7 LONG TITLE
8 General Description:
9 This bill enacts the Utah Consumer Privacy Act and Utah Commercial Email Act.
10 Highlighted Provisions:
11 This bill:
12 ▸ defines terms;
13 ▸ provides consumers the right to access, correct, and delete certain personal data;
14 ▸ gives consumers the right to opt out of the collection and use of personal data for
15 certain purposes;
16 ▸ requires certain businesses that control and process personal data of consumers to:
17 • safeguard personal data;
18 • provide clear information to consumers regarding how the consumer's personal
19 data are used;
20 • accept consumer requests to exercise the consumer's rights under this bill;
21 • comply with a consumer's request to exercise the consumer's rights under this
22 bill; and
23 • maintain data protection assessments;
24 ▸ creates a process for a consumer to submit requests and appeal a business's decision
25 regarding the business's processing of the consumer's personal data;
26 ▸ allows the Division of Consumer Protection to accept and investigate consumer
27 complaints regarding the processing of personal data;
28 ▸ empowers the Office of the Attorney General to:
29 • obtain and evaluate a business's data protection assessments;
30 • take enforcement action against violators; and
31 • impose penalties for violations;
32 ▸ creates a right for a consumer to know what personal information a business
33 collects, how the business uses the personal information, and whether the business
34 sells the personal information;
35 ▸ allows a consumer to require a business to delete personal information, with
36 exceptions, and direct a business that sells personal information to stop selling the
37 consumer's personal information;
38 ▸ prohibits an advertiser or a person initiating an email from sending unauthorized or
39 misleading commercial email from this state or to an email address within this state;
40 ▸ creates a cause of action for the Office of the Attorney General, the electronic mail
41 service provider, the recipient of the unsolicited commercial email, and any person
42 whose brand, trademark, email address, or domain name is used without permission
43 to recover damages related to unauthorized or misleading commercial email;
44 ▸ permits the prevailing party to recover attorney fees and costs in an action related to
45 unauthorized or misleading commercial email; and
46 ▸ makes technical changes.
47 Money Appropriated in this Bill:
48 None
49 Other Special Clauses:
50 This bill provides a special effective date.
51 Utah Code Sections Affected:
52 AMENDS:
53 13-2-1, as last amended by Laws of Utah 2020, Chapter 118
54 63G-2-305, as last amended by Laws of Utah 2020, Chapters 112, 198, 339, 349, 382,
55 and 393
56 ENACTS:
57 13-58-101, Utah Code Annotated 1953
58 13-58-102, Utah Code Annotated 1953
59 13-58-201, Utah Code Annotated 1953
60 13-58-202, Utah Code Annotated 1953
61 13-58-203, Utah Code Annotated 1953
62 13-58-204, Utah Code Annotated 1953
63 13-58-205, Utah Code Annotated 1953
64 13-58-301, Utah Code Annotated 1953
65 13-58-302, Utah Code Annotated 1953
66 13-58-303, Utah Code Annotated 1953
67 13-58-304, Utah Code Annotated 1953
68 13-58-305, Utah Code Annotated 1953
69 13-58-306, Utah Code Annotated 1953
70 13-58-401, Utah Code Annotated 1953
71 13-58-402, Utah Code Annotated 1953
72 13-58-403, Utah Code Annotated 1953
73 13-58-404, Utah Code Annotated 1953
74 13-59-101, Utah Code Annotated 1953
75 13-59-102, Utah Code Annotated 1953
76 13-59-201, Utah Code Annotated 1953
77 13-59-202, Utah Code Annotated 1953
79 Be it enacted by the Legislature of the state of Utah:
80 Section 1. Section 13-2-1 is amended to read:
81 13-2-1. Consumer protection division established -- Functions.
82 (1) There is established within the Department of Commerce the Division of Consumer
83 Protection.
84 (2) The division shall administer and enforce the following:
85 (a) Chapter 5, Unfair Practices Act;
86 (b) Chapter 10a, Music Licensing Practices Act;
87 (c) Chapter 11, Utah Consumer Sales Practices Act;
88 (d) Chapter 15, Business Opportunity Disclosure Act;
89 (e) Chapter 20, New Motor Vehicle Warranties Act;
90 (f) Chapter 21, Credit Services Organizations Act;
91 (g) Chapter 22, Charitable Solicitations Act;
92 (h) Chapter 23, Health Spa Services Protection Act;
93 (i) Chapter 25a, Telephone and Facsimile Solicitation Act;
94 (j) Chapter 26, Telephone Fraud Prevention Act;
95 (k) Chapter 28, Prize Notices Regulation Act;
96 (l) Chapter 32a, Pawnshop and Secondhand Merchandise Transaction Information Act;
97 (m) Chapter 34, Utah Postsecondary Proprietary School Act;
98 (n) Chapter 34a, Utah Postsecondary School State Authorization Act;
99 (o) Chapter 39, Child Protection Registry;
100 (p) Chapter 41, Price Controls During Emergencies Act;
101 (q) Chapter 42, Uniform Debt-Management Services Act;
102 (r) Chapter 49, Immigration Consultants Registration Act;
103 (s) Chapter 51, Transportation Network Company Registration Act;
104 (t) Chapter 52, Residential Solar Energy Disclosure Act;
105 (u) Chapter 53, Residential, Vocational and Life Skills Program Act;
106 (v) Chapter 54, Ticket Website Sales Act;
107 (w) Chapter 56, Ticket Transferability Act;
108 (x) Chapter 57, Maintenance Funding Practices Act; and
109 (y) Chapter 58, Utah Consumer Privacy Act.
110 Section 2. Section 13-58-101 is enacted to read:
113 13-58-101. Title.
114 This chapter is known as the "Utah Consumer Privacy Act."
115 Section 3. Section 13-58-102 is enacted to read:
116 13-58-102. Definitions.
117 As used in this chapter:
118 (1) (a) "Affiliate" means a person who directly or indirectly through one or more
119 intermediaries controls, or is controlled by, or is under common control with, the person
120 specified.
121 (b) "Affiliate" includes a subsidiary.
122 (2) "Authenticate" means to use reasonable means to determine that a consumer's
123 request to exercise the rights described in Section 13-58-202 is made by the consumer who is
124 entitled to exercise those rights.
