SB0227 - Utah CONSUMER PRIVACY ACT
Bill Sponsor:
Sen. Cullimore, Kirk A.
Floor Sponsor:
Rep. Brammer, Brady
Substitute Sponsor: Sen. Cullimore, Kirk A.
Drafting Attorney: Christine R. Gilbert
Fiscal Analyst: Bidusha Mudbhari
Bill Tracking
Tracking Page
Bill Text
Introduced
Amended
Amended Pages Only
Enrolled (Currently Displayed)
Other Versions
S.B. 227
S.B. 227 1st Substitute
Related Documents
Fiscal Note
House Committee Amendment 1(passed)
SB0227S01 comparison
Information
Last Action: 24 Mar 2022, Governor Signed
Last Location: Lieutenant Governor's office for filing
Effective Date: 31 Dec 2023
Session Law Chapter: 462
Similar Bills
Business
Commerce and Trade
Department of Commerce
Consumer Protection
Sections Affected
13-2-1
Enrolled
Printer Friendly
S.B. 227
1
CONSUMER PRIVACY ACT
2
2022 GENERAL SESSION
3
STATE OF UTAH
4
Chief Sponsor: Kirk A. Cullimore
5
House Sponsor: Brady Brammer
6
7 LONG TITLE
8 General Description:
9 This bill enacts the Utah Consumer Privacy Act.
10 Highlighted Provisions:
11 This bill:
12 ▸ defines terms;
13 ▸ provides consumers the right to:
14 • access and delete certain personal data maintained by certain businesses; and
15 • opt out of the collection and use of personal data for certain purposes;
16 ▸ requires certain businesses that control and process consumers' personal data to:
17 • safeguard consumers' personal data;
18 • provide clear information to consumers regarding how the consumers' personal
19 data are used; and
20 • accept and comply with a consumer's request to exercise the consumer's rights
21 under this bill;
22 ▸ creates a right for a consumer to know what personal data a business collects, how
23 the business uses the personal data, and whether the business sells the personal data;
24 ▸ upon request and subject to exceptions, requires a business to delete a consumer's
25 personal data or stop selling the consumer's personal data;
26 ▸ allows the Division of Consumer Protection to accept and investigate consumer
27 complaints regarding the processing of personal data;
28 ▸ authorizes the Office of the Attorney General to take enforcement action and
29 impose penalties; and
30 ▸ makes technical changes.
31 Money Appropriated in this Bill:
32 None
33 Other Special Clauses:
34 This bill provides a special effective date.
35 Utah Code Sections Affected:
36 AMENDS:
37 13-2-1, as last amended by Laws of Utah 2021, Chapter 266
38 ENACTS:
39 13-61-101, Utah Code Annotated 1953
40 13-61-102, Utah Code Annotated 1953
41 13-61-103, Utah Code Annotated 1953
42 13-61-201, Utah Code Annotated 1953
43 13-61-202, Utah Code Annotated 1953
44 13-61-203, Utah Code Annotated 1953
45 13-61-301, Utah Code Annotated 1953
46 13-61-302, Utah Code Annotated 1953
47 13-61-303, Utah Code Annotated 1953
48 13-61-304, Utah Code Annotated 1953
49 13-61-305, Utah Code Annotated 1953
50 13-61-401, Utah Code Annotated 1953
51 13-61-402, Utah Code Annotated 1953
52 13-61-403, Utah Code Annotated 1953
53 13-61-404, Utah Code Annotated 1953
54
55 Be it enacted by the Legislature of the state of Utah:
56 Section 1. Section 13-2-1 is amended to read:
57 13-2-1. Consumer protection division established -- Functions.
58 (1) There is established within the Department of Commerce the Division of Consumer
59 Protection.
60 (2) The division shall administer and enforce the following:
61 (a) Chapter 5, Unfair Practices Act;
62 (b) Chapter 10a, Music Licensing Practices Act;
63 (c) Chapter 11, Utah Consumer Sales Practices Act;
64 (d) Chapter 15, Business Opportunity Disclosure Act;
65 (e) Chapter 20, New Motor Vehicle Warranties Act;
66 (f) Chapter 21, Credit Services Organizations Act;
67 (g) Chapter 22, Charitable Solicitations Act;
68 (h) Chapter 23, Health Spa Services Protection Act;
69 (i) Chapter 25a, Telephone and Facsimile Solicitation Act;
70 (j) Chapter 26, Telephone Fraud Prevention Act;
71 (k) Chapter 28, Prize Notices Regulation Act;
72 (l) Chapter 32a, Pawnshop and Secondhand Merchandise Transaction Information Act;
73 (m) Chapter 34, Utah Postsecondary Proprietary School Act;
74 (n) Chapter 34a, Utah Postsecondary School State Authorization Act;
75 (o) Chapter 41, Price Controls During Emergencies Act;
76 (p) Chapter 42, Uniform Debt-Management Services Act;
77 (q) Chapter 49, Immigration Consultants Registration Act;
78 (r) Chapter 51, Transportation Network Company Registration Act;
79 (s) Chapter 52, Residential Solar Energy Disclosure Act;
80 (t) Chapter 53, Residential, Vocational and Life Skills Program Act;
81 (u) Chapter 54, Ticket Website Sales Act;
82 (v) Chapter 56, Ticket Transferability Act; [and]
83 (w) Chapter 57, Maintenance Funding Practices Act[.]; and
84 (x) Chapter 61, Utah Consumer Privacy Act.
85 Section 2. Section 13-61-101 is enacted to read:
86
CHAPTER 61. UTAH CONSUMER PRIVACY ACT
87
Part 1. General Provisions
88 13-61-101. Definitions.
89 As used in this chapter:
90 (1) "Account" means the Consumer Privacy Restricted Account established in Section
91 13-61-403.
92 (2) "Affiliate" means an entity that:
93 (a) controls, is controlled by, or is under common control with another entity; or
94 (b) shares common branding with another entity.
95 (3) "Aggregated data" means information that relates to a group or category of
96 consumers:
97 (a) from which individual consumer identities have been removed; and
98 (b) that is not linked or reasonably linkable to any consumer.
99 (4) "Air carrier" means the same as that term is defined in 49 U.S.C. Sec. 40102.
100 (5) "Authenticate" means to use reasonable means to determine that a consumer's
101 request to exercise the rights described in Section 13-61-201 is made by the consumer who is
102 entitled to exercise those rights.
103 (6) (a) "Biometric data" means data generated by automatic measurements of an
104 individual's unique biological characteristics.
105 (b) "Biometric data" includes data described in Subsection (6)(a) that are generated by
106 automatic measurements of an individual's fingerprint, voiceprint, eye retinas, irises, or any
107 other unique biological pattern or characteristic that is used to identify a specific individual.
108 (c) "Biometric data" does not include:
109 (i) a physical or digital photograph;
110 (ii) a video or audio recording;
111 (iii) data generated from an item described in Subsection (6)(c)(i) or (ii);
112 (iv) information captured from a patient in a health care setting; or
113 (v) information collected, used, or stored for treatment, payment, or health care
114 operations as those terms are defined in 45 C.F.R. Parts 160, 162, and 164.
115 (7) "Business associate" means the same as that term is defined in 45 C.F.R. Sec.
116 160.103.
117 (8) "Child" means an individual younger than 13 years old.
118 (9) "Consent" means an affirmative act by a consumer that unambiguously indicates
119 the consumer's voluntary and informed agreement to allow a person to process personal data
120 related to the consumer.
121 (10) (a) "Consumer" means an individual who is a resident of the state acting in an
122 individual or household context.
123 (b) "Consumer" does not include an individual acting in an employment or commercial
124 context.
125 (11) "Control" or "controlled" as used in Subsection (2) means:
126 (a) ownership of, or the power to vote, more than 50% of the outstanding shares of any
127 class of voting securities of an entity;
128 (b) control in any manner over the election of a majority of the directors or of the
129 individuals exercising similar functions; or
130 (c) the power to exercise controlling influence of the management of an entity.
131 (12) "Controller" means a person doing business in the state who determines the
132 purposes for which and the means by which personal data are processed, regardless of whether
133 the person makes the determination alone or with others.
134 (13) "Covered entity" means the same as that term is defined in 45 C.F.R. Sec.
135 160.103.
136 (14) "Deidentified data" means data that:
137 (a) cannot reasonably be linked to an identified individual or an identifiable individual;
138 and
139 (b) are possessed by a controller who:
140 (i) takes reasonable measures to ensure that a person cannot associate the data with an
141 individual;
142 (ii) publicly commits to maintain and use the data only in deidentified form and not
143 attempt to reidentify the data; and
144 (iii) contractually obligates any recipients of the data to comply with the requirements
145 described in Subsections (14)(b)(i) and (ii).
146 (15) "Director" means the director of the Division of Consumer Protection.
147 (16) "Division" means the Division of Consumer Protection created in Section 13-2-1.
148 (17) "Governmental entity" means the same as that term is defined in Section
149 63G-2-103.
150 (18) "Health care facility" means the same as that term is defined in Section 26-21-2.
151 (19) "Health care provider" means the same as that term is defined in Section 26-21-2.
152 (20) "Identifiable individual" means an individual who can be readily identified,
153 directly or indirectly.
154 (21) "Institution of higher education" means a public or private institution of higher
155 education.
