DATA PROTECTION IMPACT ASSESSMENT (DPIA)
(State overlay: UT)
1. Project Overview
- Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
- Purpose and objectives: [describe].
- Timeline and launch date: [dates].
2. Scope of Processing
- Data subjects: [customers/employees/vendors/end users].
- Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
- Sensitive data (UCPA definition per Utah Code § 13-61-101): Check all that apply: (1) Personal data revealing racial or ethnic origin; (2) Religious beliefs; (3) Sexual orientation; (4) Citizenship or immigration status; (5) Mental or physical health condition, or medical treatment or diagnosis by a health care professional; (6) Specific geolocation data (precise geolocation of an individual within a radius of 1,750 feet); (7) Genetic personal data or biometric data processed for the purpose of uniquely identifying an individual (subject to limited exceptions). Note: Unlike other state privacy laws, UCPA gives consumers a right to opt out (not an opt-in consent requirement) of the processing of sensitive data (except for children's data).
- Volume and retention: [records/year], [retention schedule and deletion triggers per business purpose].
- Processing activities: [collection, storage, analysis, sharing/sale status]. UCPA definitions: "Sale" = exchange of personal data for monetary consideration (narrower than CA/CO/CT, which also include "other valuable consideration"; same as VA); "Targeted advertising" = displaying to a consumer an advertisement selected based on personal data obtained from the consumer's activities over time and across nonaffiliated websites/applications to predict consumer preferences or interests; "Profiling" = automated processing of personal data to evaluate, analyze, or predict personal aspects related to a consumer.
3. Legal Basis, Notices, and Rights
- Primary state privacy law(s): Utah Consumer Privacy Act (UCPA), Utah Code § 13-61-101 et seq., effective December 31, 2023.
- Applicability thresholds: For-profit entity that conducts business in Utah or targets Utah residents AND has annual revenue of at least $25,000,000 (unique revenue threshold among state laws), AND meets one of: (1) Controls or processes personal data of 100,000+ Utah consumers annually; OR (2) Derives over 50% of gross revenue from sale of personal data AND controls or processes personal data of 25,000+ consumers. Note: UCPA is unique in requiring BOTH financial threshold ($25M revenue) AND data volume threshold. Consumer definition: Utah residents acting in individual or household context (not commercial or employment context).
- Entity type exemptions: GLBA-covered financial institutions and data subject to GLBA, HIPAA-covered entities/business associates for protected health information and data subject to HIPAA, nonprofit organizations, higher education institutions (public or private) and data subject to FERPA, government entities, consumer reporting agencies subject to FCRA, employment-related information.
- Consumer rights covered: (1) Right to access personal data; (2) Right to delete personal data; (3) Right to data portability (portable and readily usable format); (4) Right to opt out of sale of personal data, targeted advertising, and processing of sensitive data. Note: UCPA does NOT provide: (a) right to correct personal data (unlike CA/CO/CT/VA); (b) right to appeal denial of request (unlike other state laws); (c) right to opt out of profiling (unlike other state laws). Response timeline: 45 days (with one 45-day extension if reasonably necessary and consumer is notified). Authentication: Reasonable efforts to verify consumer identity and request authenticity.
- Consent/opt-out mechanics required for sensitive data, minors, targeted ads, sale/sharing: (1) Opt-out (not opt-in) required for processing sensitive data (UCPA is less consumer-protective than CA/CO/CT/VA which require affirmative consent); (2) Parental consent required for processing children's data; (3) Opt-out required for sale and targeted advertising; (4) Must provide clear notice and opportunity to opt out.
- Notice/labeling requirements: Privacy notice must be reasonably accessible, clear, and meaningful, disclosing: categories of personal data processed, purposes, how consumers may exercise rights, categories of personal data shared with third parties, categories of third parties. Must provide method for submitting consumer rights requests and opting out.
