First-ever Utah privacy audit finds 66% of government entities failed to meet compliance requirements

The results of a recent audit in Utah showed that 66% of organizations failed to meet a requirement of the state's privacy statute.
Utah State Capitol Building
The Utah State Capitol in Salt Lake City (Getty Images)

Utah’s Office of the State Auditor on Monday announced that the state’s privacy officer had completed a comprehensive privacy review of governmental entities and nonprofit organizations in the state. The results showed that 66% of those reviewed failed to meet a requirement of the state’s privacy statute.

The review examined more than 1,600 organizations — including counties, cities, school districts, charter schools, water districts and nonprofits — for compliance with a section of the state’s Governmental Internet Information Privacy Act. The act requires organizations post a clearly written privacy policy statements on their websites if they collect personally identifiable information. Only 34% were compliant with this requirement.

Utah State Privacy Officer Whitney Phillips told StateScoop in an email that she’ll help the non-compliant organizations come into compliance. She said her office did not assess whether the organizations were actually following the guidelines laid out in their privacy policy statements — if they had one — but only assessed if policies had been published.

According to the Governmental Internet Information Privacy Act, an organization’s privacy policy statement should include: the identity and contact information of the website operator; the personal information that is being collected; a summary of how it is used; practices related to the sharing of personal information; the procedures — if any — of how users may request access to or correct their information; and security measures to protect the information from unintended sharing.


Phillips said initial data from the assessment will help to “set a baseline” so she can target support and measure the improvement over the coming months.

“We plan to first reach out to all government entities to provide them with their compliance determination, as well as additional resources (template, checklist, and training modules) to either become compliant, or improve upon their privacy policy statement,” Phillips wrote.

Phillips said her office has also analyzed compliance by organization type, but has not made that information publicly available.

Along with providing targeted support, Phillips said she hopes the review will improve transparency and accountability across the state, which is one Utah’s fundamental privacy principles, by the time the next assessment comes around.

“I hope to see significant improvement of compliance when we reassess in 6 months. I especially want to see an increase in compliance with government entities that pose a higher-risk level,” Phillips wrote. “Being transparent about how personally-identifiable information (PII) is collected, used, shared, and protected can build the public’s trust in Utah’s government entities.”

Keely Quinlan

Written by Keely Quinlan

Keely Quinlan reports on privacy and digital government for StateScoop. She was an investigative news reporter with Clarksville Now in Tennessee, where she resides, and her coverage included local crimes, courts, public education and public health. Her work has appeared in Teen Vogue, Stereogum and other outlets. She earned her bachelor’s in journalism and master’s in social and cultural analysis from New York University.

Latest Podcasts