156 (22) "Local political subdivision" means the same as that term is defined in Section
157 11-14-102.
158 (23) "Nonprofit corporation" means:
159 (a) the same as that term is defined in Section 16-6a-102; or
160 (b) a foreign nonprofit corporation as defined in Section 16-6a-102.
161 (24) (a) "Personal data" means information that is linked or reasonably linkable to an
162 identified individual or an identifiable individual.
163 (b) "Personal data" does not include deidentified data, aggregated data, or publicly
164 available information.
165 (25) "Process" means an operation or set of operations performed on personal data,
166 including collection, use, storage, disclosure, analysis, deletion, or modification of personal
167 data.
168 (26) "Processor" means a person who processes personal data on behalf of a controller.
169 (27) "Protected health information" means the same as that term is defined in 45 C.F.R.
170 Sec. 160.103.
171 (28) "Pseudonymous data" means personal data that cannot be attributed to a specific
172 individual without the use of additional information, if the additional information is:
173 (a) kept separate from the consumer's personal data; and
174 (b) subject to appropriate technical and organizational measures to ensure that the
175 personal data are not attributable to an identified individual or an identifiable individual.
176 (29) "Publicly available information" means information that a person:
177 (a) lawfully obtains from a record of a governmental entity;
178 (b) reasonably believes a consumer or widely distributed media has lawfully made
179 available to the general public; or
180 (c) if the consumer has not restricted the information to a specific audience, obtains
181 from a person to whom the consumer disclosed the information.
182 (30) "Right" means a consumer right described in Section 13-61-201.
183 (31) (a) "Sale," "sell," or "sold" means the exchange of personal data for monetary
184 consideration by a controller to a third party.
185 (b) "Sale," "sell," or "sold" does not include:
186 (i) a controller's disclosure of personal data to a processor who processes the personal
187 data on behalf of the controller;
188 (ii) a controller's disclosure of personal data to an affiliate of the controller;
189 (iii) considering the context in which the consumer provided the personal data to the
190 controller, a controller's disclosure of personal data to a third party if the purpose is consistent
191 with a consumer's reasonable expectations;
192 (iv) the disclosure or transfer of personal data when a consumer directs a controller to:
193 (A) disclose the personal data; or
194 (B) interact with one or more third parties;
195 (v) a consumer's disclosure of personal data to a third party for the purpose of
196 providing a product or service requested by the consumer or a parent or legal guardian of a
197 child;
198 (vi) the disclosure of information that the consumer:
199 (A) intentionally makes available to the general public via a channel of mass media;
200 and
201 (B) does not restrict to a specific audience; or
202 (vii) a controller's transfer of personal data to a third party as an asset that is part of a
203 proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes
204 control of all or part of the controller's assets.
205 (32) (a) "Sensitive data" means:
206 (i) personal data that reveals:
207 (A) an individual's racial or ethnic origin;
208 (B) an individual's religious beliefs;
209 (C) an individual's sexual orientation;
210 (D) an individual's citizenship or immigration status; or
211 (E) information regarding an individual's medical history, mental or physical health
212 condition, or medical treatment or diagnosis by a health care professional;
213 (ii) the processing of genetic personal data or biometric data, if the processing is for the
214 purpose of identifying a specific individual; or
215 (iii) specific geolocation data.
216 (b) "Sensitive data" does not include personal data that reveals an individual's:
217 (i) racial or ethnic origin, if the personal data are processed by a video communication
218 service; or
219 (ii) if the personal data are processed by a person licensed to provide health care under
220 Title 26, Chapter 21, Health Care Facility Licensing and Inspection Act, or Title 58,
221 Occupations and Professions, information regarding an individual's medical history, mental or
222 physical health condition, or medical treatment or diagnosis by a health care professional.
223 (33) (a) "Specific geolocation data" means information derived from technology,
224 including global position system level latitude and longitude coordinates, that directly
225 identifies an individual's specific location, accurate within a radius of 1,750 feet or less.
226 (b) "Specific geolocation data" does not include:
227 (i) the content of a communication; or
228 (ii) any data generated by or connected to advanced utility metering infrastructure
229 systems or equipment for use by a utility.
230 (34) (a) "Targeted advertising" means displaying an advertisement to a consumer
231 where the advertisement is selected based on personal data obtained from the consumer's
232 activities over time and across nonaffiliated websites or online applications to predict the
233 consumer's preferences or interests.
234 (b) "Targeted advertising" does not include advertising:
235 (i) based on a consumer's activities within a controller's website or online application
236 or any affiliated website or online application;
237 (ii) based on the context of a consumer's current search query or visit to a website or
238 online application;
239 (iii) directed to a consumer in response to the consumer's request for information,
240 product, a service, or feedback; or
241 (iv) processing personal data solely to measure or report advertising:
242 (A) performance;
243 (B) reach; or
244 (C) frequency.
245 (35) "Third party" means a person other than:
246 (a) the consumer, controller, or processor; or
247 (b) an affiliate or contractor of the controller or the processor.
248 (36) "Trade secret" means information, including a formula, pattern, compilation,
249 program, device, method, technique, or process, that:
250 (a) derives independent economic value, actual or potential, from not being generally
251 known to, and not being readily ascertainable by proper means by, other persons who can
252 obtain economic value from the information's disclosure or use; and
253 (b) is the subject of efforts that are reasonable under the circumstances to maintain the
254 information's secrecy.
255 Section 3. Section 13-61-102 is enacted to read:
256 13-61-102. Applicability.
257 (1) This chapter applies to any controller or processor who:
258 (a) (i) conducts business in the state; or
259 (ii) produces a product or service that is targeted to consumers who are residents of the
260 state;
261 (b) has annual revenue of $25,000,000 or more; and
262 (c) satisfies one or more of the following thresholds:
263 (i) during a calendar year, controls or processes personal data of 100,000 or more
264 consumers; or
265 (ii) derives over 50% of the entity's gross revenue from the sale of personal data and
266 controls or processes personal data of 25,000 or more consumers.
267 (2) This chapter does not apply to:
268 (a) a governmental entity or a third party under contract with a governmental entity
269 when the third party is acting on behalf of the governmental entity;
270 (b) a tribe;
271 (c) an institution of higher education;
272 (d) a nonprofit corporation;
273 (e) a covered entity;
274 (f) a business associate;
275 (g) information that meets the definition of:
276 (i) protected health information for purposes of the federal Health Insurance Portability
277 and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations;
278 (ii) patient identifying information for purposes of 42 C.F.R. Part 2;
279 (iii) identifiable private information for purposes of the Federal Policy for the
280 Protection of Human Subjects, 45 C.F.R. Part 46;
281 (iv) identifiable private information or personal data collected as part of human
282 subjects research pursuant to or under the same standards as:
283 (A) the good clinical practice guidelines issued by the International Council for
284 Harmonisation; or
285 (B) the Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review
286 Boards under 21 C.F.R. Part 56;
287 (v) personal data used or shared in research conducted in accordance with one or more
288 of the requirements described in Subsection (2)(g)(iv);
289 (vi) information and documents created specifically for, and collected and maintained
290 by, a committee listed in Section 26-1-7;
291 (vii) information and documents created for purposes of the federal Health Care
292 Quality Improvement Act of 1986, 42 U.S.C. Sec. 11101 et seq., and related regulations;
293 (viii) patient safety work product for purposes of 42 C.F.R. Part 3; or
294 (ix) information that is:
295 (A) deidentified in accordance with the requirements for deidentification set forth in 45
296 C.F.R. Part 164; and
297 (B) derived from any of the health care-related information listed in this Subsection
298 (2)(g);
299 (h) information originating from, and intermingled to be indistinguishable with,
300 information under Subsection (2)(g) that is maintained by:
301 (i) a health care facility or health care provider; or
302 (ii) a program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11;
303 (i) information used only for public health activities and purposes as described in 45
304 C.F.R. Sec. 164.512;
305 (j) (i) an activity by:
306 (A) a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a;
307 (B) a furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides
308 information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or
309 (C) a user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b;
310 (ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec.
311 1681 et seq.; and
312 (iii) involving the collection, maintenance, disclosure, sale, communication, or use of
313 any personal data bearing on a consumer's:
314 (A) credit worthiness;
315 (B) credit standing;
316 (C) credit capacity;
317 (D) character;
318 (E) general reputation;
319 (F) personal characteristics; or
320 (G) mode of living;
321 (k) a financial institution or an affiliate of a financial institution governed by, or
322 personal data collected, processed, sold, or disclosed in accordance with, Title V of the
323 Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations;
324 (l) personal data collected, processed, sold, or disclosed in accordance with the federal
325 Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.;
326 (m) personal data regulated by the federal Family Education Rights and Privacy Act,
327 20 U.S.C. Sec. 1232g, and related regulations;
328 (n) personal data collected, processed, sold, or disclosed in accordance with the federal
329 Farm Credit Act of 1971, 12 U.S.C. Sec. 2001 et seq.;
330 (o) data that are processed or maintained:
331 (i) in the course of an individual applying to, being employed by, or acting as an agent
332 or independent contractor of a controller, processor, or third party, to the extent the collection
333 and use of the data are related to the individual's role;
334 (ii) as the emergency contact information of an individual described in Subsection
335 (2)(o)(i) and used for emergency contact purposes; or
336 (iii) to administer benefits for another individual relating to an individual described in
337 Subsection (2)(o)(i) and used for the purpose of administering the benefits;
338 (p) an individual's processing of personal data for purely personal or household
339 purposes; or
340 (q) an air carrier.
