13-81-202. Data interoperability requirements.
536 words·~2 min read·
/ut/title-13/chapter-81/13-81-202A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Effective 7/1/2027
13-81-202. Data interoperability requirements.
(1)A social media company shall implement a transparent, third-party-accessible interoperability interface or interfaces to allow users to choose to:
(a)share a common set of the user's personal data or a user-selected part of the user's personal data between the social media services designated by the user; and
(b)enable third parties to access personal data created by the user and to be notified when new or updated personal data is available, with the user's permission.
(2)A social media company shall reasonably secure all personal data obtained through an interoperability interface.
(3)To achieve interoperability under Subsection
(1), a social media company shall:
(a)utilize an open protocol;
(b)facilitate and maintain interoperability and continuous, real-time data sharing with other social media services through an interoperability interface, based on reasonable terms that do not discriminate between social media services;
(c)establish reasonable and proportionate thresholds related to the frequency, nature, and volume of requests, beyond which the social media company may assess a reasonable fee for such access; and
(d)disclose to other social media companies complete, accurate, and regularly updated documentation describing access to the interoperability interface required under this section.
(4)A social media company shall publicly disclose the open protocol that the social media company intends to use for purposes of Subsection (3)(a) .
(5)A social media company or third party shall safeguard the privacy and security of a user's personal data obtained from other social media services through the interoperability interface in accordance with the social media company's or third party's privacy notice and administrative, technical, and physical data security practices.
(6)A social media company or third party may not share or receive a user's personal data through the interoperability interface except with the user's consent, including when a user's personal data is intended to be shared in response to another user's request to share a social graph.
(a)A social media company shall adopt an accessible, prominent, and persistent method for users to give consent for data sharing with other social media services or third parties through the interoperability interface.
(b)The method described in Subsection (7)(a) shall allow users to provide consent:
(i)when the user initiates a transfer of the user's own personal data; and
(ii)before the user's personal data is shared as part of another user's social graph.
(c)A social media company shall implement the user's consent decisions within five business days.
(8)A social media company is not required to:
(a)provide access to:
(i)inferences, analyses, or derived data that the social media company has generated internally about a user; or
(ii)proprietary algorithms, ranking systems, or other internal operating mechanisms; or
(b)transmit personal data that:
(i)is stored or structured in a proprietary format; and
(ii)meets both of the following criteria:
(A)no open, industry-standard format is reasonably available; and
(B)transmitting the data would disclose information described in Subsection (8)(a).
(9)This chapter does not apply to an entity that is:
(a)owned, controlled, operated, or maintained by a religious organization; and
(b)exempt from property taxation under state law.
Amended by Chapter 316 , 2026 General Session