Data

Firm Publication

Utah amended the Utah Consumer Privacy Act (UCPA) to address the collection and storage of personal data by motor vehicle manufacturers (OEMs) through in-vehicle technology systems (e.g., connected vehicles). The amendment adds OEMs to those covered by the UCPA, requires in-vehicle privacy controls for certain motor vehicles, exempts certain safety and operational data from consent requirements, and requires the Motor Vehicle Division to provide information to consumers regarding their motor vehicle data privacy rights. The amendment takes effect on January 1, 2027.

Below is an overview of the amendment’s key provisions and their implications for OEMs. For an overview of the requirements of the UCPA itself, please refer to our previous analysis here.

Expanded Applicability

As originally enacted, the UCPA applied only to controllers and processors meeting certain geographical, financial, and data volume thresholds, such as having annual revenue of at least $25 million and either controlling or processing the personal data of a minimum number of individuals.

As amended, the UCPA now also applies to any “motor vehicle manufacturer” (an entity that manufactures or assembles motor vehicles for sale or lease) that does both of the following:

  • Manufactures motor vehicles that are sold or leased in the state.
  • Collects, transmits, or stores personal data through a vehicle data collection system.

OEMs may fall within the UCPA even if they do not meet the traditional financial and data volume thresholds.

The amendment introduces the following new defined terms to support the motor vehicle data privacy framework.

  • Connected device: a consumer’s mobile phone, tablet, or similar personal electronic device that connects to a motor vehicle through the in-vehicle interface and accesses the device’s data through the vehicle’s display.
  • In-vehicle interface: the vehicle’s display screen, control panel, or other interactive system through which an individual may access or control motor vehicle functions or settings.
  • Readily accessible data: personal data that: (1) a consumer directly inputs into or provides to the motor vehicle from a connected device through a motor vehicle’s in-vehicle interface; and (2) is stored locally on the motor vehicle and accessible through the in-vehicle interface.
  • Vehicle data collection system: a technology system or device installed in or on a motor vehicle that collects, transmits, or stores a consumer or occupant’s personal data. This could include, for example, GPS tracking or information collected regarding driving behavior.

In-Vehicle Privacy Controls

For model years beginning in 2030, the amendment obligates OEMs to provide in-vehicle privacy controls that allow consumers to:

  • View the categories of personal data collected by the vehicle data collection system.
  • View the categories of third parties with whom the OEM shares personal data.
  • Opt out of the sale of personal data or targeted advertising relating to data collected through the vehicle itself.
  • Delete readily accessible data.

The in-vehicle privacy controls must be accessible through the motor vehicle’s in-vehicle interface, accessible to any individual operating the vehicle, and clearly labeled and easy to locate within the interface. The settings selected by a consumer must remain in effect until the consumer changes them.

While an OEM may additionally offer privacy controls through a website or mobile application, they may not require the consumer to use a website or mobile application to exercise the rights described in the statute. Notably, an OEM is not required to comply with these in-vehicle privacy control requirements for a specific motor vehicle model if it demonstrates that the model is not technologically capable of providing the required controls (for example, if an OEM offers a “dumb” version of a model that is not capable of connecting to the OEM or if the vehicle has no in-vehicle interface). If an OEM receives a court order requiring the deletion of personal data or a request that includes a copy of a legally issued protective order, the OEM must delete all personal data within five business days after receiving the court order or request.

Exemptions

The amendment exempts certain categories of data from the UCPA’s consent requirements. Specifically, the consent requirements do not apply to personal data collected for the purpose of:

  • Improving the OEM’s product if the OEM (1) collects only the minimum personal data necessary to accomplish the purpose; and (2) uses the personal data only for internal product improvement purposes.
  • Vehicle safety, including airbag deployment, operational safety, passenger safety, collision avoidance, or other safety features required by federal law.
  • Vehicle operation, including engine control, battery level, transmission operation, or other mechanical functions necessary to operate the motor vehicle.
  • Complying with a federal or state law, rule, or regulation.

Additionally, the consent requirements do not apply to personal data that a vehicle data collection system processes temporarily and does not transmit outside the motor vehicle or store for longer than necessary.

While not explicitly stated, any collection or use of personal data for these purposes will likely need to be described in the OEM’s privacy notice.

Notification Requirements

The amendment also directs the Motor Vehicle Division to provide information on its website regarding the data privacy rights of motor vehicle owners. This public-facing requirement is likely intended to increase consumer awareness of the rights available to them under the statute.

Important Dates

January 1, 2027: The amendment takes effect.

Model Year 2030: OEMs must begin providing in-vehicle privacy controls for vehicles with a model year of 2030 or later.

The above is only a high-level overview of the Amendments to Motor Vehicle Data Privacy, and OEMs subject to the law will need to review the law more closely and revise their compliance programs. If you are concerned that the UCPA may apply to your business and are interested in learning more about how to ensure your business complies with the UCPA, please reach out to the authors.

Resource: Data Privacy Regulations by State

Data Privacy Regulations by State

The data privacy regulatory landscape continues to evolve rapidly across jurisdictions. Our privacy & data security attorneys are actively tracking new legislation and regulatory developments nationwide. We will continue to provide ongoing analysis as new regulations emerge. Access our interactive map to learn more about comprehensive state laws and consumer health data privacy requirements.