341 (3) A controller is in compliance with any obligation to obtain parental consent under
342 this chapter if the controller complies with the verifiable parental consent mechanisms under
343 the Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and the act's
344 implementing regulations and exemptions.
345 (4) This chapter does not require a person to take any action in conflict with the federal
346 Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., or
347 related regulations.
348 Section 4. Section 13-61-103 is enacted to read:
349 13-61-103. Preemption -- Reference to other laws.
350 (1) This chapter supersedes and preempts any ordinance, resolution, rule, or other
351 regulation adopted by a local political subdivision regarding the processing of personal data by
352 a controller or processor.
353 (2) Any reference to federal law in this chapter includes any rules or regulations
354 promulgated under the federal law.
355 Section 5. Section 13-61-201 is enacted to read:
356
Part 2. Rights Relating to Personal Data
357 13-61-201. Consumer rights -- Access -- Deletion -- Portability -- Opt out of
358 certain processing.
359 (1) A consumer has the right to:
360 (a) confirm whether a controller is processing the consumer's personal data; and
361 (b) access the consumer's personal data.
362 (2) A consumer has the right to delete the consumer's personal data that the consumer
363 provided to the controller.
364 (3) A consumer has the right to obtain a copy of the consumer's personal data, that the
365 consumer previously provided to the controller, in a format that:
366 (a) to the extent technically feasible, is portable;
367 (b) to the extent practicable, is readily usable; and
368 (c) allows the consumer to transmit the data to another controller without impediment,
369 where the processing is carried out by automated means.
370 (4) A consumer has the right to opt out of the processing of the consumer's personal
371 data for purposes of:
372 (a) targeted advertising; or
373 (b) the sale of personal data.
374 (5) Nothing in this section requires a person to cause a breach of security system as
375 defined in Section 13-44-102.
376 Section 6. Section 13-61-202 is enacted to read:
377 13-61-202. Exercising consumer rights.
378 (1) A consumer may exercise a right by submitting a request to a controller, by means
379 prescribed by the controller, specifying the right the consumer intends to exercise.
380 (2) In the case of processing personal data concerning a known child, the parent or
381 legal guardian of the known child shall exercise a right on the child's behalf.
382 (3) In the case of processing personal data concerning a consumer subject to
383 guardianship, conservatorship, or other protective arrangement under Title 75, Chapter 5,
384 Protection of Persons Under Disability and Their Property, the guardian or the conservator of
385 the consumer shall exercise a right on the consumer's behalf.
386 Section 7. Section 13-61-203 is enacted to read:
387 13-61-203. Controller's response to requests.
388 (1) Subject to the other provisions of this chapter, a controller shall comply with a
389 consumer's request under Section 13-61-202 to exercise a right.
390 (2) (a) Within 45 days after the day on which a controller receives a request to exercise
391 a right, the controller shall:
392 (i) take action on the consumer's request; and
393 (ii) inform the consumer of any action taken on the consumer's request.
394 (b) The controller may extend once the initial 45-day period by an additional 45 days if
395 reasonably necessary due to the complexity of the request or the volume of the requests
396 received by the controller.
397 (c) If a controller extends the initial 45-day period, before the initial 45-day period
398 expires, the controller shall:
399 (i) inform the consumer of the extension, including the length of the extension; and
400 (ii) provide the reasons the extension is reasonably necessary as described in
401 Subsection (2)(b).
402 (d) The 45-day period does not apply if the controller reasonably suspects the
403 consumer's request is fraudulent and the controller is not able to authenticate the request before
404 the 45-day period expires.
405 (3) If, in accordance with this section, a controller chooses not to take action on a
406 consumer's request, the controller shall within 45 days after the day on which the controller
407 receives the request, inform the consumer of the reasons for not taking action.
408 (4) (a) A controller may not charge a fee for information in response to a request,
409 unless the request is the consumer's second or subsequent request during the same 12-month
410 period.
411 (b) (i) Notwithstanding Subsection (4)(a), a controller may charge a reasonable fee to
412 cover the administrative costs of complying with a request or refuse to act on a request, if:
413 (A) the request is excessive, repetitive, technically infeasible, or manifestly unfounded;
414 (B) the controller reasonably believes the primary purpose in submitting the request
415 was something other than exercising a right; or
416 (C) the request, individually or as part of an organized effort, harasses, disrupts, or
417 imposes undue burden on the resources of the controller's business.
418 (ii) A controller that charges a fee or refuses to act in accordance with this Subsection
419 (4)(b) bears the burden of demonstrating the request satisfied one or more of the criteria
420 described in Subsection (4)(b)(i).
421 (5) If a controller is unable to authenticate a consumer request to exercise a right
422 described in Section 13-61-201 using commercially reasonable efforts, the controller:
423 (a) is not required to comply with the request; and
424 (b) may request that the consumer provide additional information reasonably necessary
425 to authenticate the request.
426 Section 8. Section 13-61-301 is enacted to read:
427
Part 3. Requirements for Controllers and Processors
428 13-61-301. Responsibility according to role.
429 (1) A processor shall:
430 (a) adhere to the controller's instructions; and
431 (b) taking into account the nature of the processing and information available to the
432 processor, by appropriate technical and organizational measures, insofar as reasonably
433 practicable, assist the controller in meeting the controller's obligations, including obligations
434 related to the security of processing personal data and notification of a breach of security
435 system described in Section 13-44-202.
436 (2) Before a processor performs processing on behalf of a controller, the processor and
437 controller shall enter into a contract that:
438 (a) clearly sets forth instructions for processing personal data, the nature and purpose
439 of the processing, the type of data subject to processing, the duration of the processing, and the
440 parties' rights and obligations;
441 (b) requires the processor to ensure each person processing personal data is subject to a
442 duty of confidentiality with respect to the personal data; and
443 (c) requires the processor to engage any subcontractor pursuant to a written contract
444 that requires the subcontractor to meet the same obligations as the processor with respect to the
445 personal data.
446 (3) (a) Determining whether a person is acting as a controller or processor with respect
447 to a specific processing of data is a fact-based determination that depends upon the context in
448 which personal data are to be processed.
449 (b) A processor that adheres to a controller's instructions with respect to a specific
450 processing of personal data remains a processor.
451 Section 9. Section 13-61-302 is enacted to read:
452 13-61-302. Responsibilities of controllers -- Transparency -- Purpose specification
453 and data minimization -- Consent for secondary use -- Security -- Nondiscrimination --
454 Nonretaliation -- Nonwaiver of consumer rights.
455 (1) (a) A controller shall provide consumers with a reasonably accessible and clear
456 privacy notice that includes:
457 (i) the categories of personal data processed by the controller;
458 (ii) the purposes for which the categories of personal data are processed;
459 (iii) how consumers may exercise a right;
460 (iv) the categories of personal data that the controller shares with third parties, if any;
461 and
462 (v) the categories of third parties, if any, with whom the controller shares personal data.
463 (b) If a controller sells a consumer's personal data to one or more third parties or
464 engages in targeted advertising, the controller shall clearly and conspicuously disclose to the
465 consumer the manner in which the consumer may exercise the right to opt out of the:
466 (i) sale of the consumer's personal data; or
467 (ii) processing for targeted advertising.
468 (2) (a) A controller shall establish, implement, and maintain reasonable administrative,
469 technical, and physical data security practices designed to:
470 (i) protect the confidentiality and integrity of personal data; and
471 (ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing
472 of personal data.
473 (b) Considering the controller's business size, scope, and type, a controller shall use
474 data security practices that are appropriate for the volume and nature of the personal data at
475 issue.
476 (3) Except as otherwise provided in this chapter, a controller may not process sensitive
477 data collected from a consumer without:
478 (a) first presenting the consumer with clear notice and an opportunity to opt out of the
479 processing; or
480 (b) in the case of the processing of personal data concerning a known child, processing
481 the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C.
482 Sec. 6501 et seq., and the act's implementing regulations and exemptions.
483 (4) (a) A controller may not discriminate against a consumer for exercising a right by:
484 (i) denying a good or service to the consumer;
485 (ii) charging the consumer a different price or rate for a good or service; or
486 (iii) providing the consumer a different level of quality of a good or service.
487 (b) This Subsection (4) does not prohibit a controller from offering a different price,
488 rate, level, quality, or selection of a good or service to a consumer, including offering a good or
489 service for no fee or at a discount, if:
490 (i) the consumer has opted out of targeted advertising; or
491 (ii) the offer is related to the consumer's voluntary participation in a bona fide loyalty,
492 rewards, premium features, discounts, or club card program.
493 (5) A controller is not required to provide a product, service, or functionality to a
494 consumer if:
495 (a) the consumer's personal data are or the processing of the consumer's personal data
496 is reasonably necessary for the controller to provide the consumer the product, service, or
497 functionality; and
498 (b) the consumer does not:
499 (i) provide the consumer's personal data to the controller; or
500 (ii) allow the controller to process the consumer's personal data.
501 (6) Any provision of a contract that purports to waive or limit a consumer's right under
502 this chapter is void.
