Chief Sponsor: Kirk A. Cullimore

8     General Description:
9          This bill enacts the Utah Consumer Privacy Act.
10     Highlighted Provisions:
11          This bill:
12          ▸     defines terms;
13          ▸     creates a right for a consumer to know what personal information a business
14     collects, how the business uses the personal information, and whether the business
15     sells the personal information;
16          ▸     allows a consumer to require a business to delete personal information with
17     exceptions;
18          ▸     allows a consumer to direct a business that sells personal information to stop selling
19     the consumer's personal information;
20          ▸     creates a cause of action for the Office of the Attorney General or the consumer to
21     recover damages, attorney fees, and costs from a business if the business fails to
22     disclose personal information collected or sold, to delete personal information upon
23     the consumer's request, or to stop selling a consumer's personal information upon
24     request;
25          ▸     prohibits an advertiser or a person initiating an email from sending unauthorized or
26     misleading commercial email from this state or to an email address within this state;
27          ▸     creates a cause of action for the Office of the Attorney General, the electronic mail
28     service provider, the recipient of the unsolicited commercial email, and any person that has the
29     person's name, brand, trademark, email address, or domain name used without permission to
30     recover damages related to unauthorized or misleading commercial email; and
31          ▸     permits the prevailing party to recover attorney fees and costs in an action related to
32     unauthorized or misleading commercial email.
33     Money Appropriated in this Bill:
34          None
35     Other Special Clauses:
36          None
37     Utah Code Sections Affected:
38     ENACTS:
39          13-57-101, Utah Code Annotated 1953
40          13-57-102, Utah Code Annotated 1953
41          13-57-201, Utah Code Annotated 1953
42          13-57-202, Utah Code Annotated 1953
43          13-57-301, Utah Code Annotated 1953
44          13-57-302, Utah Code Annotated 1953

46     Be it enacted by the Legislature of the state of Utah:
47          Section 1. Section 13-57-101 is enacted to read:

Part 1. General Provisions

50          13-57-101. Title.
51          This chapter is known as the "Utah Consumer Privacy Act."
52          Section 2. Section 13-57-102 is enacted to read:
53          13-57-102. Definitions.
54          As used in this chapter:
55          (1) "Advertiser" means a person that advertises the person's product, service, or
56     website through the use of commercial email.
57          (2) "Collector" means a sole proprietorship, partnership, limited liability company,
58     corporation, association, or other legal entity that:
59          (a) is organized or operated for profit or for the financial benefit of the collector's
60     shareholders or other owners;
61          (b) collects personal information from consumers; and
62          (c) (i) has annual gross revenue of more than $25,000,000;
63          (ii) alone or in combination with wholly owned subsidiaries, buys, receives for the
64     entity's commercial purposes, sells, or shares for commercial purposes the personal information
65     of 50,000 or more residents of this state; or
66          (iii) derives 50% or more of the entity's annual revenue from selling personal
67     information from consumers.
68          (3) "Commercial email" means any email, the primary purpose of which is the
69     commercial advertisement or promotion of a commercial website, product, or service, or any
70     email that has the primary purpose of soliciting money, property, or personal information.
71          (4) "Consumer" means the same as that term is defined in Section 13-44-102.
72          (5) "Consumer request" means a written, notarized request that includes a consumer's
73     first and last name and at least one other piece of personal information from which a collector
74     can identify the consumer.
75          (6) "Domain name" means any alphanumeric designation that is registered with or
76     assigned by any domain name registrar, domain name registry, or other domain name
77     registration authority as part of an electronic address on the Internet.
78          (7) "Electronic mail service provider" means a company or a service that provides
79     routing, relaying, handling, storage, or support for email addresses and email inboxes.
80          (8) (a) "Header information" means the source, the destination, the routing information
81     attached to an email, and any other information that appears in the line identifying, or
82     purporting to identify, a person initiating the message.
83          (b) "Header information" includes the originating domain name and originating email
84     address.
85          (9) "Initiate" means an act of:
86          (a) originating, transmitting, or sending commercial email; or
87          (b) promising, paying, or providing other consideration for another person to originate,
88     transmit, or send a commercial email.
89          (10) "Initiator" means any person that:
90          (a) originates, transmits, or sends commercial email; or
91          (b) promises, pays, or provides other consideration for another person to originate,
92     transmit, or send commercial email.
93          (11) (a) "Personal information" means:
94          (i) any information that directly identifies an individual;
95          (ii) any representation of information that permits the direct or indirect identification of
96     the individual to whom the information applies; or
97          (iii) any information that permits physical or online contact with a specific individual.
98          (b) "Personal information" includes:
99          (i) a name;
100          (ii) an address;
101          (iii) a social security number or other identifying number or code;
102          (iv) a telephone number; and
103          (v) an email address.
104          (12) "Preexisting or current business relationship" means a situation where the
105     recipient has:
106          (a) made an inquiry and provided an email address; or
107          (b) made an application, a purchase, or a transaction, with or without consideration,
108     related to a product or a service offered by the advertiser.
109          (13) "Recipient" means an addressee of an unsolicited email.
110          (14) "Right to opt out" means the right to direct a collector that sells personal
111     information not to sell the consumer's personal information.
112          (15) "Unsolicited commercial email" means a commercial email sent to a recipient
113     that:
114          (a) has not provided direct consent to the advertiser to receive the commercial email;
115     and
116          (b) does not have a preexisting or current relationship with the advertiser.
117          (16) "Utah email address" means an email address that is:
118          (a) provided by an electronic mail service provider that sends bills for providing and
119     maintaining that email address to a mailing address in this state;
120          (b) ordinarily accessed from a computer located in this state; or
121          (c) provided to an individual who is currently a resident of this state.
122          Section 3. Section 13-57-201 is enacted to read:
Part 2. Rights Relating to Personal Information

