Utah Consumer Privacy Act: Key Provisions and Definitions, Lecture notes of Business

Topics: Legal Studies, Cybersecurity, Information Technology, Data Protection

Lecture notes on the Utah Consumer Privacy Act (Utah S.B. 227, 2022 General Session), reproducing the enrolled bill text and highlighting its provisions and key defined terms such as 'protected health information', 'pseudonymous data', 'sale', 'sensitive data', and more. The Act grants consumers rights to access, delete, and opt out of the collection and use of their personal data by certain businesses, and requires those businesses to safeguard consumers' personal data and to provide clear information about how it is used.

What you will learn

  • What is the difference between 'pseudonymous data' and 'sensitive data' under the Utah Consumer Privacy Act?
  • Which businesses does the Utah Consumer Privacy Act apply to?
  • What is considered 'protected health information' under the Utah Consumer Privacy Act?
  • What rights do consumers have under the Utah Consumer Privacy Act?
  • How do businesses need to respond to consumer requests under the Utah Consumer Privacy Act?

Typology: Lecture notes

2021/2022

Uploaded on 09/12/2022 by paulina

Partial preview of the text

Enrolled Copy S.B. 227

CONSUMER PRIVACY ACT
2022 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Kirk A. Cullimore
House Sponsor: Brady Brammer

LONG TITLE
General Description:
This bill enacts the Utah Consumer Privacy Act.

Highlighted Provisions:
This bill:
• defines terms;
• provides consumers the right to:
  ◦ access and delete certain personal data maintained by certain businesses; and
  ◦ opt out of the collection and use of personal data for certain purposes;
• requires certain businesses that control and process consumers' personal data to:
  ◦ safeguard consumers' personal data;
  ◦ provide clear information to consumers regarding how the consumers' personal data are used; and
  ◦ accept and comply with a consumer's request to exercise the consumer's rights under this bill;
• creates a right for a consumer to know what personal data a business collects, how the business uses the personal data, and whether the business sells the personal data;
• upon request and subject to exceptions, requires a business to delete a consumer's personal data or stop selling the consumer's personal data;
• allows the Division of Consumer Protection to accept and investigate consumer complaints regarding the processing of personal data;
• authorizes the Office of the Attorney General to take enforcement action and impose penalties; and
• makes technical changes.

Money Appropriated in this Bill:
None

Other Special Clauses:
This bill provides a special effective date.

Utah Code Sections Affected:
AMENDS:
13-2-1, as last amended by Laws of Utah 2021, Chapter 266
ENACTS:
13-61-101, Utah Code Annotated 1953
13-61-102, Utah Code Annotated 1953
13-61-103, Utah Code Annotated 1953
13-61-201, Utah Code Annotated 1953
13-61-202, Utah Code Annotated 1953
13-61-203, Utah Code Annotated 1953
13-61-301, Utah Code Annotated 1953
13-61-302, Utah Code Annotated 1953
13-61-303, Utah Code Annotated 1953
13-61-304, Utah Code Annotated 1953
13-61-305, Utah Code Annotated 1953
13-61-401, Utah Code Annotated 1953
13-61-402, Utah Code Annotated 1953
13-61-403, Utah Code Annotated 1953
13-61-404, Utah Code Annotated 1953

Be it enacted by the Legislature of the state of Utah:

Section 1. Section 13-2-1 is amended to read:
13-2-1. Consumer protection division established -- Functions.