503 Section 10. Section 13-61-303 is enacted to read:
504 13-61-303. Processing deidentified data or pseudonymous data.
505 (1) The provisions of this chapter do not require a controller or processor to:
506 (a) reidentify deidentified data or pseudonymous data;
507 (b) maintain data in identifiable form or obtain, retain, or access any data or technology
508 for the purpose of allowing the controller or processor to associate a consumer request with
509 personal data; or
510 (c) comply with an authenticated consumer request to exercise a right described in
511 Subsections 13-61-202(1) through (3), if:
512 (i) (A) the controller is not reasonably capable of associating the request with the
513 personal data; or
514 (B) it would be unreasonably burdensome for the controller to associate the request
515 with the personal data;
516 (ii) the controller does not:
517 (A) use the personal data to recognize or respond to the consumer who is the subject of
518 the personal data; or
519 (B) associate the personal data with other personal data about the consumer; and
520 (iii) the controller does not sell or otherwise disclose the personal data to any third
521 party other than a processor, except as otherwise permitted in this section.
522 (2) The rights described in Subsections 13-61-201(1) through (3) do not apply to
523 pseudonymous data if a controller demonstrates that any information necessary to identify a
524 consumer is kept:
525 (a) separately; and
526 (b) subject to appropriate technical and organizational measures to ensure the personal
527 data are not attributed to an identified individual or an identifiable individual.
528 (3) A controller who uses pseudonymous data or deidentified data shall take reasonable
529 steps to ensure the controller:
530 (a) complies with any contractual obligations to which the pseudonymous data or
531 deidentified data are subject; and
532 (b) promptly addresses any breach of a contractual obligation described in Subsection
533 (3)(a).
534 Section 11. Section 13-61-304 is enacted to read:
535 13-61-304. Limitations.
536 (1) The requirements described in this chapter do not restrict a controller's or
537 processor's ability to:
538 (a) comply with a federal, state, or local law, rule, or regulation;
539 (b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
540 summons by a federal, state, local, or other governmental entity;
541 (c) cooperate with a law enforcement agency concerning activity that the controller or
542 processor reasonably and in good faith believes may violate federal, state, or local laws, rules,
543 or regulations;
544 (d) investigate, establish, exercise, prepare for, or defend a legal claim;
545 (e) provide a product or service requested by a consumer or a parent or legal guardian
546 of a child;
547 (f) perform a contract to which the consumer or the parent or legal guardian of a child
548 is a party, including fulfilling the terms of a written warranty or taking steps at the request of
549 the consumer or parent or legal guardian before entering into the contract with the consumer;
550 (g) take immediate steps to protect an interest that is essential for the life or physical
551 safety of the consumer or of another individual;
552 (h) (i) detect, prevent, protect against, or respond to a security incident, identity theft,
553 fraud, harassment, malicious or deceptive activity, or any illegal activity; or
554 (ii) investigate, report, or prosecute a person responsible for an action described in
555 Subsection (1)(h)(i);
556 (i) (i) preserve the integrity or security of systems; or
557 (ii) investigate, report, or prosecute a person responsible for harming or threatening the
558 integrity or security of systems, as applicable;
559 (j) if the controller discloses the processing in a notice described in Section 13-61-302,
560 engage in public or peer-reviewed scientific, historical, or statistical research in the public
561 interest that adheres to all other applicable ethics and privacy laws;
562 (k) assist another person with an obligation described in this subsection;
563 (l) process personal data to:
564 (i) conduct internal analytics or other research to develop, improve, or repair a
565 controller's or processor's product, service, or technology;
566 (ii) identify and repair technical errors that impair existing or intended functionality; or
567 (iii) effectuate a product recall;
568 (m) process personal data to perform an internal operation that is:
569 (i) reasonably aligned with the consumer's expectations based on the consumer's
570 existing relationship with the controller; or
571 (ii) otherwise compatible with processing to aid the controller or processor in
572 providing a product or service specifically requested by a consumer or a parent or legal
573 guardian of a child or the performance of a contract to which the consumer or a parent or legal
574 guardian of a child is a party; or
575 (n) retain a consumer's email address to comply with the consumer's request to exercise
576 a right.
577 (2) This chapter does not apply if a controller's or processor's compliance with this
578 chapter:
579 (a) violates an evidentiary privilege under Utah law;
580 (b) as part of a privileged communication, prevents a controller or processor from
581 providing personal data concerning a consumer to a person covered by an evidentiary privilege
582 under Utah law; or
583 (c) adversely affects the privacy or other rights of any person.
584 (3) A controller or processor is not in violation of this chapter if:
585 (a) the controller or processor discloses personal data to a third party controller or
586 processor in compliance with this chapter;
587 (b) the third party processes the personal data in violation of this chapter; and
588 (c) the disclosing controller or processor did not have actual knowledge of the third
589 party's intent to commit a violation of this chapter.
590 (4) If a controller processes personal data under an exemption described in Subsection
591 (1), the controller bears the burden of demonstrating that the processing qualifies for the
592 exemption.
593 (5) Nothing in this chapter requires a controller, processor, third party, or consumer to
594 disclose a trade secret.
595 Section 12. Section 13-61-305 is enacted to read:
596 13-61-305. No private cause of action.
597 A violation of this chapter does not provide a basis for, nor is a violation of this chapter
598 subject to, a private right of action under this chapter or any other law.
599 Section 13. Section 13-61-401 is enacted to read:
600
Part 4. Enforcement
601 13-61-401. Investigative powers of division.
602 (1) The division shall establish and administer a system to receive consumer
603 complaints regarding a controller's or processor's alleged violation of this chapter.
604 (2) (a) The division may investigate a consumer complaint to determine whether the
605 controller or processor violated or is violating this chapter.
606 (b) If the director has reasonable cause to believe that substantial evidence exists that a
607 person identified in a consumer complaint is in violation of this chapter, the director shall refer
608 the matter to the attorney general.
609 (c) Upon request, the division shall provide consultation and assistance to the attorney
610 general in enforcing this chapter.
611 Section 14. Section 13-61-402 is enacted to read:
612 13-61-402. Enforcement powers of the attorney general.
613 (1) The attorney general has the exclusive authority to enforce this chapter.
614 (2) Upon referral from the division, the attorney general may initiate an enforcement
615 action against a controller or processor for a violation of this chapter.
616 (3) (a) At least 30 days before the day on which the attorney general initiates an
617 enforcement action against a controller or processor, the attorney general shall provide the
618 controller or processor:
619 (i) written notice identifying each provision of this chapter the attorney general alleges
620 the controller or processor has violated or is violating; and
621 (ii) an explanation of the basis for each allegation.
622 (b) The attorney general may not initiate an action if the controller or processor:
623 (i) cures the noticed violation within 30 days after the day on which the controller or
624 processor receives the written notice described in Subsection (3)(a); and
625 (ii) provides the attorney general an express written statement that:
626 (A) the violation has been cured; and
627 (B) no further violation of the cured violation will occur.
628 (c) The attorney general may initiate an action against a controller or processor who:
629 (i) fails to cure a violation after receiving the notice described in Subsection (3)(a); or
630 (ii) after curing a noticed violation and providing a written statement in accordance
631 with Subsection (3)(b), continues to violate this chapter.
632 (d) In an action described in Subsection (3)(c), the attorney general may recover:
633 (i) actual damages to the consumer; and
634 (ii) for each violation described in Subsection (3)(c), an amount not to exceed $7,500.
635 (4) All money received from an action under this chapter shall be deposited into the
636 Consumer Privacy Account established in Section 13-61-403.
637 (5) If more than one controller or processor are involved in the same processing in
638 violation of this chapter, the liability for the violation shall be allocated among the controllers
639 or processors according to the principles of comparative fault.
640 Section 15. Section 13-61-403 is enacted to read:
641 13-61-403. Consumer Privacy Restricted Account.
642 (1) There is created a restricted account known as the "Consumer Privacy Account."
643 (2) The account shall be funded by money received through civil enforcement actions
644 under this chapter.
645 (3) Upon appropriation, the division or the attorney general may use money deposited
646 into the account for:
647 (a) investigation and administrative costs incurred by the division in investigating
648 consumer complaints alleging violations of this chapter;
649 (b) recovery of costs and attorney fees accrued by the attorney general in enforcing this
650 chapter; and
651 (c) providing consumer and business education regarding:
652 (i) consumer rights under this chapter; and
653 (ii) compliance with the provisions of this chapter for controllers and processors.
654 (4) If the balance in the account exceeds $4,000,000 at the close of any fiscal year, the
655 Division of Finance shall transfer the amount that exceeds $4,000,000 into the General Fund.
656 Section 16. Section 13-61-404 is enacted to read:
657 13-61-404. Attorney general report.
658 (1) The attorney general and the division shall compile a report:
659 (a) evaluating the liability and enforcement provisions of this chapter, including the
660 effectiveness of the attorney general's and the division's efforts to enforce this chapter; and
661 (b) summarizing the data protected and not protected by this chapter including, with
662 reasonable detail, a list of the types of information that are publicly available from local, state,
663 and federal government sources.
664 (2) The attorney general and the division may update the report as new information
665 becomes available.
666 (3) The attorney general and the division shall submit the report to the Business and
667 Labor Interim Committee before July 1, 2025.
668 Section 17. Effective date.
669 This bill takes effect on December 31, 2023.
Sen. Cullimore, Kirk A.
