LONG TITLE
General Description:
This bill enacts the Utah Consumer Privacy Act.
Highlighted Provisions:
This bill:
▸ defines terms;
▸ creates a right for a consumer to know what personal information a business collects, how the business uses the personal information, and whether the business sells the personal information;
▸ allows a consumer to require a business to delete personal information with exceptions;
▸ allows a consumer to direct a business that sells personal information to stop selling the consumer's personal information;
▸ creates a cause of action for the Office of the Attorney General or the consumer to recover damages, attorney fees, and costs from a business if the business fails to disclose personal information collected or sold, to delete personal information upon the consumer's request, or to stop selling a consumer's personal information upon request;
▸ prohibits an advertiser or a person initiating an email from sending unauthorized or misleading commercial email from this state or to an email address within this state;
▸ creates a cause of action for the Office of the Attorney General, the electronic mail service provider, the recipient of the unsolicited commercial email, and any person that has the person's name, brand, trademark, email address, or domain name used without permission to recover damages related to unauthorized or misleading commercial email; and
▸ permits the prevailing party to recover attorney fees and costs in an action related to unauthorized or misleading commercial email.
Money Appropriated in this Bill:
None
Other Special Clauses:
None
Utah Code Sections Affected:
ENACTS:
13-57-101, Utah Code Annotated 1953
13-57-102, Utah Code Annotated 1953
13-57-201, Utah Code Annotated 1953
13-57-202, Utah Code Annotated 1953
13-57-301, Utah Code Annotated 1953
13-57-302, Utah Code Annotated 1953

Be it enacted by the Legislature of the state of Utah:
Section 1. Section 13-57-101 is enacted to read:

13-57-101. Title.
This chapter is known as the "Utah Consumer Privacy Act."
Section 2. Section 13-57-102 is enacted to read:
13-57-102. Definitions.
As used in this chapter:
(1) "Advertiser" means a person that advertises the person's product, service, or website through the use of commercial email.
(2) "Collector" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that:
(a) is organized or operated for profit or for the financial benefit of the collector's shareholders or other owners;
(b) collects personal information from consumers; and
(c) (i) has annual gross revenue of more than $25,000,000;
(ii) alone or in combination with wholly owned subsidiaries, buys, receives for the entity's commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more residents of this state; or
(iii) derives 50% or more of the entity's annual revenue from selling personal information from consumers.
(3) "Commercial email" means any email, the primary purpose of which is the commercial advertisement or promotion of a commercial website, product, or service, or any email that has the primary purpose of soliciting money, property, or personal information.
(4) "Consumer" means the same as that term is defined in Section 13-44-102.
(5) "Consumer request" means a written, notarized request that includes a consumer's first and last name and at least one other piece of personal information from which a collector can identify the consumer.
(6) "Domain name" means any alphanumeric designation that is registered with or assigned by any domain name registrar, domain name registry, or other domain name registration authority as part of an electronic address on the Internet.
(7) "Electronic mail service provider" means a company or a service that provides routing, relaying, handling, storage, or support for email addresses and email inboxes.
(8) (a) "Header information" means the source, the destination, the routing information attached to an email, and any other information that appears in the line identifying, or purporting to identify, a person initiating the message.
(b) "Header information" includes the originating domain name and originating email address.
(9) "Initiate" means an act of:
(a) originating, transmitting, or sending commercial email; or
(b) promising, paying, or providing other consideration for another person to originate, transmit, or send a commercial email.
(10) "Initiator" means any person that:
(a) originates, transmits, or sends commercial email; or
(b) promises, pays, or provides other consideration for another person to originate, transmit, or send commercial email.
(11) (a) "Personal information" means:
(i) any information that directly identifies an individual;
(ii) any representation of information that permits the direct or indirect identification of the individual to whom the information applies; or
(iii) any information that permits physical or online contact with a specific individual.
(b) "Personal information" includes:
(i) a name;
(ii) an address;
(iii) a social security number or other identifying number or code;
(iv) a telephone number; and
(v) an email address.