Enrolled Copy S.B. 227 - 5 -

operations as those terms are defined in 45 C.F.R. Parts 160, 162, and 164.
(7) "Business associate" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
(8) "Child" means an individual younger than 13 years old.
(9) "Consent" means an affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer.
(10) (a) "Consumer" means an individual who is a resident of the state acting in an individual or household context.
  (b) "Consumer" does not include an individual acting in an employment or commercial context.
(11) "Control" or "controlled" as used in Subsection (2) means:
  (a) ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting securities of an entity;
  (b) control in any manner over the election of a majority of the directors or of the individuals exercising similar functions; or
  (c) the power to exercise controlling influence of the management of an entity.
(12) "Controller" means a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.
(13) "Covered entity" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
(14) "Deidentified data" means data that:
  (a) cannot reasonably be linked to an identified individual or an identifiable individual; and
  (b) are possessed by a controller who:
    (i) takes reasonable measures to ensure that a person cannot associate the data with an individual;
    (ii) publicly commits to maintain and use the data only in deidentified form and not attempt to reidentify the data; and
    (iii) contractually obligates any recipients of the data to comply with the requirements described in Subsections (14)(b)(i) and (ii).
(15) "Director" means the director of the Division of Consumer Protection.
(16) "Division" means the Division of Consumer Protection created in Section 13-2-1.
(17) "Governmental entity" means the same as that term is defined in Section 63G-2-103.
(18) "Health care facility" means the same as that term is defined in Section 26-21-2.
(19) "Health care provider" means the same as that term is defined in Section 26-21-2.
(20) "Identifiable individual" means an individual who can be readily identified, directly or indirectly.
(21) "Institution of higher education" means a public or private institution of higher education.
(22) "Local political subdivision" means the same as that term is defined in Section 11-14-102.
(23) "Nonprofit corporation" means:
  (a) the same as that term is defined in Section 16-6a-102; or
  (b) a foreign nonprofit corporation as defined in Section 16-6a-102.
(24) (a) "Personal data" means information that is linked or reasonably linkable to an identified individual or an identifiable individual.
  (b) "Personal data" does not include deidentified data, aggregated data, or publicly available information.
(25) "Process" means an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(26) "Processor" means a person who processes personal data on behalf of a controller.
(27) "Protected health information" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
(28) "Pseudonymous data" means personal data that cannot be attributed to a specific individual without the use of additional information, if the additional information is:
  (a) kept separate from the consumer's personal data; and
  (b) subject to appropriate technical and organizational measures to ensure that the personal data are not attributable to an identified individual or an identifiable individual.
(29) "Publicly available information" means information that a person:
  (a) lawfully obtains from a record of a governmental entity;
  (b) reasonably believes a consumer or widely distributed media has lawfully made available to the general public; or
  (c) if the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.
(30) "Right" means a consumer right described in Section 13-61-201.
(31) (a) "Sale," "sell," or "sold" means the exchange of personal data for monetary consideration by a controller to a third party.
  (b) "Sale," "sell," or "sold" does not include:
    (i) a controller's disclosure of personal data to a processor who processes the personal data on behalf of the controller;
    (ii) a controller's disclosure of personal data to an affiliate of the controller;
    (iii) considering the context in which the consumer provided the personal data to the controller, a controller's disclosure of personal data to a third party if the purpose is consistent with a consumer's reasonable expectations;
    (iv) the disclosure or transfer of personal data when a consumer directs a controller to:
      (A) disclose the personal data; or
      (B) interact with one or more third parties;
    (v) a consumer's disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child;

S.B. 227 Enrolled Copy - 10 -

information's secrecy.

Section 3. Section 13-61-102 is enacted to read:
13-61-102. Applicability.
(1) This chapter applies to any controller or processor who:
  (a) (i) conducts business in the state; or
    (ii) produces a product or service that is targeted to consumers who are residents of the state;
  (b) has annual revenue of $25,000,000 or more; and
  (c) satisfies one or more of the following thresholds:
    (i) during a calendar year, controls or processes personal data of 100,000 or more consumers; or
    (ii) derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
(2) This chapter does not apply to:
  (a) a governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity;
  (b) a tribe;
  (c) an institution of higher education;
  (d) a nonprofit corporation;
  (e) a covered entity;
  (f) a business associate;
  (g) information that meets the definition of:
    (i) protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations;
    (ii) patient identifying information for purposes of 42 C.F.R. Part 2;
    (iii) identifiable private information for purposes of the Federal Policy for the Protection of Human Subjects, 45 C.F.R. Part 46;
    (iv) identifiable private information or personal data collected as part of human subjects research pursuant to or under the same standards as:
      (A) the good clinical practice guidelines issued by the International Council for Harmonisation; or
      (B) the Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review Boards under 21 C.F.R. Part 56;
    (v) personal data used or shared in research conducted in accordance with one or more of the requirements described in Subsection (2)(g)(iv);
    (vi) information and documents created specifically for, and collected and maintained by, a committee listed in Section 26-1-7;
    (vii) information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. Sec. 11101 et seq., and related regulations;
    (viii) patient safety work product for purposes of 42 C.F.R. Part 3; or
    (ix) information that is:
      (A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164; and
      (B) derived from any of the health care-related information listed in this Subsection (2)(g);
  (h) information originating from, and intermingled to be indistinguishable with, information under Subsection (2)(g) that is maintained by:
    (i) a health care facility or health care provider; or
    (ii) a program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11;
  (i) information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512;
  (j) (i) an activity by:
      (A) a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a;
      (B) a furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or
      (C) a user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b;
    (ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 et seq.; and
    (iii) involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's:
      (A) credit worthiness;
      (B) credit standing;
      (C) credit capacity;
      (D) character;
      (E) general reputation;
      (F) personal characteristics; or
      (G) mode of living;
  (k) a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations;
  (l) personal data collected, processed, sold, or disclosed in accordance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.;
  (m) personal data regulated by the federal Family Education Rights and Privacy Act, 20 U.S.C. Sec. 1232g, and related regulations;
  (n) personal data collected, processed, sold, or disclosed in accordance with the federal Farm Credit Act of 1971, 12 U.S.C. Sec. 2001 et seq.;
  (o) data that are processed or maintained:
    (i) in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual's role;
    (ii) as the emergency contact information of an individual described in Subsection (2)(o)(i) and used for emergency contact purposes; or
    (iii) to administer benefits for another individual relating to an individual described in Subsection (2)(o)(i) and used for the purpose of administering the benefits;