Floor Sponsor:
Rep. Brammer, Brady
Substitute Sponsor: Sen. Cullimore, Kirk A.
Drafting Attorney: Christine R. Gilbert
Fiscal Analyst: Bidusha Mudbhari
Bill Tracking
Tracking Page
Bill Text
Introduced
Amended
Amended Pages Only
Enrolled (Currently Displayed)
Other Versions
S.B. 227
S.B. 227 1st Substitute
Related Documents
Fiscal Note
House Committee Amendment 1(passed)
SB0227S01 comparison
Information
Last Action: 24 Mar 2022, Governor Signed
Last Location: Lieutenant Governor's office for filing
Effective Date: 31 Dec 2023
Session Law Chapter: 462
Similar Bills
Business
Commerce and Trade
Department of Commerce
Consumer Protection
Sections Affected
13-2-1
Enrolled
Printer Friendly
S.B. 227
1
CONSUMER PRIVACY ACT
2
2022 GENERAL SESSION
3
STATE OF UTAH
4
Chief Sponsor: Kirk A. Cullimore
5
House Sponsor: Brady Brammer
6
7 LONG TITLE
8 General Description:
9 This bill enacts the Utah Consumer Privacy Act.
10 Highlighted Provisions:
11 This bill:
12 ▸ defines terms;
13 ▸ provides consumers the right to:
14 • access and delete certain personal data maintained by certain businesses; and
15 • opt out of the collection and use of personal data for certain purposes;
16 ▸ requires certain businesses that control and process consumers' personal data to:
17 • safeguard consumers' personal data;
18 • provide clear information to consumers regarding how the consumers' personal
19 data are used; and
20 • accept and comply with a consumer's request to exercise the consumer's rights
21 under this bill;
22 ▸ creates a right for a consumer to know what personal data a business collects, how
23 the business uses the personal data, and whether the business sells the personal data;
24 ▸ upon request and subject to exceptions, requires a business to delete a consumer's
25 personal data or stop selling the consumer's personal data;
26 ▸ allows the Division of Consumer Protection to accept and investigate consumer
27 complaints regarding the processing of personal data;
28 ▸ authorizes the Office of the Attorney General to take enforcement action and
29 impose penalties; and
30 ▸ makes technical changes.
31 Money Appropriated in this Bill:
32 None
33 Other Special Clauses:
34 This bill provides a special effective date.
35 Utah Code Sections Affected:
36 AMENDS:
37 13-2-1, as last amended by Laws of Utah 2021, Chapter 266
38 ENACTS:
39 13-61-101, Utah Code Annotated 1953
40 13-61-102, Utah Code Annotated 1953
41 13-61-103, Utah Code Annotated 1953
42 13-61-201, Utah Code Annotated 1953
43 13-61-202, Utah Code Annotated 1953
44 13-61-203, Utah Code Annotated 1953
45 13-61-301, Utah Code Annotated 1953
46 13-61-302, Utah Code Annotated 1953
47 13-61-303, Utah Code Annotated 1953
48 13-61-304, Utah Code Annotated 1953
49 13-61-305, Utah Code Annotated 1953
50 13-61-401, Utah Code Annotated 1953
51 13-61-402, Utah Code Annotated 1953
52 13-61-403, Utah Code Annotated 1953
53 13-61-404, Utah Code Annotated 1953
54
55 Be it enacted by the Legislature of the state of Utah:
56 Section 1. Section 13-2-1 is amended to read:
57 13-2-1. Consumer protection division established -- Functions.
58 (1) There is established within the Department of Commerce the Division of Consumer
59 Protection.
60 (2) The division shall administer and enforce the following:
61 (a) Chapter 5, Unfair Practices Act;
62 (b) Chapter 10a, Music Licensing Practices Act;
63 (c) Chapter 11, Utah Consumer Sales Practices Act;
64 (d) Chapter 15, Business Opportunity Disclosure Act;
65 (e) Chapter 20, New Motor Vehicle Warranties Act;
66 (f) Chapter 21, Credit Services Organizations Act;
67 (g) Chapter 22, Charitable Solicitations Act;
68 (h) Chapter 23, Health Spa Services Protection Act;
69 (i) Chapter 25a, Telephone and Facsimile Solicitation Act;
70 (j) Chapter 26, Telephone Fraud Prevention Act;
71 (k) Chapter 28, Prize Notices Regulation Act;
72 (l) Chapter 32a, Pawnshop and Secondhand Merchandise Transaction Information Act;
73 (m) Chapter 34, Utah Postsecondary Proprietary School Act;
74 (n) Chapter 34a, Utah Postsecondary School State Authorization Act;
75 (o) Chapter 41, Price Controls During Emergencies Act;
76 (p) Chapter 42, Uniform Debt-Management Services Act;
77 (q) Chapter 49, Immigration Consultants Registration Act;
78 (r) Chapter 51, Transportation Network Company Registration Act;
79 (s) Chapter 52, Residential Solar Energy Disclosure Act;
80 (t) Chapter 53, Residential, Vocational and Life Skills Program Act;
81 (u) Chapter 54, Ticket Website Sales Act;
82 (v) Chapter 56, Ticket Transferability Act; [and]
83 (w) Chapter 57, Maintenance Funding Practices Act[.]; and
84 (x) Chapter 61, Utah Consumer Privacy Act.
85 Section 2. Section 13-61-101 is enacted to read:
86
CHAPTER 61. UTAH CONSUMER PRIVACY ACT
87
Part 1. General Provisions
88 13-61-101. Definitions.
89 As used in this chapter:
90 (1) "Account" means the Consumer Privacy Restricted Account established in Section
91 13-61-403.
92 (2) "Affiliate" means an entity that:
93 (a) controls, is controlled by, or is under common control with another entity; or
94 (b) shares common branding with another entity.
95 (3) "Aggregated data" means information that relates to a group or category of
96 consumers:
97 (a) from which individual consumer identities have been removed; and
98 (b) that is not linked or reasonably linkable to any consumer.
99 (4) "Air carrier" means the same as that term is defined in 49 U.S.C. Sec. 40102.
100 (5) "Authenticate" means to use reasonable means to determine that a consumer's
101 request to exercise the rights described in Section 13-61-201 is made by the consumer who is
102 entitled to exercise those rights.
103 (6) (a) "Biometric data" means data generated by automatic measurements of an
104 individual's unique biological characteristics.
105 (b) "Biometric data" includes data described in Subsection (6)(a) that are generated by
106 automatic measurements of an individual's fingerprint, voiceprint, eye retinas, irises, or any
107 other unique biological pattern or characteristic that is used to identify a specific individual.
108 (c) "Biometric data" does not include:
109 (i) a physical or digital photograph;
110 (ii) a video or audio recording;
111 (iii) data generated from an item described in Subsection (6)(c)(i) or (ii);
112 (iv) information captured from a patient in a health care setting; or
113 (v) information collected, used, or stored for treatment, payment, or health care
114 operations as those terms are defined in 45 C.F.R. Parts 160, 162, and 164.
115 (7) "Business associate" means the same as that term is defined in 45 C.F.R. Sec.
116 160.103.
117 (8) "Child" means an individual younger than 13 years old.
118 (9) "Consent" means an affirmative act by a consumer that unambiguously indicates
119 the consumer's voluntary and informed agreement to allow a person to process personal data
120 related to the consumer.
121 (10) (a) "Consumer" means an individual who is a resident of the state acting in an
122 individual or household context.
123 (b) "Consumer" does not include an individual acting in an employment or commercial
124 context.
125 (11) "Control" or "controlled" as used in Subsection (2) means:
126 (a) ownership of, or the power to vote, more than 50% of the outstanding shares of any
127 class of voting securities of an entity;
128 (b) control in any manner over the election of a majority of the directors or of the
129 individuals exercising similar functions; or
130 (c) the power to exercise controlling influence of the management of an entity.
131 (12) "Controller" means a person doing business in the state who determines the
132 purposes for which and the means by which personal data are processed, regardless of whether
133 the person makes the determination alone or with others.
134 (13) "Covered entity" means the same as that term is defined in 45 C.F.R. Sec.
135 160.103.
136 (14) "Deidentified data" means data that:
137 (a) cannot reasonably be linked to an identified individual or an identifiable individual;
138 and
139 (b) are possessed by a controller who:
140 (i) takes reasonable measures to ensure that a person cannot associate the data with an
141 individual;
142 (ii) publicly commits to maintain and use the data only in deidentified form and not
143 attempt to reidentify the data; and
144 (iii) contractually obligates any recipients of the data to comply with the requirements
145 described in Subsections (14)(b)(i) and (ii).
146 (15) "Director" means the director of the Division of Consumer Protection.
147 (16) "Division" means the Division of Consumer Protection created in Section 13-2-1.
148 (17) "Governmental entity" means the same as that term is defined in Section
149 63G-2-103.
150 (18) "Health care facility" means the same as that term is defined in Section 26-21-2.
151 (19) "Health care provider" means the same as that term is defined in Section 26-21-2.
152 (20) "Identifiable individual" means an individual who can be readily identified,
153 directly or indirectly.
154 (21) "Institution of higher education" means a public or private institution of higher
155 education.