- Contracts with processors/service providers: Data processing agreement required per Utah Code § 13-61-302. Must include: instructions for processing data, nature and purpose of processing, type of personal data subject to processing, duration of processing, rights and obligations of both parties, requirement that processor deletes or returns data upon completion of processing, requirement that processor makes available information necessary to demonstrate compliance.
4. Data Flow and Transfers
- Source systems: [list]; storage/hosting locations: [cloud region/data centers].
- Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
- Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
- Access controls: RBAC groups, least privilege, joiner/mover/leaver process.
5. Security and Controls
- Technical controls: Encryption in transit/at rest [specify algorithms/key lengths], key management [HSM/KMS], network segmentation, endpoint protections [EDR/AV], logging/monitoring [SIEM], DLP, backups [frequency/retention/testing], vulnerability management [scanning cadence/remediation SLAs].
- Organizational controls: Written information security policies, annual training cadence, vendor due diligence [security questionnaires/assessments], incident response playbook [tested annually], change management, privacy-by-design reviews.
- Authentication/authorization: [MFA method: TOTP/FIDO2/SMS]; [SSO/SAML provider]; session timeouts [specify]; privileged access reviews [quarterly/semi-annual].
- Reasonable security: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
6. Risks and Impact Assessment
- Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
- Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
- Note: UCPA does NOT require data protection assessments (unlike CA/CO/CT/VA), but conducting risk assessments remains best practice for documenting reasonable security practices and demonstrating accountability.
7. Mitigations and Residual Risk
- Planned mitigations: [controls, timelines, owners].
- Testing/validation: [pen test, privacy-by-design checklist, security assessments].
- Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].
8. Incident Response and Breach Notification
- Breach notification statute: Utah Code §§ 13-44-101 et seq. (Protection of Personal Information Act); recent amendments via S.B. 98 effective May 1, 2024.
- Timeline: Notice to affected Utah residents required in most expedient time possible without unreasonable delay, considering legitimate investigative needs of law enforcement and after determining scope of breach. No fixed deadline (unlike CA 30 days, CO 30 days, CT 60 days, TX 60 days).
- Notification triggers: A person who owns or licenses computerized data including personal information must conduct a good faith, reasonable, and prompt investigation when it becomes aware of a breach, to determine the likelihood that personal information has been or will be misused for identity theft or fraud. If misuse occurred or is reasonably likely to occur, provide notification to each affected Utah resident. Personal information = Utah resident's first name or first initial and last name in combination with one or more of: (a) SSN; (b) Driver's license/state ID number; (c) Financial account/credit/debit card number with security code/access code/password/PIN; (d) Health insurance information; (e) Information regarding individual's medical history, mental or physical condition, or medical treatment/diagnosis by health care professional.
- Encryption safe harbor: Notification not required if personal information was encrypted and encryption key was not acquired and could not reasonably have been acquired.
- Regulator/AG/Cyber Center notice: If misuse relates to 500+ Utah residents, must provide notification to Utah Attorney General's Office and Utah Cyber Center. May 2024 amendments updated content requirements for AG/Cyber Center notifications and clarified confidentiality/classification under public records law.
- Content requirements: Notice to residents must include: general description of incident; type of personal information subject to breach; general description of controller's efforts to investigate, mitigate, and remediate; toll-free numbers and addresses of major credit reporting agencies (if applicable); toll-free number, address, and website address of controller from which resident may obtain additional information and assistance.
- Permitted delays: Notice may be delayed for legitimate investigative needs of law enforcement. Notice must be made in most expedient time possible after determining scope of breach.
- Third-party service providers: If a third party maintains computerized data on behalf of the controller, the third party must notify the controller in the most expedient time possible following discovery of a breach if personal information was or may have been acquired by an unauthorized person.
- Coordination with other states/GLBA/HIPAA requirements if multi-state: [Coordinate breach notification obligations; GLBA and HIPAA have separate timelines and requirements].