125 (3) "Business associate" means the same as that term is defined in 45 C.F.R. Sec.
126 160.103.
127 (4) "Child" means an individual younger than 13 years old.
128 (5) "Consent" means an affirmative act by a consumer that unambiguously indicates
129 the consumer's voluntary and informed agreement to allow a person to process personal data
130 related to the consumer.
131 (6) (a) "Consumer" means an individual who is a resident of the state acting in an
132 individual or household context.
133 (b) "Consumer" does not include an individual acting in an employment or commercial
134 context.
135 (7) (a) "Controller" means a person doing business in the state who determines the
136 purposes for which and the means by which personal data is processed, regardless of whether
137 the person makes the determination alone or with others.
138 (b) "Controller" does not include a person who processes personal data solely for the
139 purposes described in Subsections 13-58-305(1)(a) through (d), or (f).
140 (8) "Covered entity" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
141 (9) "Deidentified data" means data that:
142 (a) cannot reasonably be linked to an identifiable individual; and
143 (b) are possessed by a controller who:
144 (i) takes reasonable measures to ensure that a person cannot associate the data with an
145 identifiable individual;
146 (ii) publicly commits to maintain and use the data only in deidentified form and not
147 attempt to reidentify the data; and
148 (iii) contractually obligates any recipients of the data to comply with the requirements
149 described in Subsections (9)(b)(i) and (ii).
150 (10) "Director" means the director of the Division of Consumer Protection.
151 (11) "Division" means the Division of Consumer Protection created in Section 13-2-1.
152 (12) "Health care facility" means the same as that term is defined in Section 26-21-2.
153 (13) "Health care provider" means the same as that term is defined in Section 26-21-2.
154 (14) "Identifiable individual" means an individual who can be readily identified,
155 directly or indirectly.
156 (15) "Local political subdivision" means the same as that term is defined in Section
157 11-14-102.
158 (16) "Nonprofit corporation" means the same as that term is defined in Section
159 16-6a-102.
160 (17) (a) "Personal data" means any information that:
161 (i) identifies or describes an identifiable individual; or
162 (ii) is reasonably capable of identifying or describing an identifiable individual.
163 (b) "Personal data" does not include deidentified data, anonymous or pseudonymous
164 data, or publicly available information.
165 (18) "Process" means an operation or set of operations performed on personal data,
166 including collection, use, storage, disclosure, analysis, deletion, or modification of personal
167 data.
168 (19) "Processor" means a person who processes personal data on behalf of a controller.
169 (20) "Profiling" means automated processing of personal data to evaluate, analyze, or
170 predict personal aspects concerning an identifiable individual's:
171 (a) economic situation;
172 (b) health;
173 (c) personal preferences;
174 (d) interests;
175 (e) reliability;
176 (f) behavior;
177 (g) location; or
178 (h) movements.
179 (21) "Protected health information" means the same as that term is defined in 45 C.F.R.
180 Sec. 160.103.
181 (22) "Pseudonymous data" means personal data that cannot be attributed to a specific
182 individual without the use of additional information, if the additional information is:
183 (a) kept separate from the consumer's personal data; and
184 (b) subject to appropriate technical and organizational measures to ensure that the
185 personal data are not attributable to an identifiable individual.
186 (23) "Publicly available information" means information that a person:
187 (a) lawfully obtains from a federal, state, or local political subdivision record;
188 (b) reasonably believes a consumer or widely distributed media has lawfully made
189 available to the general public; or
190 (c) if the consumer has not restricted the information to a specific audience, obtains
191 from a person to whom the consumer disclosed the information.
192 (24) "Right" means a consumer right described in Section 13-58-202.
193 (25) (a) "Sale," "sell," or "sold" means the exchange of personal data for monetary
194 consideration by a controller to a third party.
195 (b) "Sale" does not include:
196 (i) a controller's disclosure of personal data to a processor who processes the personal
197 data on behalf of the controller;
198 (ii) a controller's disclosure of personal data to an affiliate of the controller;
199 (iii) considering the context in which the consumer provided the personal data to the
200 controller, a controller's disclosure of personal data to a third party if the purpose is consistent
201 with a consumer's reasonable expectations;
202 (iv) a consumer's disclosure of personal data to a third party for the purpose of
203 providing a product or service requested by the consumer;
204 (v) a consumer's disclosure of information that the consumer:
205 (A) intentionally makes available to the general public via a channel of mass media;
206 and
207 (B) does not restrict to a specific audience; or
208 (vi) a controller's transfer of personal data to a third party as an asset that is part of a
209 proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes
210 control of all or part of the controller's assets.
211 (26) (a) "Sensitive data" means:
212 (i) personal data that reveals an individual's:
213 (A) racial or ethnic origin;
214 (B) religious beliefs;
215 (C) diagnosed mental or physical health condition;
216 (D) sexual orientation; or
217 (E) citizenship or immigration status;
218 (ii) the processing of genetic or biometric personal data for the purpose of identifying
219 an individual;
220 (iii) the personal data of a known child; or
221 (iv) specific geolocation data.
222 (b) "Sensitive data" does not include personal data that reveals an individual's racial or
223 ethnic origin, if the personal data is processed by a video communication service.
224 (27) (a) "Specific geolocation data" means information:
225 (i) derived from technology; and
226 (ii) used or intended to be used to identify the specific location of a consumer within a
227 geographic area with a radius of 1,850 feet or less.
228 (b) "Specific geolocation data" does not include the content of a communication.
229 (28) (a) "Targeted advertising" means displaying an advertisement to a consumer
230 where the advertisement is selected based on personal data obtained from the consumer's
231 activities over time and across nonaffiliated websites or online applications to predict the
232 consumer's preferences or interests.
233 (b) "Targeted advertising" does not include advertising:
234 (i) based on a consumer's activities within a controller's or an affiliate of the
235 controller's websites or online applications;
236 (ii) based on the context of a consumer's current search query or visit to a website or
237 online application;
238 (iii) directed to a consumer in response to the consumer's request for information,
239 product, a service, or feedback; or
240 (iv) used solely to measure or report advertising:
241 (A) performance;
242 (B) reach; or
243 (C) frequency.