Enrolled Copy S.B. 227 - 15 -

  (b) The controller may extend once the initial 45-day period by an additional 45 days if reasonably necessary due to the complexity of the request or the volume of the requests received by the controller.
  (c) If a controller extends the initial 45-day period, before the initial 45-day period expires, the controller shall:
    (i) inform the consumer of the extension, including the length of the extension; and
    (ii) provide the reasons the extension is reasonably necessary as described in Subsection (2)(b).
  (d) The 45-day period does not apply if the controller reasonably suspects the consumer's request is fraudulent and the controller is not able to authenticate the request before the 45-day period expires.
(3) If, in accordance with this section, a controller chooses not to take action on a consumer's request, the controller shall within 45 days after the day on which the controller receives the request, inform the consumer of the reasons for not taking action.
(4) (a) A controller may not charge a fee for information in response to a request, unless the request is the consumer's second or subsequent request during the same 12-month period.
  (b) (i) Notwithstanding Subsection (4)(a), a controller may charge a reasonable fee to cover the administrative costs of complying with a request or refuse to act on a request, if:
      (A) the request is excessive, repetitive, technically infeasible, or manifestly unfounded;
      (B) the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or
      (C) the request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller's business.
    (ii) A controller that charges a fee or refuses to act in accordance with this Subsection (4)(b) bears the burden of demonstrating the request satisfied one or more of the criteria described in Subsection (4)(b)(i).
(5) If a controller is unable to authenticate a consumer request to exercise a right described in Section 13-61-201 using commercially reasonable efforts, the controller:
  (a) is not required to comply with the request; and
  (b) may request that the consumer provide additional information reasonably necessary to authenticate the request.

Section 8. Section 13-61-301 is enacted to read:
Part 3. Requirements for Controllers and Processors
13-61-301. Responsibility according to role.
(1) A processor shall:
  (a) adhere to the controller's instructions; and
  (b) taking into account the nature of the processing and information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, assist the controller in meeting the controller's obligations, including obligations related to the security of processing personal data and notification of a breach of security system described in Section 13-44-202.
(2) Before a processor performs processing on behalf of a controller, the processor and controller shall enter into a contract that:
  (a) clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties' rights and obligations;
  (b) requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and
  (c) requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.
(3) (a) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed.
  (b) A processor that adheres to a controller's instructions with respect to a specific processing of personal data remains a processor.

