Section 13-61-304 - Limitations(1) The requirements described in this chapter do not restrict a controller's or processor's ability to: (a) comply with a federal, state, or local law, rule, or regulation;(b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity;(c) cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;(d) investigate, establish, exercise, prepare for, or defend a legal claim;(e) provide a product or service requested by a consumer or a parent or legal guardian of a child;(f) perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer or parent or legal guardian before entering into the contract with the consumer;(g) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual;(h)(i) detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity; or(ii) investigate, report, or prosecute a person responsible for an action described in Subsection (1)(h)(i);(i)(i) preserve the integrity or security of systems; or(ii) investigate, report, or prosecute a person responsible for harming or threatening the integrity or security of systems, as applicable;(j) if the controller discloses the processing in a notice described in Section 13-61-302, engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws;(k) assist another person with an obligation described in this subsection;(l) process personal data to: (i) conduct internal analytics or other research to develop, improve, or repair a controller's or processor's product, service, or technology;(ii) identify and repair technical errors that impair existing or intended functionality; or(iii) effectuate a product recall;(m) process personal data to perform an internal operation that is: (i) reasonably aligned with the consumer's expectations based on the consumer's existing relationship with the controller; or(ii) otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer or a parent or legal guardian of a child or the performance of a contract to which the consumer or a parent or legal guardian of a child is a party; or(n) retain a consumer's email address to comply with the consumer's request to exercise a right.(2) This chapter does not apply if a controller's or processor's compliance with this chapter: (a) violates an evidentiary privilege under Utah law;(b) as part of a privileged communication, prevents a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Utah law; or(c) adversely affects the privacy or other rights of any person.(3) A controller or processor is not in violation of this chapter if: (a) the controller or processor discloses personal data to a third party controller or processor in compliance with this chapter;(b) the third party processes the personal data in violation of this chapter; and(c) the disclosing controller or processor did not have actual knowledge of the third party's intent to commit a violation of this chapter.(4) If a controller processes personal data under an exemption described in Subsection (1), the controller bears the burden of demonstrating that the processing qualifies for the exemption.(5) Nothing in this chapter requires a controller, processor, third party, or consumer to disclose a trade secret.Added by Chapter 462, 2022 General Session ,§ 11, eff. 12/31/2023.