244 (29) "Third party" means a person other than:
245 (a) the consumer, controller, or processor; or
246 (b) an affiliate or contractor of the controller or the processor.
247 Section 4. Section 13-58-201 is enacted to read:
249 13-58-201. Applicability.
250 (1) This chapter applies to any controller or processor who:
251 (a) (i) conducts business in the state; or
252 (ii) produces a product or service that is targeted to residents of the state; and
253 (b) satisfies one or more of the following thresholds:
254 (i) during a calendar year, controls or processes personal data of 100,000 or more
255 consumers; or
256 (ii) derives over 50% of the entity's gross revenue from the sale of personal data and
257 controls or processes personal data of 25,000 or more consumers.
258 (2) This chapter does not apply to:
259 (a) a government entity;
260 (b) a tribe;
261 (c) a nonprofit corporation;
262 (d) information that meets the definition of:
263 (i) protected health information for purposes of the federal Health Insurance Portability
264 and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations;
265 (ii) patient identifying information for purposes of 42 C.F.R. Part 2;
266 (iii) identifiable private information for purposes of the Federal Policy for the
267 Protection of Human Subjects, 45 C.F.R. Part 46;
268 (iv) identifiable private information or personal data collected as part of human
269 subjects research pursuant to or under the same standards as:
270 (A) the good clinical practice guidelines issued by the International Council for
271 Harmonisation; or
272 (B) the Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review
273 Boards under 21 C.F.R. Part 56;
274 (v) personal data used or shared in research conducted in accordance with one or more
275 of the requirements described in Subsection (2)(e)(iv);
276 (vi) information and documents created specifically for, and collected and maintained
277 by, a committee listed in Section 26-1-7;
278 (vii) information and documents created for purposes of the federal Health Care
279 Quality Improvement Act of 1986, 42 U.S.C. Sec. 11101 et seq., and related regulations;
280 (viii) patient safety work product for purposes of 42 C.F.R. Part 3; or
281 (ix) information that is:
282 (A) deidentified in accordance with the requirements for deidentification set forth in 45
283 C.F.R. Part 164; and
284 (B) derived from any of the health care-related information listed in this Subsection
285 (2)(d);
286 (e) information originating from, and intermingled to be indistinguishable with,
287 information under Subsection (2)(d) that is maintained by:
288 (i) a covered entity or business associate;
289 (ii) a health care facility or health care provider; or
290 (iii) a program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11;
291 (f) information used only for public health activities and purposes as described in 45
292 C.F.R. Sec. 164.512;
293 (g) (i) an activity by:
294 (A) a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a;
295 (B) a furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides
296 information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or
297 (C) a user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b;
298 (ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec.
299 1681 et seq.; and
300 (iii) involving the collection, maintenance, disclosure, sale, communication, or use of
301 any personal information bearing on a consumer's:
302 (A) credit worthiness;
303 (B) credit standing;
304 (C) credit capacity;
305 (D) character;
306 (E) general reputation;
307 (F) personal characteristics; or
308 (G) mode of living;
309 (h) a financial institution or an affiliate of a financial institution governed by Title V of
310 the federal Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations;
311 (i) personal data collected, processed, sold, or disclosed in accordance with the federal
312 Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.;
313 (j) personal data regulated by the federal Family Education Rights and Privacy Act, 20
314 U.S.C. Sec. 1232g, and related regulations;
315 (k) personal data collected, processed, sold, or disclosed in accordance with the federal
316 Farm Credit Act of 1971, 12 U.S.C. Sec. 2001 et seq.;
317 (l) data maintained for employment records purposes;
318 (m) an individual's processing of personal data for purely personal or household
319 purposes; or
320 (n) an air carrier.
321 (3) A controller is in compliance with any obligation to obtain parental consent under
322 this chapter if the controller complies with the verifiable parental consent mechanisms under
323 the Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and its implementing
324 regulations.
325 Section 5. Section 13-58-202 is enacted to read:
326 13-58-202. Consumer rights -- Access -- Correction -- Deletion -- Portability -- Opt
327 out of certain processing.
328 (1) A consumer has the right to:
329 (a) confirm whether a controller is processing personal data concerning the consumer;
330 and
331 (b) obtain information regarding the categories of personal data concerning the
332 consumer the controller has collected.
333 (2) A consumer has the right to correct inaccurate personal data concerning the
334 consumer, taking into account the nature of the personal data and the purposes of the
335 processing of the personal data.
336 (3) A consumer has the right to delete the consumer's personal data that the consumer
337 provided to the controller.
338 (4) A consumer has the right to obtain a copy of the consumer's personal data, that the
339 consumer previously provided to the controller, in a format that:
340 (a) is portable;
341 (b) to the extent practicable, is readily-usable; and
342 (c) allows the consumer to transmit the data to another controller without impediment,
343 where the processing is carried out by automated means.
344 (5) A consumer has the right to opt out of the processing of the consumer's personal
345 data for purposes of:
346 (a) targeted advertising;
347 (b) the sale of personal data; or
348 (c) profiling in furtherance of decisions regarding:
349 (i) enrollment in an educational institution;
350 (ii) criminal justice;
351 (iii) employment opportunities;
352 (iv) health care services; or
353 (v) access to basic necessities.
354 Section 6. Section 13-58-203 is enacted to read:
355 13-58-203. Exercising consumer rights.
356 (1) A consumer may exercise a right by submitting a request to a controller specifying
357 the right the consumer intends to exercise.
358 (2) In the case of processing personal data concerning a known child, the parent or
359 legal guardian of the known child shall exercise a right on the child's behalf.
360 (3) In the case of processing personal data concerning a consumer subject to
361 guardianship, conservatorship, or other protective arrangement under Title 75, Chapter 5,
362 Protection of Persons Under Disability and Their Property, the guardian or the conservator of
363 the consumer shall exercise a right on the consumer's behalf.
364 Section 7. Section 13-58-204 is enacted to read:
365 13-58-204. Controller's response to requests.
366 (1) A controller shall comply with a consumer's request to exercise a right.
367 (2) (a) A controller shall provide one or more secure and reliable means for a consumer
368 to submit a request to exercise a right, including an email address to which a consumer may
369 submit a request.