Section 9. Section 13-61-302 is enacted to read:
13-61-302. Responsibilities of controllers -- Transparency -- Purpose specification and data minimization -- Consent for secondary use -- Security -- Nondiscrimination -- Nonretaliation -- Nonwaiver of consumer rights.
(1) (a) A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes:
    (i) the categories of personal data processed by the controller;
    (ii) the purposes for which the categories of personal data are processed;
    (iii) how consumers may exercise a right;
    (iv) the categories of personal data that the controller shares with third parties, if any; and
    (v) the categories of third parties, if any, with whom the controller shares personal data.
  (b) If a controller sells a consumer's personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the:
    (i) sale of the consumer's personal data; or
    (ii) processing for targeted advertising.
(2) (a) A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to:
    (i) protect the confidentiality and integrity of personal data; and
    (ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.
  (b) Considering the controller's business size, scope, and type, a controller shall use data security practices that are appropriate for the volume and nature of the personal data at issue.
(3) Except as otherwise provided in this chapter, a controller may not process sensitive data collected from a consumer without:

S.B. 227 Enrolled Copy - 20 -

Section 11. Section 13-61-304 is enacted to read:
13-61-304. Limitations.
(1) The requirements described in this chapter do not restrict a controller's or processor's ability to:
  (a) comply with a federal, state, or local law, rule, or regulation;
  (b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity;
  (c) cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  (d) investigate, establish, exercise, prepare for, or defend a legal claim;
  (e) provide a product or service requested by a consumer or a parent or legal guardian of a child;
  (f) perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer or parent or legal guardian before entering into the contract with the consumer;
  (g) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual;
  (h) (i) detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity; or
    (ii) investigate, report, or prosecute a person responsible for an action described in Subsection (1)(h)(i);
  (i) (i) preserve the integrity or security of systems; or
    (ii) investigate, report, or prosecute a person responsible for harming or threatening the integrity or security of systems, as applicable;
  (j) if the controller discloses the processing in a notice described in Section 13-61-302, engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws;
  (k) assist another person with an obligation described in this subsection;
  (l) process personal data to:
    (i) conduct internal analytics or other research to develop, improve, or repair a controller's or processor's product, service, or technology;
    (ii) identify and repair technical errors that impair existing or intended functionality; or
    (iii) effectuate a product recall;
  (m) process personal data to perform an internal operation that is:
    (i) reasonably aligned with the consumer's expectations based on the consumer's existing relationship with the controller; or
    (ii) otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer or a parent or legal guardian of a child or the performance of a contract to which the consumer or a parent or legal guardian of a child is a party; or
  (n) retain a consumer's email address to comply with the consumer's request to exercise a right.
(2) This chapter does not apply if a controller's or processor's compliance with this chapter:
  (a) violates an evidentiary privilege under Utah law;
  (b) as part of a privileged communication, prevents a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Utah law; or
  (c) adversely affects the privacy or other rights of any person.
(3) A controller or processor is not in violation of this chapter if:
  (a) the controller or processor discloses personal data to a third party controller or processor in compliance with this chapter;
  (b) the third party processes the personal data in violation of this chapter; and
  (c) the disclosing controller or processor did not have actual knowledge of the third party's intent to commit a violation of this chapter.
(4) If a controller processes personal data under an exemption described in Subsection (1), the controller bears the burden of demonstrating that the processing qualifies for the exemption.
(5) Nothing in this chapter requires a controller, processor, third party, or consumer to disclose a trade secret.

Section 12. Section 13-61-305 is enacted to read:
13-61-305. No private cause of action.
A violation of this chapter does not provide a basis for, nor is a violation of this chapter subject to, a private right of action under this chapter or any other law.

Section 13. Section 13-61-401 is enacted to read:
Part 4. Enforcement
13-61-401. Investigative powers of division.
(1) The division shall establish and administer a system to receive consumer complaints regarding a controller's or processor's alleged violation of this chapter.
(2) (a) The division may investigate a consumer complaint to determine whether the controller or processor violated or is violating this chapter.
  (b) If the director has reasonable cause to believe that substantial evidence exists that a person identified in a consumer complaint is in violation of this chapter, the director shall refer the matter to the attorney general.
  (c) Upon request, the division shall provide consultation and assistance to the attorney general in enforcing this chapter.

Section 14. Section 13-61-402 is enacted to read:
13-61-402. Enforcement powers of the attorney general.
(1) The attorney general has the exclusive authority to enforce this chapter.
(2) Upon referral from the division, the attorney general may initiate an enforcement action against a controller or processor for a violation of this chapter.
(3) (a) At least 30 days before the day on which the attorney general initiates an enforcement action against a controller or processor, the attorney general shall provide the