9. State Overlay Checklist (UT)
- Applicability thresholds and exemptions: UNIQUE DUAL THRESHOLD: $25M+ annual revenue AND (100,000+ consumers OR 25,000+ consumers + >50% revenue from sale). Only state with revenue threshold. Consumers = UT residents in individual/household context (not commercial/employment). Exemptions: GLBA financial institutions and data, HIPAA covered entities (for PHI) and data, nonprofits, higher education and FERPA data, government entities, consumer reporting agencies under FCRA, employment data.
- Sensitive data definition and consent/opt-out requirements: 7 categories of sensitive data (see Section 2 above): racial/ethnic origin, religious beliefs, sexual orientation, citizenship/immigration, health condition/diagnosis/treatment, specific geolocation (1,750 ft), genetic/biometric data. UCPA provides opt-out right (NOT opt-in consent requirement like CA/CO/CT/VA), making it most business-friendly. Parental consent required only for children's data.
- Consumer rights and response timelines/appeals: Access, delete, portability, opt-out of sale/targeted ads/sensitive data processing. Response: 45 days + one 45-day extension (with notice). NO RIGHT TO: (1) correct inaccuracies (unlike other state laws); (2) appeal denial (unlike CA/CO/CT/VA); (3) opt out of profiling (unlike other state laws). UCPA is most business-friendly comprehensive state privacy law.
- Opt-out of sale/targeted advertising/profiling requirements: Must provide clear and conspicuous method for opting out of sale and targeted advertising. NO opt-out right for profiling (unlike other state laws). Controllers must respond to opt-out requests.
- Processor/service provider contract requirements (flow-downs, audit rights, deletion/return): Data processing agreement required per Utah Code § 13-61-302. Must include: processing instructions, nature/purpose, data type, duration, parties' rights/obligations, deletion/return upon completion, processor's obligation to make available information demonstrating compliance.
- Data Protection Assessment / Risk Assessment triggers: UCPA does NOT require data protection assessments for any processing activities (unlike CA/CO/CT/VA which require DPAs for sensitive data, sales, targeted advertising, profiling). This is significant business-friendly distinction. However, conducting internal risk assessments remains best practice for demonstrating reasonable security and accountability.
- Security measures expectations (reasonable security; specific mandates if any): Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. No specific security mandates beyond "reasonable" practices. Document security controls in internal assessments even though not legally required to submit to AG.
- Breach notice timeline and content requirements: Most expedient time possible without unreasonable delay to residents; concurrent notice to AG and Cyber Center if 500+ residents affected. Content: incident description, PI types involved, investigation/mitigation/remediation efforts, credit agency contacts (if applicable), controller contact info. No fixed deadline unlike other states.
- Children/minors rules (e.g., COPPA; state-specific if any): Personal data of known children requires parental consent before processing. Controllers must comply with COPPA requirements for data of children under 13.
- Non-discrimination/retaliation prohibitions under state law: Utah Code § 13-61-301. Controller may not discriminate against consumer for exercising UCPA rights, including denying goods/services, charging different prices/rates, or providing different level/quality of goods/services. Financial incentives, bona fide loyalty/rewards/premium programs permitted with reasonable relationship to value provided by consumer's data and notice.
- Recordkeeping: ROPA/DPIA retention and appeal tracking: No DPA requirement under UCPA (business-friendly distinction). Maintain documentation of consumer request responses. No appeal tracking required (no appeal right under UCPA). Document compliance with permanent 30-day cure period (does not sunset, unlike CA/CO which had sunset provisions). Attorney General has exclusive enforcement authority; violations subject to penalties. No private right of action.
10. Approvals and Accountability
- Privacy lead/DPO review: [name/date].
- Security review: [name/date].
- Legal review (state law overlay): [name/date].
- Business owner certification: [name/date].
- Executive approver: [name/title/date].
11. Attachments
- Data flow diagrams/architecture.
- Records of processing activities entry.
- Vendor list and DPAs.
- Internal risk assessments (best practice even though not legally required under UCPA).
- Security practices documentation.
- State-specific notices/links and breach templates.