370 (b) In providing the means described in Subsection (2)(a), a controller shall consider:
371 (i) the ways in which consumers interact with the controller; and
372 (ii) the need for secure and reliable communication of the requests.
373 (c) A controller may not require a consumer to create a new account to exercise a right.
374 (d) A controller may require a consumer to use an existing account to exercise a right.
375 (3) (a) Within 45 days after the day on which a controller receives a request to exercise
376 a right, the controller shall:
377 (i) take action on the consumer's request; and
378 (ii) inform the consumer of any action taken on the consumer's request under Section
379 13-58-203.
380 (b) The controller may extend once the initial 45-day period by an additional 45 days if
381 reasonably necessary due to the complexity of the request or the volume of the requests
382 received by the controller.
383 (c) If a controller extends the initial 45-day period, before the initial 45-day period
384 expires, the controller shall:
385 (i) inform the consumer of the extension, including the length of the extension; and
386 (ii) provide the reasons the extension is reasonably necessary as described in
387 Subsection (3)(b).
388 (d) If a controller chooses not to take action on a consumer's request, the controller
389 shall:
390 (i) within 45 days after the day on which the controller receives the request, inform the
391 consumer of the reasons for not taking action; and
392 (ii) provide instructions for how to appeal the controller's decision in accordance with
393 Section 13-58-205.
394 (e) A controller may not charge a fee for information in response to a request, unless
395 the request is the consumer's second or subsequent request during the same 12-month period.
396 (f) Notwithstanding Subsection (3)(e), if a request is duplicative, the controller may:
397 (i) charge a reasonable fee to cover the administrative costs of complying with the
398 request; or
399 (ii) refuse to act on the request.
400 (g) The controller bears the burden of demonstrating the duplicative nature of a
401 request.
402 (h) If a controller is unable to authenticate a request to exercise a right described in
403 Section 13-58-202 using commercially reasonable efforts, the controller:
404 (i) is not required to comply with the request; and
405 (ii) may request that the consumer provide additional information reasonably necessary
406 to authenticate the request.
407 Section 8. Section 13-58-205 is enacted to read:
408 13-58-205. Consumer appeal process.
409 (1) A controller shall establish an internal process that allows a consumer to appeal the
410 controller's failure to comply with Section 13-58-204.
411 (2) The controller shall ensure that the appeal process described in Subsection (1) is:
412 (a) conspicuously available; and
413 (b) equally easy to use as the process for submitting a request under Section 13-58-203.
414 (3) (a) Within 60 days after the day on which a controller receives an appeal, the
415 controller shall:
416 (i) inform the consumer of any action taken in response to the appeal; and
417 (ii) provide a written explanation of the reasons in support of the controller's action or
418 inaction.
419 (b) The controller may extend once the initial 60-day period by an additional 60 days if
420 reasonably necessary due to the complexity of the request or number of the requests serving as
421 the basis for the appeal.
422 (c) If a controller extends the initial 60-day period, before the initial 60-day period
423 expires, the controller shall:
424 (i) inform the consumer of the extension, including the length of the extension; and
425 (ii) provide the reasons the extension is reasonably necessary as described in
426 Subsection (3)(b).
427 (4) When informing a consumer of any action taken or not taken by the controller in
428 response to an appeal, the controller shall:
429 (a) inform the consumer of the consumer's right to appeal the decision to the division;
430 and
431 (b) upon request, provide to the consumer the controller's written explanation of the
432 reasons in support of the controller's action.
433 Section 9. Section 13-58-301 is enacted to read:
435 13-58-301. Responsibility according to role.
436 (1) A processor shall:
437 (a) adhere to the controller's instructions; and
438 (b) assist the controller to meet the controller's obligations under this chapter by
439 providing information to the controller that is necessary to enable the controller to conduct and
440 document any data protection assessments required under Section 13-58-304.
441 (2) A processor shall:
442 (a) taking into account the context in which the personal data are to be processed,
443 implement and maintain reasonable security procedures and practices to protect personal data;
444 (b) ensure that each person processing personal data is subject to a duty of
445 confidentiality with respect to the personal data; and
446 (c) engage a subcontractor only pursuant to a written contract that requires the
447 subcontractor to meet the same obligations as the processor with respect to the personal data.
448 (3) Determining whether a person is acting as a controller or processor with respect to
449 a specific processing of data is a fact-based determination that depends upon the context in
450 which personal data are to be processed.
451 Section 10. Section 13-58-302 is enacted to read:
452 13-58-302. Responsibilities of controllers -- Transparency -- Purpose specification
453 and data minimization -- Consent for secondary use -- Security -- Nondiscrimination --
454 Nonretaliation -- Nonwaiver of consumer rights.
455 (1) (a) A controller shall provide consumers with a reasonably accessible and clear
456 privacy notice that includes:
457 (i) the categories of personal data processed by the controller;
458 (ii) the purposes for which the categories of personal data are processed;
459 (iii) how and where consumers may exercise a right, including how a consumer may
460 appeal a controller's action with regard to the consumer's request to exercise a right;
461 (iv) the categories of personal data that the controller shares with third parties, if any;
462 and
463 (v) the categories of third parties, if any, with whom the controller shares personal data.
464 (b) If a controller sells personal data to one or more third parties or processes personal
465 data for targeted advertising, the controller shall clearly and conspicuously disclose to the
466 consumer the manner in which the consumer may exercise the right to opt out of the:
467 (i) sale of the consumer's personal data; or
468 (ii) processing for targeted advertising.
469 (2) A controller may not collect personal data, unless:
470 (a) the collection is:
471 (i) relevant to the purposes for which the controller is processing the personal data; and
472 (ii) as disclosed to the consumer, limited to the personal data reasonably necessary to
473 achieve the purposes for which the controller is processing the personal data; or
474 (b) the controller obtains the consumer's consent.
475 (3) (a) A controller shall establish, implement, and maintain reasonable administrative,
476 technical, and physical data security practices designed to:
477 (i) protect the confidentiality and integrity of personal data; and
478 (ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing
479 of personal data.
480 (b) Considering the controller's business size, scope, and type, a controller shall use
481 data security practices that are appropriate for the volume and nature of the personal data at
482 issue.
