The GDPA establishes standardized requirements for regulated governmental entities, and creates or updates various state entities with the jurisdiction to evaluate state data privacy policy and coordinate implementation of privacy protections. Among other requirements, these entities must implement and maintain a privacy program by May 1, 2025, create ongoing privacy training for employees, identify noncompliant areas and propose a strategy to meet legal expectations.

The law creates the role of Data Privacy Ombudsperson, the first of its kind, to help consumers navigate Utah privacy remedies and even mediate between governmental entities and complainants. The law also outlines notification requirements for governmental entities when a data breach affects 500 or more people, including contacting the data subject, Utah attorney general, and Utah Cyber Center and providing certain information. Additionally, the amendments limit data collection and use; prohibit selling or sharing data unless expressly permitted by law; and give individuals the right to access and correct personal data. Notably, the law codifies Utah’s dedication to an individual’s “fundamental interest in and expectation of privacy regarding the personal data” provided to a governmental entity.