156 (22) "Local political subdivision" means the same as that term is defined in Section
157 11-14-102.
158 (23) "Nonprofit corporation" means:
159 (a) the same as that term is defined in Section 16-6a-102; or
160 (b) a foreign nonprofit corporation as defined in Section 16-6a-102.
161 (24) (a) "Personal data" means information that is linked or reasonably linkable to an
162 identified individual or an identifiable individual.
163 (b) "Personal data" does not include deidentified data, aggregated data, or publicly
164 available information.
165 (25) "Process" means an operation or set of operations performed on personal data,
166 including collection, use, storage, disclosure, analysis, deletion, or modification of personal
167 data.
168 (26) "Processor" means a person who processes personal data on behalf of a controller.
169 (27) "Protected health information" means the same as that term is defined in 45 C.F.R.
170 Sec. 160.103.
171 (28) "Pseudonymous data" means personal data that cannot be attributed to a specific
172 individual without the use of additional information, if the additional information is:
173 (a) kept separate from the consumer's personal data; and
174 (b) subject to appropriate technical and organizational measures to ensure that the
175 personal data are not attributable to an identified individual or an identifiable individual.
176 (29) "Publicly available information" means information that a person:
177 (a) lawfully obtains from a record of a governmental entity;
178 (b) reasonably believes a consumer or widely distributed media has lawfully made
179 available to the general public; or
180 (c) if the consumer has not restricted the information to a specific audience, obtains
181 from a person to whom the consumer disclosed the information.
182 (30) "Right" means a consumer right described in Section 13-61-201.
183 (31) (a) "Sale," "sell," or "sold" means the exchange of personal data for monetary
184 consideration by a controller to a third party.
185 (b) "Sale," "sell," or "sold" does not include:
186 (i) a controller's disclosure of personal data to a processor who processes the personal
187 data on behalf of the controller;
188 (ii) a controller's disclosure of personal data to an affiliate of the controller;
189 (iii) considering the context in which the consumer provided the personal data to the
190 controller, a controller's disclosure of personal data to a third party if the purpose is consistent
191 with a consumer's reasonable expectations;
192 (iv) the disclosure or transfer of personal data when a consumer directs a controller to:
193 (A) disclose the personal data; or
194 (B) interact with one or more third parties;
195 (v) a consumer's disclosure of personal data to a third party for the purpose of
196 providing a product or service requested by the consumer or a parent or legal guardian of a
197 child;
198 (vi) the disclosure of information that the consumer:
199 (A) intentionally makes available to the general public via a channel of mass media;
200 and
201 (B) does not restrict to a specific audience; or
202 (vii) a controller's transfer of personal data to a third party as an asset that is part of a
203 proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes
204 control of all or part of the controller's assets.
205 (32) (a) "Sensitive data" means:
206 (i) personal data that reveals:
207 (A) an individual's racial or ethnic origin;
208 (B) an individual's religious beliefs;
209 (C) an individual's sexual orientation;
210 (D) an individual's citizenship or immigration status; or
211 (E) information regarding an individual's medical history, mental or physical health
212 condition, or medical treatment or diagnosis by a health care professional;
213 (ii) the processing of genetic personal data or biometric data, if the processing is for the
214 purpose of identifying a specific individual; or
215 (iii) specific geolocation data.
216 (b) "Sensitive data" does not include personal data that reveals an individual's:
217 (i) racial or ethnic origin, if the personal data are processed by a video communication
218 service; or
219 (ii) if the personal data are processed by a person licensed to provide health care under
220 Title 26, Chapter 21, Health Care Facility Licensing and Inspection Act, or Title 58,
221 Occupations and Professions, information regarding an individual's medical history, mental or
222 physical health condition, or medical treatment or diagnosis by a health care professional.
223 (33) (a) "Specific geolocation data" means information derived from technology,
224 including global position system level latitude and longitude coordinates, that directly
225 identifies an individual's specific location, accurate within a radius of 1,750 feet or less.
226 (b) "Specific geolocation data" does not include:
227 (i) the content of a communication; or
228 (ii) any data generated by or connected to advanced utility metering infrastructure
229 systems or equipment for use by a utility.
230 (34) (a) "Targeted advertising" means displaying an advertisement to a consumer
231 where the advertisement is selected based on personal data obtained from the consumer's
232 activities over time and across nonaffiliated websites or online applications to predict the
233 consumer's preferences or interests.
234 (b) "Targeted advertising" does not include advertising:
235 (i) based on a consumer's activities within a controller's website or online application
236 or any affiliated website or online application;
237 (ii) based on the context of a consumer's current search query or visit to a website or
238 online application;
239 (iii) directed to a consumer in response to the consumer's request for information,
240 product, a service, or feedback; or
241 (iv) processing personal data solely to measure or report advertising:
242 (A) performance;
243 (B) reach; or
244 (C) frequency.
245 (35) "Third party" means a person other than:
246 (a) the consumer, controller, or processor; or
247 (b) an affiliate or contractor of the controller or the processor.
248 (36) "Trade secret" means information, including a formula, pattern, compilation,
249 program, device, method, technique, or process, that:
250 (a) derives independent economic value, actual or potential, from not being generally
251 known to, and not being readily ascertainable by proper means by, other persons who can
252 obtain economic value from the information's disclosure or use; and
253 (b) is the subject of efforts that are reasonable under the circumstances to maintain the
254 information's secrecy.
255 Section 3. Section 13-61-102 is enacted to read:
256 13-61-102. Applicability.
257 (1) This chapter applies to any controller or processor who:
258 (a) (i) conducts business in the state; or
259 (ii) produces a product or service that is targeted to consumers who are residents of the
260 state;
261 (b) has annual revenue of $25,000,000 or more; and
262 (c) satisfies one or more of the following thresholds:
263 (i) during a calendar year, controls or processes personal data of 100,000 or more
264 consumers; or
265 (ii) derives over 50% of the entity's gross revenue from the sale of personal data and
266 controls or processes personal data of 25,000 or more consumers.
267 (2) This chapter does not apply to:
268 (a) a governmental entity or a third party under contract with a governmental entity
269 when the third party is acting on behalf of the governmental entity;
270 (b) a tribe;
271 (c) an institution of higher education;
272 (d) a nonprofit corporation;
273 (e) a covered entity;
274 (f) a business associate;
275 (g) information that meets the definition of:
276 (i) protected health information for purposes of the federal Health Insurance Portability
277 and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations;
278 (ii) patient identifying information for purposes of 42 C.F.R. Part 2;
279 (iii) identifiable private information for purposes of the Federal Policy for the
280 Protection of Human Subjects, 45 C.F.R. Part 46;
281 (iv) identifiable private information or personal data collected as part of human
282 subjects research pursuant to or under the same standards as:
283 (A) the good clinical practice guidelines issued by the International Council for
284 Harmonisation; or
285 (B) the Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review
286 Boards under 21 C.F.R. Part 56;
287 (v) personal data used or shared in research conducted in accordance with one or more
288 of the requirements described in Subsection (2)(g)(iv);
289 (vi) information and documents created specifically for, and collected and maintained
290 by, a committee listed in Section 26-1-7;
291 (vii) information and documents created for purposes of the federal Health Care
292 Quality Improvement Act of 1986, 42 U.S.C. Sec. 11101 et seq., and related regulations;
293 (viii) patient safety work product for purposes of 42 C.F.R. Part 3; or
294 (ix) information that is:
295 (A) deidentified in accordance with the requirements for deidentification set forth in 45
296 C.F.R. Part 164; and
297 (B) derived from any of the health care-related information listed in this Subsection
298 (2)(g);
299 (h) information originating from, and intermingled to be indistinguishable with,
300 information under Subsection (2)(g) that is maintained by:
301 (i) a health care facility or health care provider; or
302 (ii) a program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11;
303 (i) information used only for public health activities and purposes as described in 45
304 C.F.R. Sec. 164.512;
305 (j) (i) an activity by:
306 (A) a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a;
307 (B) a furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides
308 information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or
309 (C) a user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b;
310 (ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec.
311 1681 et seq.; and
312 (iii) involving the collection, maintenance, disclosure, sale, communication, or use of
313 any personal data bearing on a consumer's:
314 (A) credit worthiness;
315 (B) credit standing;
316 (C) credit capacity;
317 (D) character;
318 (E) general reputation;
319 (F) personal characteristics; or
320 (G) mode of living;
321 (k) a financial institution or an affiliate of a financial institution governed by, or
322 personal data collected, processed, sold, or disclosed in accordance with, Title V of the
323 Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations;
324 (l) personal data collected, processed, sold, or disclosed in accordance with the federal
325 Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.;
326 (m) personal data regulated by the federal Family Education Rights and Privacy Act,
327 20 U.S.C. Sec. 1232g, and related regulations;
328 (n) personal data collected, processed, sold, or disclosed in accordance with the federal
329 Farm Credit Act of 1971, 12 U.S.C. Sec. 2001 et seq.;
330 (o) data that are processed or maintained:
331 (i) in the course of an individual applying to, being employed by, or acting as an agent
332 or independent contractor of a controller, processor, or third party, to the extent the collection
333 and use of the data are related to the individual's role;
334 (ii) as the emergency contact information of an individual described in Subsection
335 (2)(o)(i) and used for emergency contact purposes; or
336 (iii) to administer benefits for another individual relating to an individual described in
337 Subsection (2)(o)(i) and used for the purpose of administering the benefits;
338 (p) an individual's processing of personal data for purely personal or household
339 purposes; or
340 (q) an air carrier.