483 (4) Except as otherwise provided in this chapter, a controller may not process sensitive
484 data concerning a consumer without obtaining:
485 (a) the consumer's consent; or
486 (b) in the case of the processing of personal data concerning a known child, the consent
487 of the child's parent or lawful guardian in accordance with the federal Children's Online
488 Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq.
489 (5) (a) A controller may not discriminate against a consumer for exercising a right by:
490 (i) denying a good or service to the consumer;
491 (ii) charging the consumer a different price or rate for a good or service; or
492 (iii) providing the consumer a different level of quality of a good or service.
493 (b) This Subsection (5) does not prohibit a controller from offering a different price,
494 rate, level, quality, or selection of goods or services to a consumer, including offering goods or
495 services for no fee or at a discount, as part of the consumer's voluntary participation in a bona
496 fide loyalty, rewards, premium features, discounts, or club card program.
497 (6) Any provision of a contract that purports to waive or limit a consumer's right under
498 this chapter is void.
499 Section 11. Section 13-58-303 is enacted to read:
500 13-58-303. Processing deidentified data or pseudonymous data.
501 (1) The provisions of this chapter do not require a controller or processor to:
502 (a) reidentify deidentified data;
503 (b) comply with an authenticated consumer request to exercise a right described in
504 Subsections 13-58-202(1) through (4), if:
505 (i) (A) the controller is not reasonably capable of associating the request with the
506 personal data; or
507 (B) it would be unreasonably burdensome for the controller to associate the request
508 with the personal data;
509 (ii) the controller does not:
510 (A) use the personal data to recognize or respond to the consumer who is the subject of
511 the personal data; or
512 (B) associate the personal data with other personal data about the consumer; or
513 (iii) the controller does not sell or otherwise disclose the personal data to any third
514 party other than a processor, except as otherwise permitted in this section; or
515 (c) maintain data in identifiable form, or collect, retain, or access any data or
516 technology, in order to be capable of associating an authenticated consumer request with
517 personal data.
518 (2) The rights described in Subsections 13-58-202(1) through (4) do not apply to
519 pseudonymous data if a controller keeps information necessary to identify a consumer:
520 (a) separate from the pseudonymous data; and
521 (b) subject to effective technical and organizational controls that prevent the controller
522 from accessing the information.
523 (3) A controller who uses pseudonymous data or deidentified data shall take reasonable
524 steps to ensure the controller:
525 (a) complies with any contractual obligations to which the pseudonymous data or
526 deidentified data are subject; and
527 (b) promptly addresses any breach of a contractual obligation described in Subsection
528 (3)(a).
529 Section 12. Section 13-58-304 is enacted to read:
530 13-58-304. Data protection assessments.
531 (1) A controller shall conduct and document an annual data protection assessment of
532 the following processing activities involving personal data:
533 (a) the processing of personal data for purposes of targeted advertising;
534 (b) the sale of personal data;
535 (c) the processing of personal data for purposes of profiling, if the profiling presents a
536 reasonably foreseeable risk to consumers of:
537 (i) unfair or deceptive treatment;
538 (ii) disparate impact; or
539 (iii) financial, physical, or reputational injury;
540 (d) the processing of sensitive data; and
541 (e) any processing activities involving personal data that present a heightened risk of
542 harm or substantial injury to a consumer.
543 (2) A controller shall consider in the controller's data protection assessment:
544 (a) the benefits that may flow, directly or indirectly, from the processing of personal
545 data to the controller, the consumer, stakeholders, and the public;
546 (b) potential security risks to a consumer's personal data, as mitigated by safeguards
547 that can be employed by the controller;
548 (c) the use of deidentified data;
549 (d) the reasonable expectations of consumers;
550 (e) the context of the processing; and
551 (f) the relationship between the controller and the consumer whose personal data will
552 be processed.
553 (3) (a) The division or attorney general may request, in writing, that a controller
554 disclose any data protection assessment that is relevant to an investigation conducted by the
555 division or attorney general.
556 (b) A controller shall make a data protection assessment available to the division or
557 attorney general upon request.
558 (c) A data protection assessment is confidential and is a protected record for purposes
559 of Title 63G, Chapter 2, Government Records Access and Management Act.
560 (d) The disclosure of a data protection assessment in accordance with a request from
561 the division or attorney general under this subsection does not constitute a waiver of the
562 attorney-client privilege or work product protection with respect to the assessment or any
563 information contained in the assessment.
564 (4) A controller shall retain the controller's data protection assessments for at least
565 three years.
566 Section 13. Section 13-58-305 is enacted to read:
567 13-58-305. Limitations.
568 (1) The requirements described in this chapter do not restrict a controller or processor's
569 ability to:
570 (a) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
571 summons by a federal, state, local, or other governmental entity;
572 (b) cooperate with a law enforcement agency concerning activity that the controller or
573 processor reasonably and in good faith believes may violate federal, state, or local laws, rules,
574 or regulations;
575 (c) investigate, establish, exercise, prepare for, or defend a legal claim;
576 (d) provide a product or service requested by a consumer;
577 (e) perform a contract to which the consumer is a party, or take steps at the request of
578 the consumer before entering into a contract with the consumer;
579 (f) take immediate steps to protect an interest that is essential for the life or physical
580 safety of the consumer or of another individual;
581 (g) (i) detect, prevent, or respond to a security incident, identity theft, fraud,
582 harassment, malicious or deceptive activity, or any illegal activity; and
583 (ii) investigate, report, or prosecute a person responsible for an action described in
584 Subsection (1)(g)(i);
585 (h) preserve the integrity or security of systems, books, and records;
586 (i) if the controller discloses the processing in a notice described in Section 13-58-302,
587 engage in public or peer-reviewed scientific, historical, or statistical research in the public
588 interest that adheres to all other applicable ethics and privacy laws;
589 (j) assist another person with an obligation described in this subsection; or
590 (k) process personal data to:
591 (i) conduct internal analytics or other research solely to develop, improve, or repair a
592 controller or processor's product, service, or technology;
593 (ii) identify and repair technical errors that impair existing or intended functionality; or
594 (iii) perform a solely internal operation that is:
595 (A) reasonably aligned with the consumer's expectations based on the consumer's
596 existing relationship with the controller; or
597 (B) otherwise compatible with processing to aid the controller or processor in
598 providing a product or service specifically requested by a consumer or the performance of a
599 contract to which the consumer is a party.