 

Related Professionals
Related Services
Firm Publication

Utah amended the Utah Consumer Privacy Act (UCPA) to address the collection and storage of personal data by motor vehicle manufacturers (OEMs) through in-vehicle technology systems (e.g., connected vehicles). The amendment adds OEMs to those covered by the UCPA, requires in-vehicle privacy controls for certain motor vehicles, exempts certain safety and operational data from consent requirements, and requires the Motor Vehicle Division to provide information to consumers regarding their motor vehicle data privacy rights. The amendment takes effect on January 1, 2027.

Below is an overview of the amendment’s key provisions and their implications for OEMs. For an overview of the requirements of the UCPA itself, please refer to our previous analysis here.

Expanded Applicability

As originally enacted, the UCPA applied only to controllers and processors meeting certain geographical, financial, and data volume thresholds, such as having annual revenue of at least $25 million and either controlling or processing the personal data of a minimum number of individuals.

As amended, the UCPA now also applies to any “motor vehicle manufacturer” (an entity that manufactures or assembles motor vehicles for sale or lease) that does both of the following:

  • Manufactures motor vehicles that are sold or leased in the state.
  • Collects, transmits, or stores personal data through a vehicle data collection system.

OEMs may fall within the UCPA even if they do not meet the traditional financial and data volume thresholds.

The amendment introduces the following new defined terms to support the motor vehicle data privacy framework.

  • Connected device: a consumer’s mobile phone, tablet, or similar personal electronic device that connects to a motor vehicle through the in-vehicle interface and accesses the device’s data through the vehicle’s display.
  • In-vehicle interface: the vehicle’s display screen, control panel, or other interactive system through which an individual may access or control motor vehicle functions or settings.
  • Readily accessible data: personal data that: (1) a consumer directly inputs into or provides to the motor vehicle from a connected device through a motor vehicle’s in-vehicle interface; and (2) is stored locally on the motor vehicle and accessible through the in-vehicle interface.
  • Vehicle data collection system: a technology system or device installed in or on a motor vehicle that collects, transmits, or stores a consumer or occupant’s personal data. This could include, for example, GPS tracking or information collected regarding driving behavior.

In-Vehicle Privacy Controls

For model years beginning in 2030, the amendment obligates OEMs to provide in-vehicle privacy controls that allow consumers to:

  • View the categories of personal data collected by the vehicle data collection system.
  • View the categories of third parties with whom the OEM shares personal data.
  • Opt out of the sale of personal data or targeted advertising relating to data collected through the vehicle itself.
  • Delete readily accessible data.

The in-vehicle privacy controls must be accessible through the motor vehicle’s in-vehicle interface, accessible to any individual operating the vehicle, and clearly labeled and easy to locate within the interface. The settings selected by a consumer must remain in effect until the consumer changes them.

While an OEM may additionally offer privacy controls through a website or mobile application, they may not require the consumer to use a website or mobile application to exercise the rights described in the statute. Notably, an OEM is not required to comply with these in-vehicle privacy control requirements for a specific motor vehicle model if it demonstrates that the model is not technologically capable of providing the required controls (for example, if an OEM offers a “dumb” version of a model that is not capable of connecting to the OEM or if the vehicle has no in-vehicle interface). If an OEM receives a court order requiring the deletion of personal data or a request that includes a copy of a legally issued protective order, the OEM must delete all personal data within five business days after receiving the court order or request.

Exemptions

The amendment exempts certain categories of data from the UCPA’s consent requirements. Specifically, the consent requirements do not apply to personal data collected for the purpose of:

  • Improving the OEM’s product if the OEM (1) collects only the minimum personal data necessary to accomplish the purpose; and (2) uses the personal data only for internal product improvement purposes.
  • Vehicle safety, including airbag deployment, operational safety, passenger safety, collision avoidance, or other safety features required by federal law.
  • Vehicle operation, including engine control, battery level, transmission operation, or other mechanical functions necessary to operate the motor vehicle.
  • Complying with a federal or state law, rule, or regulation.

Additionally, the consent requirements do not apply to personal data that a vehicle data collection system processes temporarily and does not transmit outside the motor vehicle or store for longer than necessary.

While not explicitly stated, any collection or use of personal data for these purposes will likely need to be described in the OEM’s privacy notice.

Notification Requirements

The amendment also directs the Motor Vehicle Division to provide information on its website regarding the data privacy rights of motor vehicle owners. This public-facing requirement is likely intended to increase consumer awareness of the rights available to them under the statute.

Important Dates

January 1, 2027: The amendment takes effect.

Model Year 2030: OEMs must begin providing in-vehicle privacy controls for vehicles with a model year of 2030 or later.

The above is only a high-level overview of the Amendments to Motor Vehicle Data Privacy, and OEMs subject to the law will need to review the law more closely and revise their compliance programs. If you are concerned that the UCPA may apply to your business and are interested in learning more about how to ensure your business complies with the UCPA, please reach out to the authors.

Resource: Data Privacy Regulations by State

Data Privacy Regulations by State

The data privacy regulatory landscape continues to evolve rapidly across jurisdictions. Our privacy & data security attorneys are actively tracking new legislation and regulatory developments nationwide. We will continue to provide ongoing analysis as new regulations emerge. Access our interactive map to learn more about comprehensive state laws and consumer health data privacy requirements.

 

In Case You Missed It:

  • Litigation Practices Featured in Q&As as Finalists for 2026 Southeastern Legal Awards
    April 24, 2026 | Daily Report | Law.com
  • Sooner Rather Than Later: Oklahoma Stakes Its Claim in Consumer Privacy
    April 23, 2026 | Firm Publication
  • Healthcare Technology M&A Pulse Newsletter – April 2026
    April 15, 2026 | Firm Publication