124          13-57-201. Disclosure of personal information -- Prohibited collection and selling
125     of personal information.
126          (1) On or before the collection of personal information, a collector shall inform a
127     consumer of:
128          (a) the categories of personal information that the collector will collect; and
129          (b) any purpose for which the collector will use the categories of personal information.
130          (2) (a) Except as provided in Subsection (2)(c), a consumer may make a consumer
131     request that a collector disclose to the consumer:
132          (i) the categories of personal information that the collector has collected or obtained
133     from a third party;
134          (ii) the specific personal information that the collector has collected or obtained from a
135     third party regarding the consumer;
136          (iii) the source of the information described in Subsection (2)(a)(ii); or
137          (iv) any third party to which the collector disclosed the consumer's personal
138     information.
139          (b) (i) A collector shall disclose to a consumer the information described in
140     Subsections (2)(a)(ii) through (iv) only after receiving a consumer request.
141          (ii) Subject to Subsection (2)(b)(iii), the collector shall make a disclosure in response
142     to a request under this Subsection (2):
143          (A) promptly;
144          (B) free of charge;
145          (C) by mail or electronically; and
146          (D) if provided electronically, in a portable and, to the extent technically feasible,
147     readily useable format.
148          (iii) A collector is required to comply with this Subsection (2) only twice in a 12-month
149     period with respect to each consumer.
150          (iv) In making the disclosure required by this Subsection (2), a collector is required to
151     search the collector's data only for the consumer's personal information that is provided in the
152     consumer request.
153          (c) A collector may not be required to retain any personal information that the collector
154     collects for a one-time transaction, if the collector does not:
155          (i) sell or retain the personal information; or
156          (ii) use the personal information to reidentify or to link other information that the
157     collector maintains in a manner that would not be considered personal information.
158          (3) (a) A consumer may make a consumer request for a collector to delete and to not
159     make further use of any of the consumer's personal information that the collector collects from
160     the consumer or obtains from a third party.
161          (b) A collector that receives a request described in Subsection (3)(a) shall delete the
162     consumer's personal information from the collector's records unless the collector needs to retain
163     the consumer's personal information to:
164          (i) complete the transaction for which the collector collects the personal information;
165          (ii) fulfill the terms of a written warranty or perform a contact between the collector
166     and the consumer;
167          (iii) conduct a product recall in accordance with federal law;
168          (iv) provide a good or a service requested by the consumer or reasonably anticipated
169     within the context of the collector's ongoing business relationship with the consumer;
170          (v) detect security incidents;
171          (vi) protect against malicious, deceptive, fraudulent, or illegal activity or prosecute an
172     individual responsible for malicious, deceptive, fraudulent, or illegal activity;
173          (vii) engage in public or peer-reviewed scientific, historic, or statistical research in the
174     public interest if:
175          (A) deletion of the personal information is likely to seriously impair or make
176     impossible the completion of the scientific, historic, or statistical research; and
177          (B) the consumer provides informed consent;
178          (viii) comply with a legal obligation; or
179          (ix) for consumer provided personal information, use the consumer's personal
180     information internally and in a lawful manner compatible with the context in which the
181     consumer provided the information.
182          (c) In making the deletion described in this Subsection (3), a collector is required to
183     search the collector's data only for the consumer's personal information that is provided in the
184     consumer request.
185          (4) (a) A collector that sells a consumer's personal information to a third party shall
186     notify the consumer at or before the time when the collector collects the consumer's personal
187     information that:
188          (i) the collector may sell the consumer's personal information; and
189          (ii) the consumer may exercise the right to opt out.
190          (b) A collector may not sell the personal information of a consumer who exercises the
191     right to opt out unless the consumer subsequently provides express authorization to the
192     collector for the sale of the consumer's personal information.
193          (c) A consumer may exercise a right to opt out at any time.
194          Section 4. Section 13-57-202 is enacted to read:
195          13-57-202. Cause of action.
196          (1) The Office of the Attorney General or a consumer may bring a claim against a
197     collector that violates this section to recover:
198          (a) actual damages to the consumer;
199          (b) except as provided in Subsection (2), liquidated damages of $1,000 for each
200     violation; and
201          (c) if the Office of the Attorney General or the consumer is the prevailing party,
202     reasonable attorney fees and costs.
203          (2) (a) If a court finds that the collector used due diligence to establish and implement
204     practices and procedures reasonably designed to respond to a consumer request under
205     Subsection 13-57-201(2) or (3), the court shall reduce the liquidated damages to $100 for each
206     violation of Subsection 13-57-201(2) or (3).
207          (b) If a court finds that the collector used due diligence to establish and implement
208     practices and procedures reasonably designed to respond to a consumer exercise of the right to
209     opt out under Subsection 13-57-201(4), the court shall reduce the liquidated damages to $100
210     for each violation of Subsection 13-57-201(4).
211          Section 5. Section 13-57-301 is enacted to read:
Part 3. Restrictions on Commercial Email