600 (2) This chapter does not apply if a controller or processor's compliance with this
601 chapter:
602 (a) violates an evidentiary privilege under Utah law;
603 (b) as part of a privileged communication, prevents a controller or processor from
604 providing personal data concerning a consumer to a person covered by an evidentiary privilege
605 under Utah law; or
606 (c) adversely affects the rights of any person.
607 (3) A controller or processor is not in violation of this chapter if:
608 (a) the controller or processor discloses personal data to a third party controller or
609 processor in compliance with this chapter;
610 (b) the third party processes the personal data in violation of this chapter; and
611 (c) the disclosing controller or processor did not have actual knowledge of the third
612 party's intent to commit a violation of this chapter.
613 (4) If a controller processes personal data under an exemption described in Subsection
614 (1), the controller bears the burden of demonstrating that the processing qualifies for the
615 exemption.
616 Section 14. Section 13-58-306 is enacted to read:
617 13-58-306. No private cause of action.
618 There is no private cause of action against a controller or processor for a violation of
619 this chapter.
620 Section 15. Section 13-58-401 is enacted to read:
622 13-58-401. Investigative powers of division.
623 (1) The division shall establish and administer a system to receive consumer
624 complaints regarding a controller or processor's alleged violation of this chapter.
625 (2) (a) The division may investigate a consumer complaint to determine whether the
626 controller or processor violated, is violating, or is about to violate this chapter.
627 (b) If the director has reasonable cause to believe that substantial evidence exists that a
628 person identified in a consumer complaint is in violation of this chapter, the director shall refer
629 the matter to the attorney general.
630 (c) Upon request, the division shall provide consultation and assistance to the attorney
631 general in enforcing this chapter.
632 Section 16. Section 13-58-402 is enacted to read:
633 13-58-402. Enforcement powers of the attorney general.
634 (1) Except as otherwise provided in this chapter, the attorney general has the exclusive
635 authority to enforce this chapter.
636 (2) Upon referral from the division, the attorney general may initiate an enforcement
637 action against a controller or processor for a violation of this chapter.
638 (3) (a) At least 30 days before the day on which the attorney general initiates an
639 enforcement action against a controller or processor, the attorney general shall provide the
640 controller or processor:
641 (i) written notice identifying each provision of this chapter the attorney general alleges
642 the controller or processor has violated or is violating; and
643 (ii) an explanation of the basis for each allegation.
644 (b) The attorney general may not initiate an action if the controller or processor:
645 (i) cures the noticed violation within 30 days after the day on which the controller or
646 processor receives the written notice described in Subsection (3)(a); and
647 (ii) provides the attorney general an express written statement that:
648 (A) the violation has been cured; and
649 (B) no further violation will occur.
650 (c) The attorney general may initiate an action against a controller or processor who:
651 (i) fails to cure a violation after receiving the notice described in Subsection (3)(a); or
652 (ii) after curing a noticed violation and providing a written statement in accordance
653 with Subsection (3)(b), continues to violate this chapter.
654 (d) In an action described in Subsection (3)(c), the attorney general may recover:
655 (i) actual damages to the consumer; and
656 (ii) for each violation of this chapter, an amount not to exceed $1,000 per consumer
657 affected by the violation.
658 (4) All money received from an action under this chapter shall be deposited into the
659 Consumer Privacy Account established in Section 13-58-403.
660 (5) If more than one controller or processor are involved in the same processing in
661 violation of this chapter, the liability for the violation shall be allocated among the controllers
662 or processors according to the principles of comparative fault.
663 Section 17. Section 13-58-403 is enacted to read:
664 13-58-403. Consumer privacy restricted account.
665 (1) There is created a restricted account known as the "Consumer Privacy Account."
666 (2) The account shall be funded by money received through civil enforcement actions
667 under this chapter.
668 (3) Upon appropriation, the division or the attorney general may use money deposited
669 into the account for:
670 (a) investigation and administrative costs incurred by the division in investigating
671 consumer complaints alleging violations of this chapter;
672 (b) recovery of costs and attorney fees accrued by the attorney general in enforcing this
673 chapter; and
674 (c) providing consumer and business education regarding:
675 (i) consumer rights under this chapter; and
676 (ii) compliance with the provisions of this chapter for controllers and processors.
677 (4) If the balance in the fund exceeds $4,000,000 at the close of any fiscal year, the
678 Division of Finance shall transfer the amount that exceeds $4,000,000 into the General Fund.
679 Section 18. Section 13-58-404 is enacted to read:
680 13-58-404. Attorney general report.
681 (1) The attorney general and the division shall compile a report:
682 (a) evaluating the liability and enforcement provisions of this chapter, including:
683 (i) the effectiveness of the attorney general's and the division's efforts to enforce this
684 chapter; and
685 (ii) any recommendations for changes to this chapter; and
686 (b) summarizing the data protected and not protected by this chapter including, with
687 reasonable detail:
688 (i) a list of the types of information that are publicly available from local, state, and
689 federal government sources; and
690 (ii) an inventory of information to which this chapter does not apply by virtue of a
691 limitation in Section 13-58-305.
692 (2) The attorney general and the division may update the report as new information
693 becomes available.
694 (3) The attorney general and the division shall submit the report to the Business and
695 Labor Interim Committee before July 1, 2023.
696 Section 19. Section 13-59-101 is enacted to read:
699 13-59-101. Title.
700 This chapter is known as the "Utah Commercial Email Act."
701 Section 20. Section 13-59-102 is enacted to read:
702 13-59-102. Definitions.
703 As used in this chapter:
704 (1) "Advertiser" means a person who advertises the person's product, service, or
705 website through the use of commercial email.
706 (2) (a) "Commercial email" means an email used primarily to:
707 (i) advertise or promote a commercial website, product, or service; or
708 (ii) solicit money, property, or personal information.
709 (b) "Commercial email" does not include email sent for the purpose of marketing
710 research.