(12) "Preexisting or current business relationship" means a situation where the recipient has:
(a) made an inquiry and provided an email address; or
(b) made an application, a purchase, or a transaction, with or without consideration, related to a product or a service offered by the advertiser.
(13) "Recipient" means an addressee of an unsolicited email.
(14) "Right to opt out" means the right to direct a collector that sells personal information not to sell the consumer's personal information.
(15) "Unsolicited commercial email" means a commercial email sent to a recipient that:
(a) has not provided direct consent to the advertiser to receive the commercial email; and
(b) does not have a preexisting or current relationship with the advertiser.
(16) "Utah email address" means an email address that is:
(a) provided by an electronic mail service provider that sends bills for providing and maintaining that email address to a mailing address in this state;
(b) ordinarily accessed from a computer located in this state; or
(c) provided to an individual who is currently a resident of this state.
Section 3. Section 13-57-201 is enacted to read:

13-57-201. Disclosure of personal information -- Prohibited collection and selling of personal information.
(1) On or before the collection of personal information, a collector shall inform a consumer of:
(a) the categories of personal information that the collector will collect; and
(b) any purpose for which the collector will use the categories of personal information.
(2) (a) Except as provided in Subsection (2)(c), a consumer may make a consumer request that a collector disclose to the consumer:
(i) the categories of personal information that the collector has collected or obtained from a third party;
(ii) the specific personal information that the collector has collected or obtained from a third party regarding the consumer;
(iii) the source of the information described in Subsection (2)(a)(ii); or
(iv) any third party to which the collector disclosed the consumer's personal information.
(b) (i) A collector shall disclose to a consumer the information described in Subsections (2)(a)(ii) through (iv) only after receiving a consumer request.
(ii) Subject to Subsection (2)(b)(iii), the collector shall make a disclosure in response to a request under this Subsection (2):
(A) promptly;
(B) free of charge;
(C) by mail or electronically; and
(D) if provided electronically, in a portable and, to the extent technically feasible, readily useable format.
(iii) A collector is required to comply with this Subsection (2) only twice in a 12-month period with respect to each consumer.
(iv) In making the disclosure required by this Subsection (2), a collector is required to search the collector's data only for the consumer's personal information that is provided in the consumer request.
(c) A collector may not be required to retain any personal information that the collector collects for a one-time transaction, if the collector does not:
(i) sell or retain the personal information; or
(ii) use the personal information to reidentify or to link other information that the collector maintains in a manner that would not be considered personal information.
(3) (a) A consumer may make a consumer request for a collector to delete and to not make further use of any of the consumer's personal information that the collector collects from the consumer or obtains from a third party.
(b) A collector that receives a request described in Subsection (3)(a) shall delete the consumer's personal information from the collector's records unless the collector needs to retain the consumer's personal information to:
(i) complete the transaction for which the collector collects the personal information;
(ii) fulfill the terms of a written warranty or perform a contract between the collector and the consumer;
(iii) conduct a product recall in accordance with federal law;
(iv) provide a good or a service requested by the consumer or reasonably anticipated within the context of the collector's ongoing business relationship with the consumer;
(v) detect security incidents;
(vi) protect against malicious, deceptive, fraudulent, or illegal activity or prosecute an individual responsible for malicious, deceptive, fraudulent, or illegal activity;
(vii) engage in public or peer-reviewed scientific, historic, or statistical research in the public interest if:
(A) deletion of the personal information is likely to seriously impair or make impossible the completion of the scientific, historic, or statistical research; and
(B) the consumer provides informed consent;
(viii) comply with a legal obligation; or
(ix) for consumer provided personal information, use the consumer's personal information internally and in a lawful manner compatible with the context in which the consumer provided the information.
(c) In making the deletion described in this Subsection (3), a collector is required to search the collector's data only for the consumer's personal information that is provided in the consumer request.