213          13-57-301. Prohibited uses of email address.

214          An advertiser or an initiator may not initiate or advertise in a commercial email sent
215     from this state or sent to a Utah email address under the following circumstances:
216          (1) the commercial email contains or is accompanied by a third party's domain name
217     without the permission of the third party;
218          (2) the commercial email contains or is accompanied by false, misrepresented, or
219     forged header information, even if the commercial email contains truthful identifying
220     information for the advertiser in the body of the email; or
221          (3) the commercial email has a subject line that is likely to mislead a recipient, acting
222     reasonably under the circumstances, about a material fact regarding the identity of the
223     advertiser, the contents, or the subject matter of the commercial email.
224          Section 6. Section 13-57-302 is enacted to read:
225          13-57-302. Cause of action.
226          (1) (a) The following persons may bring a claim against any advertiser or initiator that
227     violates this section:
228          (i) the Office of the Attorney General;
229          (ii) an electronic mail service provider;
230          (iii) a recipient of an unsolicited commercial email; or
231          (iv) a person that has the person's name, brand, trademark, email address, or domain
232     name used, without authorization, in the header information.
233          (b) (i) There is a rebuttable presumption that any commercial email that violates
234     Section 13-57-301 is an unsolicited commercial email.
235          (ii) The burden of proving that a commercial email is not an unsolicited commercial
236     email is on the defendant.
237          (2) (a) A person described in Subsections (1)(a)(i) through (iii) may recover:
238          (i) actual damages; and
239          (ii) except as provided in Subsection (2)(c), liquidated damages of $1,000 for each
240     unsolicited commercial email transmitted in violation of this section.
241          (b) If an addressee of an unsolicited commercial email has more than one email address
242     to which an advertiser or an initiator sends an unsolicited commercial email, the addressee shall
243     be considered a separate recipient for each email address to which the advertiser or the initiator
244     sends the unsolicited commercial email.
245          (c) If a court finds that an advertiser or an initiator used due diligence to establish and
246     implement practices and procedures to effectively prevent unsolicited commercial emails that
247     are in violation of this section, the court shall reduce the liquidated damages to $100 for each
248     violation.
249          (3) A person described in Subsection (1)(a)(i) or (iv) may recover:
250          (a) actual damages; and
251          (b) liquidated damages of $1,000 for each commercial email transmitted in violation of
252     this section that uses, without authorization, a person's name, brand, trademark, email address,
253     or domain name in the header information.
254          (4) The prevailing party in an action brought under this section may recover reasonable
255     attorney fees and costs.
256          (5) (a) There shall be a cause of action under this section against each advertiser or
257     initiator, and each shall be jointly and severably liable.
258          (b) There is not a cause of action under this section against an electronic mail service
259     provider that is involved only in the routine transmission or conveyance of commercial email
260     over the electronic mail service provider's computer network.