711 (3) "Domain name" means any alphanumeric designation that is registered with or
712 assigned by any domain name registrar, domain name registry, or other domain name
713 registration authority as part of an electronic address on the Internet.
714 (4) "Electronic mail service provider" means a company or a service that provides
715 routing, relaying, handling, storage, or support for email addresses and email inboxes.
716 (5) "Header information" means information attached to an email, including:
717 (a) the originating domain name;
718 (b) the originating email address;
719 (c) the destination;
720 (d) the routing information; and
721 (e) any other information that appears in the header line identifying, or purporting to
722 identify, a person initiating the message.
723 (6) "Initiate" means an act of:
724 (a) originating, transmitting, or sending commercial email; or
725 (b) promising, paying, or providing other consideration for another person to originate,
726 transmit, or send a commercial email.
727 (7) (a) "Initiator" means a person who:
728 (i) originates, transmits, or sends commercial email; or
729 (ii) promises, pays, or provides other consideration for another person to originate,
730 transmit, or send commercial email.
731 (b) "Initiator" does not include a person whose activities are a routine conveyance.
732 (8) (a) "Marketing research" means the collection, use, maintenance, or transfer of
733 personal information to investigate the market for the purpose of marketing a product, service,
734 or idea.
735 (b) "Marketing research" does not include:
736 (i) the collection, use, maintenance, or transfer of personal information that is
737 integrated into a product or service; or
738 (ii) the use of personal information to:
739 (A) contact a particular individual or a particular device; or
740 (B) advertise or market to a particular individual or a particular device.
741 (9) "Preexisting or current business relationship" means a situation where the recipient
742 has:
743 (a) made an inquiry and provided an email address; or
744 (b) made an application, a purchase, or a transaction, with or without consideration,
745 related to a product or a service offered by the advertiser.
746 (10) "Recipient" means an addressee of an unsolicited email.
747 (11) "Routine conveyance" means the transmission, routing, relaying, handling, or
748 storing, through an automatic technical process, of an electronic mail message for which
749 another person has identified the recipients or provided the recipients' addresses.
750 (12) "Unsolicited commercial email" means a commercial email sent by an advertiser
751 to a recipient that:
752 (a) has not provided direct consent to the advertiser to receive the commercial email;
753 and
754 (b) does not have a preexisting or current relationship with the advertiser.
755 (13) "Utah email address" means an email address that is:
756 (a) provided by an electronic mail service provider that sends bills for providing and
757 maintaining that email address to a mailing address in this state;
758 (b) ordinarily accessed from a computer located in this state; or
759 (c) provided to an individual who is currently a resident of this state.
760 Section 21. Section 13-59-201 is enacted to read:
762 13-59-201. Prohibited uses of email.
763 An advertiser or an initiator may not knowingly initiate or advertise in a commercial
764 email sent from this state or sent to a Utah email address if:
765 (1) the commercial email contains or is accompanied by a third party's domain name
766 without the permission of the third party;
767 (2) the commercial email contains or is accompanied by false, misrepresented, or
768 forged header information, even if the commercial email contains truthful identifying
769 information for the advertiser in the body of the email; or
770 (3) the commercial email has a subject line that is likely to mislead a recipient, acting
771 reasonably under the circumstances, about a material fact regarding the identity of the
772 advertiser, the contents, or the subject matter of the commercial email.
773 Section 22. Section 13-59-202 is enacted to read:
774 13-59-202. Cause of action.
775 (1) (a) The following persons may bring a claim against an advertiser or initiator who
776 violates Section 13-59-201:
777 (i) the attorney general;
778 (ii) an electronic mail service provider;
779 (iii) a recipient of an unsolicited commercial email; or
780 (iv) a person whose brand, trademark, email address, or domain name an advertiser or
781 initiator uses, without authorization, in the header information.
782 (b) (i) There is a rebuttable presumption that a commercial email that violates Section
783 13-59-201 is an unsolicited commercial email.
784 (ii) The burden of proving that a commercial email is not an unsolicited commercial
785 email is on the defendant.
786 (2) (a) A person described in Subsections (1)(a)(i) through (iii) may recover:
787 (i) actual damages; and
788 (ii) except as provided in Subsection (2)(c), liquidated damages of $1,000 for each
789 unsolicited commercial email transmitted in violation of Section 13-59-201.
790 (b) If an addressee of an unsolicited commercial email has more than one email address
791 to which an advertiser or an initiator sends an unsolicited commercial email, the addressee is
792 considered a separate recipient for each email address to which the advertiser or the initiator
793 sends the unsolicited commercial email.
794 (c) If a court finds that an advertiser or an initiator used due diligence to establish and
795 implement practices and procedures to effectively prevent unsolicited commercial emails in
796 violation of this chapter, the court shall reduce the liquidated damages to $100 for each
797 unsolicited commercial email transmitted in violation of Section 13-59-201.
798 (3) A person described in Subsection (1)(a)(i) or (iv) may recover:
799 (a) actual damages; and
800 (b) liquidated damages in an amount equal to the lesser of:
801 (i) $1,000 for each commercial email transmitted in violation of this chapter that uses,
802 without authorization, a person's brand, trademark, email address, or domain name in the
803 header information; and
804 (ii) $2,000,000.
805 (4) The prevailing party in an action brought under this section may recover reasonable
806 attorney fees and costs.
807 (5) (a) Defendants in an action under this section are jointly and severally liable.
808 (b) There is no cause of action under this section against an electronic mail service
809 provider who is involved only in the routine transmission or conveyance of commercial email
810 over the email service provider's computer network.
811 Section 23. Section 63G-2-305 is amended to read:
812 63G-2-305. Protected records.