341 (3) A controller is in compliance with any obligation to obtain parental consent under
342 this chapter if the controller complies with the verifiable parental consent mechanisms under
343 the Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and the act's
344 implementing regulations and exemptions.
345 (4) This chapter does not require a person to take any action in conflict with the federal
346 Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., or
347 related regulations.
348 Section 4. Section 13-61-103 is enacted to read:
349 13-61-103. Preemption -- Reference to other laws.
350 (1) This chapter supersedes and preempts any ordinance, resolution, rule, or other
351 regulation adopted by a local political subdivision regarding the processing of personal data by
352 a controller or processor.
353 (2) Any reference to federal law in this chapter includes any rules or regulations
354 promulgated under the federal law.
355 Section 5. Section 13-61-201 is enacted to read:
356
Part 2. Rights Relating to Personal Data
357 13-61-201. Consumer rights -- Access -- Deletion -- Portability -- Opt out of
358 certain processing.
359 (1) A consumer has the right to:
360 (a) confirm whether a controller is processing the consumer's personal data; and
361 (b) access the consumer's personal data.
362 (2) A consumer has the right to delete the consumer's personal data that the consumer
363 provided to the controller.
364 (3) A consumer has the right to obtain a copy of the consumer's personal data, that the
365 consumer previously provided to the controller, in a format that:
366 (a) to the extent technically feasible, is portable;
367 (b) to the extent practicable, is readily usable; and
368 (c) allows the consumer to transmit the data to another controller without impediment,
369 where the processing is carried out by automated means.
370 (4) A consumer has the right to opt out of the processing of the consumer's personal
371 data for purposes of:
372 (a) targeted advertising; or
373 (b) the sale of personal data.
374 (5) Nothing in this section requires a person to cause a breach of security system as
375 defined in Section 13-44-102.
376 Section 6. Section 13-61-202 is enacted to read:
377 13-61-202. Exercising consumer rights.
378 (1) A consumer may exercise a right by submitting a request to a controller, by means
379 prescribed by the controller, specifying the right the consumer intends to exercise.
380 (2) In the case of processing personal data concerning a known child, the parent or
381 legal guardian of the known child shall exercise a right on the child's behalf.
382 (3) In the case of processing personal data concerning a consumer subject to
383 guardianship, conservatorship, or other protective arrangement under Title 75, Chapter 5,
384 Protection of Persons Under Disability and Their Property, the guardian or the conservator of
385 the consumer shall exercise a right on the consumer's behalf.
386 Section 7. Section 13-61-203 is enacted to read:
387 13-61-203. Controller's response to requests.
388 (1) Subject to the other provisions of this chapter, a controller shall comply with a
389 consumer's request under Section 13-61-202 to exercise a right.
390 (2) (a) Within 45 days after the day on which a controller receives a request to exercise
391 a right, the controller shall:
392 (i) take action on the consumer's request; and
393 (ii) inform the consumer of any action taken on the consumer's request.
394 (b) The controller may extend once the initial 45-day period by an additional 45 days if
395 reasonably necessary due to the complexity of the request or the volume of the requests
396 received by the controller.
397 (c) If a controller extends the initial 45-day period, before the initial 45-day period
398 expires, the controller shall:
399 (i) inform the consumer of the extension, including the length of the extension; and
400 (ii) provide the reasons the extension is reasonably necessary as described in
401 Subsection (2)(b).
402 (d) The 45-day period does not apply if the controller reasonably suspects the
403 consumer's request is fraudulent and the controller is not able to authenticate the request before
404 the 45-day period expires.
405 (3) If, in accordance with this section, a controller chooses not to take action on a
406 consumer's request, the controller shall within 45 days after the day on which the controller
407 receives the request, inform the consumer of the reasons for not taking action.
408 (4) (a) A controller may not charge a fee for information in response to a request,
409 unless the request is the consumer's second or subsequent request during the same 12-month
410 period.
411 (b) (i) Notwithstanding Subsection (4)(a), a controller may charge a reasonable fee to
412 cover the administrative costs of complying with a request or refuse to act on a request, if:
413 (A) the request is excessive, repetitive, technically infeasible, or manifestly unfounded;
414 (B) the controller reasonably believes the primary purpose in submitting the request
415 was something other than exercising a right; or
416 (C) the request, individually or as part of an organized effort, harasses, disrupts, or
417 imposes undue burden on the resources of the controller's business.
418 (ii) A controller that charges a fee or refuses to act in accordance with this Subsection
419 (4)(b) bears the burden of demonstrating the request satisfied one or more of the criteria
420 described in Subsection (4)(b)(i).
421 (5) If a controller is unable to authenticate a consumer request to exercise a right
422 described in Section 13-61-201 using commercially reasonable efforts, the controller:
423 (a) is not required to comply with the request; and
424 (b) may request that the consumer provide additional information reasonably necessary
425 to authenticate the request.
426 Section 8. Section 13-61-301 is enacted to read:
427
Part 3. Requirements for Controllers and Processors
428 13-61-301. Responsibility according to role.
429 (1) A processor shall:
430 (a) adhere to the controller's instructions; and
431 (b) taking into account the nature of the processing and information available to the
432 processor, by appropriate technical and organizational measures, insofar as reasonably
433 practicable, assist the controller in meeting the controller's obligations, including obligations
434 related to the security of processing personal data and notification of a breach of security
435 system described in Section 13-44-202.
436 (2) Before a processor performs processing on behalf of a controller, the processor and
437 controller shall enter into a contract that:
438 (a) clearly sets forth instructions for processing personal data, the nature and purpose
439 of the processing, the type of data subject to processing, the duration of the processing, and the
440 parties' rights and obligations;
441 (b) requires the processor to ensure each person processing personal data is subject to a
442 duty of confidentiality with respect to the personal data; and
443 (c) requires the processor to engage any subcontractor pursuant to a written contract
444 that requires the subcontractor to meet the same obligations as the processor with respect to the
445 personal data.
446 (3) (a) Determining whether a person is acting as a controller or processor with respect
447 to a specific processing of data is a fact-based determination that depends upon the context in
448 which personal data are to be processed.
449 (b) A processor that adheres to a controller's instructions with respect to a specific
450 processing of personal data remains a processor.
451 Section 9. Section 13-61-302 is enacted to read:
452 13-61-302. Responsibilities of controllers -- Transparency -- Purpose specification
453 and data minimization -- Consent for secondary use -- Security -- Nondiscrimination --
454 Nonretaliation -- Nonwaiver of consumer rights.
455 (1) (a) A controller shall provide consumers with a reasonably accessible and clear
456 privacy notice that includes:
457 (i) the categories of personal data processed by the controller;
458 (ii) the purposes for which the categories of personal data are processed;
459 (iii) how consumers may exercise a right;
460 (iv) the categories of personal data that the controller shares with third parties, if any;
461 and
462 (v) the categories of third parties, if any, with whom the controller shares personal data.
463 (b) If a controller sells a consumer's personal data to one or more third parties or
464 engages in targeted advertising, the controller shall clearly and conspicuously disclose to the
465 consumer the manner in which the consumer may exercise the right to opt out of the:
466 (i) sale of the consumer's personal data; or
467 (ii) processing for targeted advertising.
468 (2) (a) A controller shall establish, implement, and maintain reasonable administrative,
469 technical, and physical data security practices designed to:
470 (i) protect the confidentiality and integrity of personal data; and
471 (ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing
472 of personal data.
473 (b) Considering the controller's business size, scope, and type, a controller shall use
474 data security practices that are appropriate for the volume and nature of the personal data at
475 issue.
476 (3) Except as otherwise provided in this chapter, a controller may not process sensitive
477 data collected from a consumer without:
478 (a) first presenting the consumer with clear notice and an opportunity to opt out of the
479 processing; or
480 (b) in the case of the processing of personal data concerning a known child, processing
481 the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C.
482 Sec. 6501 et seq., and the act's implementing regulations and exemptions.
483 (4) (a) A controller may not discriminate against a consumer for exercising a right by:
484 (i) denying a good or service to the consumer;
485 (ii) charging the consumer a different price or rate for a good or service; or
486 (iii) providing the consumer a different level of quality of a good or service.
487 (b) This Subsection (4) does not prohibit a controller from offering a different price,
488 rate, level, quality, or selection of a good or service to a consumer, including offering a good or
489 service for no fee or at a discount, if:
490 (i) the consumer has opted out of targeted advertising; or
491 (ii) the offer is related to the consumer's voluntary participation in a bona fide loyalty,
492 rewards, premium features, discounts, or club card program.
493 (5) A controller is not required to provide a product, service, or functionality to a
494 consumer if:
495 (a) the consumer's personal data are or the processing of the consumer's personal data
496 is reasonably necessary for the controller to provide the consumer the product, service, or
497 functionality; and
498 (b) the consumer does not:
499 (i) provide the consumer's personal data to the controller; or
500 (ii) allow the controller to process the consumer's personal data.
501 (6) Any provision of a contract that purports to waive or limit a consumer's right under
502 this chapter is void.
503 Section 10. Section 13-61-303 is enacted to read:
504 13-61-303. Processing deidentified data or pseudonymous data.
