- (1) An individual who makes a data privacy complaint shall first submit the complaint to the chief administrative officer of the governmental entity that is the subject of the complaint.
- (2) Upon receipt of a data privacy complaint under Subsection (1), the chief administrative officer shall attempt to resolve the complaint with the individual.
- (3) If the chief administrative officer is unable to resolve a data privacy complaint with the individual under Subsection (2), the individual or the governmental entity may request mediation with the ombudsperson in accordance with Section 63A-19-501.
(4) If an individual submits a data privacy complaint directly to the ombudsperson, the ombudsperson shall:
- (a) notify the individual and the governmental entity that the complaint will be referred to the chief administrative officer of the governmental entity; and
- (b) refer the complaint to the chief administrative officer.
(5) This section does not apply to a complaint about data privacy that is within the authority of:
- (a) the Government Records Office created in Section 63A-12-202; or
- (b) the government records ombudsman established in Section 63A-12-204.
- (6) An employee of a governmental entity may submit a confidential and anonymous data privacy complaint directly to the attorney general.
- (7) An employee of a governmental entity who submits a complaint under Subsection (6) is entitled to the protections described in Title 67, Chapter 21, Utah Protection of Public Employees Act.
Enacted by Chapter 202, 2026 General Session