(4) (a) A collector that sells a consumer's personal information to a third party shall notify the consumer at or before the time when the collector collects the consumer's personal information that:
(i) the collector may sell the consumer's personal information; and
(ii) the consumer may exercise the right to opt out.
(b) A collector may not sell the personal information of a consumer who exercises the right to opt out unless the consumer subsequently provides express authorization to the collector for the sale of the consumer's personal information.
(c) A consumer may exercise a right to opt out at any time.
195 13-57-202. Cause of action.
196 (1) The Office of the Attorney General or a consumer may bring a claim against a
197 collector that violates this section to recover:
198 (a) actual damages to the consumer;
199 (b) except as provided in Subsection (2), liquidated damages of $1,000 for each
200 violation; and
201 (c) if the Office of the Attorney General or the consumer is the prevailing party,
202 reasonable attorney fees and costs.
203 (2) (a) If a court finds that the collector used due diligence to establish and implement
204 practices and procedures reasonably designed to respond to a consumer request under
205 Subsection 13-57-201(2) or (3), the court shall reduce the liquidated damages to $100 for each
206 violation of Subsection 13-57-201(2) or (3).
207 (b) If a court finds that the collector used due diligence to establish and implement
208 practices and procedures reasonably designed to respond to a consumer exercise of the right to
209 opt out under Subsection 13-57-201(4), the court shall reduce the liquidated damages to $100
210 for each violation of Subsection 13-57-201(4).
Section 5. Section 13-57-301 is enacted to read:

13-57-301. Prohibited uses of email address.
An advertiser or an initiator may not initiate or advertise in a commercial email sent from this state or sent to a Utah email address under the following circumstances:
(1) the commercial email contains or is accompanied by a third party's domain name without the permission of the third party;
(2) the commercial email contains or is accompanied by false, misrepresented, or forged header information, even if the commercial email contains truthful identifying information for the advertiser in the body of the email; or
(3) the commercial email has a subject line that is likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the identity of the advertiser, the contents, or the subject matter of the commercial email.
Section 6. Section 13-57-302 is enacted to read:
13-57-302. Cause of action.
(1) (a) The following persons may bring a claim against any advertiser or initiator that violates this section:
(i) the Office of the Attorney General;
(ii) an electronic mail service provider;
(iii) a recipient of an unsolicited commercial email; or
(iv) a person that has the person's name, brand, trademark, email address, or domain name used, without authorization, in the header information.
(b) (i) There is a rebuttable presumption that any commercial email that violates Section 13-57-301 is an unsolicited commercial email.
(ii) The burden of proving that a commercial email is not an unsolicited commercial email is on the defendant.
(2) (a) A person described in Subsections (1)(a)(i) through (iii) may recover:
(i) actual damages; and
(ii) except as provided in Subsection (2)(c), liquidated damages of $1,000 for each unsolicited commercial email transmitted in violation of this section.
(b) If an addressee of an unsolicited commercial email has more than one email address to which an advertiser or an initiator sends an unsolicited commercial email, the addressee shall be considered a separate recipient for each email address to which the advertiser or the initiator sends the unsolicited commercial email.
(c) If a court finds that an advertiser or an initiator used due diligence to establish and implement practices and procedures to effectively prevent unsolicited commercial emails that are in violation of this section, the court shall reduce the liquidated damages to $100 for each violation.
(3) A person described in Subsection (1)(a)(i) or (iv) may recover:
(a) actual damages; and
(b) liquidated damages of $1,000 for each commercial email transmitted in violation of this section that uses, without authorization, a person's name, brand, trademark, email address, or domain name in the header information.
(4) The prevailing party in an action brought under this section may recover reasonable attorney fees and costs.
(5) (a) There shall be a cause of action under this section against each advertiser or initiator, and each shall be jointly and severally liable.
(b) There is not a cause of action under this section against an electronic mail service provider that is involved only in the routine transmission or conveyance of commercial email over the electronic mail service provider's computer network.