Can I ensure that my company is compliant with expanding privacy protections in Utah? What are the requirements?
Requirements for Ensuring Compliance with Expanding Privacy Protections in Utah
To ensure compliance with expanding privacy protections in Utah, companies must adhere to the following requirements:
- Agency Privacy Policies - State agencies may issue privacy policies that provide additional detail to, but do not conflict with, the terms of the Privacy Policy Statement for State of Utah Websites [1.1]. When a State agency is required by a federal statute, federal regulation, or State statute to collect or use the personally identifiable information of those accessing its website in a manner that is inconsistent with the Privacy Policy Statement, it shall issue a privacy policy of its own [1.1].
- Notification and Posting Requirements - If a State agency issues an agency privacy policy for its website as permitted under the Privacy Policy Statement, then the agency shall conspicuously post that information on the Web pages where personally identifiable information is collected or on the home page of its Website [1.2]. The agency privacy policy shall indicate the name of the issuing agency, a statement that the agency privacy policy applies to its own website only, a statement about what personally identifiable information the policy specifically applies to, and a statement defining how its agency privacy policy differs from the Privacy Policy Statement [1.2].
- Consumer Privacy Restricted Account - The Consumer Privacy Account is a restricted account created to fund investigation and administrative costs incurred by the division in investigating consumer complaints alleging violations of this chapter, recovery of costs and attorney fees accrued by the attorney general in enforcing this chapter, and providing consumer and business education regarding consumer rights under this chapter and compliance with the provisions of this chapter for controllers and processors [3.1].
- Personal Privacy Oversight Commission - The Personal Privacy Oversight Commission is composed of 12 members appointed by the governor, state auditor, and attorney general. The commission shall meet up to seven times a year to accomplish the duties described in Section 63C-24-202 [5.1].
- General Compliance - Covered entities shall comply with the privacy requirements of 45 CFR Part 164, Subpart E in dealing with individually identifiable health information and the subjects of that information [2.2].
Companies must also comply with the limitations described in UTCO 13-61-304, which do not restrict a controller’s or processor’s ability to [3.2]:
- comply with a federal, state, or local law, rule, or regulation;
- cooperate with a law enforcement agency;
- investigate, establish, exercise, prepare for, or defend a legal claim;
- provide a product or service requested by a consumer or a parent or legal guardian of a child;
- take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual;
- detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity;
- preserve the integrity or security of systems; or
- retain a consumer’s email address to comply with the consumer’s request to exercise a right.
Conclusion
To ensure compliance with expanding privacy protections in Utah, companies must adhere to agency privacy policies, notification and posting requirements, the Consumer Privacy Restricted Account, the Personal Privacy Oversight Commission, general compliance requirements, and limitations described in UTCO 13-61-304.
Source(s):
- [1.1] Agency Privacy Policies.
- [1.2] Notification and Posting Requirements.
- [3.1] Consumer Privacy Restricted Account. (Effective 12/31/2023)
- [5.1] Personal Privacy Oversight Commission created. (Effective 5/5/2021)
- [3.2] Limitations. (Effective 12/31/2023)
- [2.2] General Compliance.
Jurisdiction
Utah