87-1127.

Controller or processor; requirements of act; applicability.

(1) The requirements imposed on any controller or processor under the Data Privacy Act shall not restrict a controller's or processor's ability to collect, use, or retain data to:

(a) Conduct internal research to develop, improve, or repair products, services, or technology;

(b) Effect a product recall;

(c) Identify and repair technical errors that impair existing or intended functionality; or

(d) Perform internal operations that:

(i) Are reasonably aligned with the expectations of the consumer;

(ii) Are reasonably anticipated based on the consumer's existing relationship with the controller; or

(iii) Are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

(2) A requirement imposed on a controller or processor under the Data Privacy Act shall not apply if compliance with the requirement by the controller or processor, as applicable, would violate an evidentiary privilege under any law of this state.