1     MINOR DATA PROTECTION AMENDMENTS
2     2024 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Ronald M. Winterton
5     House Sponsor: ____________

6     

7     LONG TITLE
8     General Description:
9          This bill modifies the Protection of Personal Information Act.
10     Highlighted Provisions:
11          This bill:
12          ▸     defines terms;
13          ▸     creates a standard for how the personal information of a minor is maintained;
14          ▸     creates a standard for how the personal information of a minor is destroyed; and
15          ▸     makes technical changes.
16     Money Appropriated in this Bill:
17          None
18     Other Special Clauses:
19          None
20     Utah Code Sections Affected:
21     AMENDS:
22          13-44-201, as last amended by Laws of Utah 2019, Chapter 348
23     

24     Be it enacted by the Legislature of the state of Utah:
25          Section 1. Section 13-44-201 is amended to read:
26          13-44-201. Protection of personal information.
27          (1) As used in this section:

28          (a) "Endpoint detection and response" means the same as that term is defined in
29     Section 63A-16-214.
30          (b) "Multi-factor authentication" means the same as that term is defined in Section
31     63A-16-214.
32          (c) "Personal information" means the same as that term is defined in Section
33     13-44-102.
34          (d) "Zero trust architecture" means the same as that term is defined in Section
35     63A-16-214.
36          (2) [Any] A person who conducts business in the state and maintains personal
37     information shall implement and maintain reasonable procedures to:
38          (a) prevent unlawful use or disclosure of personal information collected or maintained
39     in the regular course of business; and
40          (b) destroy, or arrange for the destruction of, records containing personal information
41     that are not to be retained by the person.
42          (3) A person who conducts business or offers services in the state, including
43     educational services or healthcare, that collects or maintains the personal information of a
44     minor, shall implement and maintain reasonable procedures to:
45          (a) prevent unlawful use or disclosure of a minor's personal information collected or
46     maintained in the regular course of business, including:
47          (i) endpoint detection and response;
48          (ii) multi-factor authentication; and
49          (iii) zero trust architecture; and
50          (b) destroy, or arrange for the destruction of, records containing a minor's personal
51     information that will not be retained by the person.
52          [(2)] (4) The destruction of records under [Subsection (1)(b)] Subsections (2)(b) and
53     (3)(b) shall be by:
54          (a) shredding;
55          (b) erasing; or
56          (c) otherwise modifying the personal information to make the information
57     indecipherable.
58          Section 2. Effective date.

59          This bill takes effect on May 1, 2024.