Initially, the state of Utah had mandated a May deadline for website compliance from their government agencies. However, realizing that getting into compliance will take training, resources, and time to mature, Utah changed the requirement to have initiated a privacy program by December 31, 2025. At the Utah Data Governance Summit held in May at Utah Valley University, the Office of Data Privacy hosted a seminar to explain how government website privacy teams can take the first step in complying with data privacy laws, provide templated resources, and encourage questions. ObservePoint was pleased to have spoken at the session to provide additional resources to these government agencies in their journey to compliance.
Utah is taking strong steps toward digital privacy with two major legislative frameworks: the Government Data Privacy Act (GDPA) and the Government Records Access and Management Act (GRAMA). These laws work together to define how government agencies in the state collect, use, store, and share personal information. GDPA sets strict guidelines for how Utah state government agencies handle personal data, while GRAMA governs how agencies manage records and public access to them.
GDPA Key Points:
- Requires government agencies to document the type of personal data collected and provide clear reasons for its collection.
- Limits agencies to collecting only what is necessary for their specific purpose.
- Mandates data retention schedules and policies for deletion.
- Prohibits using personal data for unauthorized secondary purposes without consent or legal authority.
- Requires transparency about data practices and allows individuals to request information about what data is held on them.
GRAMA Key Points:
- Provides public access to government records, with some exceptions for privacy, security, or legal reasons.
- Classifies records into four types: public, private, controlled, and protected.
- Individuals can request access to records, but agencies can deny access if records contain sensitive personal or proprietary information.
- GRAMA is often used by journalists, citizens, and watchdog groups to ensure government transparency.
One of the stipulations of GDPA was for all agencies to have a privacy program, which is defined as “a structured collection of an agency’s privacy practices, policies, and procedures that govern its processing and protection of personal data to ensure compliance with applicable laws,” and identify areas of non-compliance. The first step in complying with this requirement is to provide a report on the current state of their privacy compliance, which would fulfill the Dec. 31 requirement of initiating their program.
ObservePoint is proud to be a technology partner of the Utah Office of Data Privacy to help government agencies get their websites into compliance. ObservePoint’s website scanning technology is being employed by the state to audit government websites and provide a complete inventory of tags and cookies. The tag and cookie inventory reports will assist agencies in:
- Creating accurate privacy policies for every government website, whether county, city, or village
- Understanding what trackers are collecting data and for what purpose
- Minimizing data collection to what is truly necessary
- Making sure no 3rd-party advertisers or social media platforms are taking advantage of user data
Privacy offices of other states interested in finding out how ObservePoint can help them get into compliance with recently enacted privacy laws can reach out to one of our representatives for a privacy compliance demo.
