US Lawyer Database

Effective 12/31/2023
13-61-304. Limitations.

  • (1) The requirements described in this chapter do not restrict a controller’s or processor’s ability to:
    • (a) comply with a federal, state, or local law, rule, or regulation;
    • (b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity;
    • (c) cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
    • (d) investigate, establish, exercise, prepare for, or defend a legal claim;
    • (e) provide a product or service requested by a consumer or a parent or legal guardian of a child;
    • (f) perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer or parent or legal guardian before entering into the contract with the consumer;
    • (g) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual;
    • (h)
      • (i) detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity; or
      • (ii) investigate, report, or prosecute a person responsible for an action described in Subsection (1)(h)(i);
    • (i)
      • (i) preserve the integrity or security of systems; or
      • (ii) investigate, report, or prosecute a person responsible for harming or threatening the integrity or security of systems, as applicable;
    • (j) if the controller discloses the processing in a notice described in Section 13-61-302, engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws;
    • (k) assist another person with an obligation described in this subsection;
    • (l) process personal data to:
      • (i) conduct internal analytics or other research to develop, improve, or repair a controller’s or processor’s product, service, or technology;
      • (ii) identify and repair technical errors that impair existing or intended functionality; or
      • (iii) effectuate a product recall;
    • (m) process personal data to perform an internal operation that is:
      • (i) reasonably aligned with the consumer’s expectations based on the consumer’s existing relationship with the controller; or
      • (ii) otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer or a parent or legal guardian of a child or the performance of a contract to which the consumer or a parent or legal guardian of a child is a party; or
    • (n) retain a consumer’s email address to comply with the consumer’s request to exercise a right.
  • (2) This chapter does not apply if a controller’s or processor’s compliance with this chapter:
    • (a) violates an evidentiary privilege under Utah law;
    • (b) as part of a privileged communication, prevents a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Utah law; or
    • (c) adversely affects the privacy or other rights of any person.
  • (3) A controller or processor is not in violation of this chapter if:
    • (a) the controller or processor discloses personal data to a third party controller or processor in compliance with this chapter;
    • (b) the third party processes the personal data in violation of this chapter; and
    • (c) the disclosing controller or processor did not have actual knowledge of the third party’s intent to commit a violation of this chapter.
  • (4) If a controller processes personal data under an exemption described in Subsection (1), the controller bears the burden of demonstrating that the processing qualifies for the exemption.
  • (5) Nothing in this chapter requires a controller, processor, third party, or consumer to disclose a trade secret.

Enacted by Chapter 462, 2022 General Session