505 (1) The provisions of this chapter do not require a controller or processor to:
506 (a) reidentify deidentified data or pseudonymous data;
507 (b) maintain data in identifiable form or obtain, retain, or access any data or technology
508 for the purpose of allowing the controller or processor to associate a consumer request with
509 personal data; or
510 (c) comply with an authenticated consumer request to exercise a right described in
511 Subsections 13-61-202(1) through (3), if:
512 (i) (A) the controller is not reasonably capable of associating the request with the
513 personal data; or
514 (B) it would be unreasonably burdensome for the controller to associate the request
515 with the personal data;
516 (ii) the controller does not:
517 (A) use the personal data to recognize or respond to the consumer who is the subject of
518 the personal data; or
519 (B) associate the personal data with other personal data about the consumer; and
520 (iii) the controller does not sell or otherwise disclose the personal data to any third
521 party other than a processor, except as otherwise permitted in this section.
522 (2) The rights described in Subsections 13-61-201(1) through (3) do not apply to
523 pseudonymous data if a controller demonstrates that any information necessary to identify a
524 consumer is kept:
525 (a) separately; and
526 (b) subject to appropriate technical and organizational measures to ensure the personal
527 data are not attributed to an identified individual or an identifiable individual.
528 (3) A controller who uses pseudonymous data or deidentified data shall take reasonable
529 steps to ensure the controller:
530 (a) complies with any contractual obligations to which the pseudonymous data or
531 deidentified data are subject; and
532 (b) promptly addresses any breach of a contractual obligation described in Subsection
533 (3)(a).
534 Section 11. Section 13-61-304 is enacted to read:
535 13-61-304. Limitations.
536 (1) The requirements described in this chapter do not restrict a controller's or
537 processor's ability to:
538 (a) comply with a federal, state, or local law, rule, or regulation;
539 (b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
540 summons by a federal, state, local, or other governmental entity;
541 (c) cooperate with a law enforcement agency concerning activity that the controller or
542 processor reasonably and in good faith believes may violate federal, state, or local laws, rules,
543 or regulations;
544 (d) investigate, establish, exercise, prepare for, or defend a legal claim;
545 (e) provide a product or service requested by a consumer or a parent or legal guardian
546 of a child;
547 (f) perform a contract to which the consumer or the parent or legal guardian of a child
548 is a party, including fulfilling the terms of a written warranty or taking steps at the request of
549 the consumer or parent or legal guardian before entering into the contract with the consumer;
550 (g) take immediate steps to protect an interest that is essential for the life or physical
551 safety of the consumer or of another individual;
552 (h) (i) detect, prevent, protect against, or respond to a security incident, identity theft,
553 fraud, harassment, malicious or deceptive activity, or any illegal activity; or
554 (ii) investigate, report, or prosecute a person responsible for an action described in
555 Subsection (1)(h)(i);
556 (i) (i) preserve the integrity or security of systems; or
557 (ii) investigate, report, or prosecute a person responsible for harming or threatening the
558 integrity or security of systems, as applicable;
559 (j) if the controller discloses the processing in a notice described in Section 13-61-302,
560 engage in public or peer-reviewed scientific, historical, or statistical research in the public
561 interest that adheres to all other applicable ethics and privacy laws;
562 (k) assist another person with an obligation described in this subsection;
563 (l) process personal data to:
564 (i) conduct internal analytics or other research to develop, improve, or repair a
565 controller's or processor's product, service, or technology;
566 (ii) identify and repair technical errors that impair existing or intended functionality; or
567 (iii) effectuate a product recall;
568 (m) process personal data to perform an internal operation that is:
569 (i) reasonably aligned with the consumer's expectations based on the consumer's
570 existing relationship with the controller; or
571 (ii) otherwise compatible with processing to aid the controller or processor in
572 providing a product or service specifically requested by a consumer or a parent or legal
573 guardian of a child or the performance of a contract to which the consumer or a parent or legal
574 guardian of a child is a party; or
575 (n) retain a consumer's email address to comply with the consumer's request to exercise
576 a right.
577 (2) This chapter does not apply if a controller's or processor's compliance with this
578 chapter:
579 (a) violates an evidentiary privilege under Utah law;
580 (b) as part of a privileged communication, prevents a controller or processor from
581 providing personal data concerning a consumer to a person covered by an evidentiary privilege
582 under Utah law; or
583 (c) adversely affects the privacy or other rights of any person.
584 (3) A controller or processor is not in violation of this chapter if:
585 (a) the controller or processor discloses personal data to a third party controller or
586 processor in compliance with this chapter;
587 (b) the third party processes the personal data in violation of this chapter; and
588 (c) the disclosing controller or processor did not have actual knowledge of the third
589 party's intent to commit a violation of this chapter.
590 (4) If a controller processes personal data under an exemption described in Subsection
591 (1), the controller bears the burden of demonstrating that the processing qualifies for the
592 exemption.
593 (5) Nothing in this chapter requires a controller, processor, third party, or consumer to
594 disclose a trade secret.
595 Section 12. Section 13-61-305 is enacted to read:
596 13-61-305. No private cause of action.
597 A violation of this chapter does not provide a basis for, nor is a violation of this chapter
598 subject to, a private right of action under this chapter or any other law.
599 Section 13. Section 13-61-401 is enacted to read:
600
Part 4. Enforcement
601 13-61-401. Investigative powers of division.
602 (1) The division shall establish and administer a system to receive consumer
603 complaints regarding a controller's or processor's alleged violation of this chapter.
604 (2) (a) The division may investigate a consumer complaint to determine whether the
605 controller or processor violated or is violating this chapter.
606 (b) If the director has reasonable cause to believe that substantial evidence exists that a
607 person identified in a consumer complaint is in violation of this chapter, the director shall refer
608 the matter to the attorney general.
609 (c) Upon request, the division shall provide consultation and assistance to the attorney
610 general in enforcing this chapter.
611 Section 14. Section 13-61-402 is enacted to read:
612 13-61-402. Enforcement powers of the attorney general.
613 (1) The attorney general has the exclusive authority to enforce this chapter.
614 (2) Upon referral from the division, the attorney general may initiate an enforcement
615 action against a controller or processor for a violation of this chapter.
616 (3) (a) At least 30 days before the day on which the attorney general initiates an
617 enforcement action against a controller or processor, the attorney general shall provide the
618 controller or processor:
619 (i) written notice identifying each provision of this chapter the attorney general alleges
620 the controller or processor has violated or is violating; and
621 (ii) an explanation of the basis for each allegation.
622 (b) The attorney general may not initiate an action if the controller or processor:
623 (i) cures the noticed violation within 30 days after the day on which the controller or
624 processor receives the written notice described in Subsection (3)(a); and
625 (ii) provides the attorney general an express written statement that:
626 (A) the violation has been cured; and
627 (B) no further violation of the cured violation will occur.
628 (c) The attorney general may initiate an action against a controller or processor who:
629 (i) fails to cure a violation after receiving the notice described in Subsection (3)(a); or
630 (ii) after curing a noticed violation and providing a written statement in accordance
631 with Subsection (3)(b), continues to violate this chapter.
632 (d) In an action described in Subsection (3)(c), the attorney general may recover:
633 (i) actual damages to the consumer; and
634 (ii) for each violation described in Subsection (3)(c), an amount not to exceed $7,500.
635 (4) All money received from an action under this chapter shall be deposited into the
636 Consumer Privacy Account established in Section 13-61-403.
637 (5) If more than one controller or processor are involved in the same processing in
638 violation of this chapter, the liability for the violation shall be allocated among the controllers
639 or processors according to the principles of comparative fault.
640 Section 15. Section 13-61-403 is enacted to read:
641 13-61-403. Consumer Privacy Restricted Account.
642 (1) There is created a restricted account known as the "Consumer Privacy Account."
643 (2) The account shall be funded by money received through civil enforcement actions
644 under this chapter.
645 (3) Upon appropriation, the division or the attorney general may use money deposited
646 into the account for:
647 (a) investigation and administrative costs incurred by the division in investigating
648 consumer complaints alleging violations of this chapter;
649 (b) recovery of costs and attorney fees accrued by the attorney general in enforcing this
650 chapter; and
651 (c) providing consumer and business education regarding:
652 (i) consumer rights under this chapter; and
653 (ii) compliance with the provisions of this chapter for controllers and processors.
654 (4) If the balance in the account exceeds $4,000,000 at the close of any fiscal year, the
655 Division of Finance shall transfer the amount that exceeds $4,000,000 into the General Fund.
656 Section 16. Section 13-61-404 is enacted to read:
657 13-61-404. Attorney general report.
658 (1) The attorney general and the division shall compile a report:
659 (a) evaluating the liability and enforcement provisions of this chapter, including the
660 effectiveness of the attorney general's and the division's efforts to enforce this chapter; and
661 (b) summarizing the data protected and not protected by this chapter including, with
662 reasonable detail, a list of the types of information that are publicly available from local, state,
663 and federal government sources.
664 (2) The attorney general and the division may update the report as new information
665 becomes available.
666 (3) The attorney general and the division shall submit the report to the Business and
667 Labor Interim Committee before July 1, 2025.
668 Section 17. Effective date.
669 This bill takes effect on December 31, 2023.