813 The following records are protected if properly classified by a governmental entity:
814 (1) trade secrets as defined in Section 13-24-2 if the person submitting the trade secret
815 has provided the governmental entity with the information specified in Section 63G-2-309;
816 (2) commercial information or nonindividual financial information obtained from a
817 person if:
818 (a) disclosure of the information could reasonably be expected to result in unfair
819 competitive injury to the person submitting the information or would impair the ability of the
820 governmental entity to obtain necessary information in the future;
821 (b) the person submitting the information has a greater interest in prohibiting access
822 than the public in obtaining access; and
823 (c) the person submitting the information has provided the governmental entity with
824 the information specified in Section 63G-2-309;
825 (3) commercial or financial information acquired or prepared by a governmental entity
826 to the extent that disclosure would lead to financial speculations in currencies, securities, or
827 commodities that will interfere with a planned transaction by the governmental entity or cause
828 substantial financial injury to the governmental entity or state economy;
829 (4) records, the disclosure of which could cause commercial injury to, or confer a
830 competitive advantage upon a potential or actual competitor of, a commercial project entity as
831 defined in Subsection 11-13-103(4);
832 (5) test questions and answers to be used in future license, certification, registration,
833 employment, or academic examinations;
834 (6) records, the disclosure of which would impair governmental procurement
835 proceedings or give an unfair advantage to any person proposing to enter into a contract or
836 agreement with a governmental entity, except, subject to Subsections (1) and (2), that this
837 Subsection (6) does not restrict the right of a person to have access to, after the contract or
838 grant has been awarded and signed by all parties:
839 (a) a bid, proposal, application, or other information submitted to or by a governmental
840 entity in response to:
841 (i) an invitation for bids;
842 (ii) a request for proposals;
843 (iii) a request for quotes;
844 (iv) a grant; or
845 (v) other similar document; or
846 (b) an unsolicited proposal, as defined in Section 63G-6a-712;
847 (7) information submitted to or by a governmental entity in response to a request for
848 information, except, subject to Subsections (1) and (2), that this Subsection (7) does not restrict
849 the right of a person to have access to the information, after:
850 (a) a contract directly relating to the subject of the request for information has been
851 awarded and signed by all parties; or
852 (b) (i) a final determination is made not to enter into a contract that relates to the
853 subject of the request for information; and
854 (ii) at least two years have passed after the day on which the request for information is
855 issued;
856 (8) records that would identify real property or the appraisal or estimated value of real
857 or personal property, including intellectual property, under consideration for public acquisition
858 before any rights to the property are acquired unless:
859 (a) public interest in obtaining access to the information is greater than or equal to the
860 governmental entity's need to acquire the property on the best terms possible;
861 (b) the information has already been disclosed to persons not employed by or under a
862 duty of confidentiality to the entity;
863 (c) in the case of records that would identify property, potential sellers of the described
864 property have already learned of the governmental entity's plans to acquire the property;
865 (d) in the case of records that would identify the appraisal or estimated value of
866 property, the potential sellers have already learned of the governmental entity's estimated value
867 of the property; or
868 (e) the property under consideration for public acquisition is a single family residence
869 and the governmental entity seeking to acquire the property has initiated negotiations to acquire
870 the property as required under Section 78B-6-505;
871 (9) records prepared in contemplation of sale, exchange, lease, rental, or other
872 compensated transaction of real or personal property including intellectual property, which, if
873 disclosed prior to completion of the transaction, would reveal the appraisal or estimated value
874 of the subject property, unless:
875 (a) the public interest in access is greater than or equal to the interests in restricting
876 access, including the governmental entity's interest in maximizing the financial benefit of the
877 transaction; or
878 (b) when prepared by or on behalf of a governmental entity, appraisals or estimates of
879 the value of the subject property have already been disclosed to persons not employed by or
880 under a duty of confidentiality to the entity;
881 (10) records created or maintained for civil, criminal, or administrative enforcement
882 purposes or audit purposes, or for discipline, licensing, certification, or registration purposes, if
883 release of the records:
884 (a) reasonably could be expected to interfere with investigations undertaken for
885 enforcement, discipline, licensing, certification, or registration purposes;
886 (b) reasonably could be expected to interfere with audits, disciplinary, or enforcement
887 proceedings;
888 (c) would create a danger of depriving a person of a right to a fair trial or impartial
889 hearing;
890 (d) reasonably could be expected to disclose the identity of a source who is not
891 generally known outside of government and, in the case of a record compiled in the course of
892 an investigation, disclose information furnished by a source not generally known outside of
893 government if disclosure would compromise the source; or
894 (e) reasonably could be expected to disclose investigative or audit techniques,
895 procedures, policies, or orders not generally known outside of government if disclosure would
896 interfere with enforcement or audit efforts;
897 (11) records the disclosure of which would jeopardize the life or safety of an
898 individual;
899 (12) records the disclosure of which would jeopardize the security of governmental
900 property, governmental programs, or governmental recordkeeping systems from damage, theft,
901 or other appropriation or use contrary to law or public policy;
902 (13) records that, if disclosed, would jeopardize the security or safety of a correctional
903 facility, or records relating to incarceration, treatment, probation, or parole, that would interfere
904 with the control and supervision of an offender's incarceration, treatment, probation, or parole;
905 (14) records that, if disclosed, would reveal recommendations made to the Board of
906 Pardons and Parole by an employee of or contractor for the Department of Corrections, the
907 Board of Pardons and Parole, or the Department of Human Services that are based on the
908 employee's or contractor's supervision, diagnosis, or treatment of any person within the board's
909 jurisdiction;
910 (15) records and audit workpapers that identify audit, collection, and operational
911 procedures and methods used by the State Tax Commission, if disclosure would interfere with
912 audits or collections;
913 (16) records of a governmental audit agency relating to an ongoing or planned audit
914 until the final audit is released;
915 (17) records that are subject to the attorney client privilege;
916 (18) records prepared for or by an attorney, consultant, surety, indemnitor, insurer,
917 employee, or agent of a governmental entity for, or in anticipation of, litigation or a judicial,
918 quasi-judicial, or administrative proceeding;
919 (19) (a) (i) personal files of a state legislator, including personal correspondence to or
920 from a member of the Legislature; and
921 (ii) notwithstanding Subsection (19)(a)(i), correspondence that gives notice of
922 legislative action or policy may not be classified as protected under this section; and
923 (b) (i) an internal communication that is part of the deliberative process in connection
924 with the preparation of legislation between:
925 (A) members of a legislative body;
926 (B) a member of a legislative body and a member of the legislative body's staff; or
927 (C) members of a legislative body's staff; and
928 (ii) notwithstanding Subsection (19)(b)(i), a communication that gives notice of
929 legislative action or policy may not be classified as protected under this section;
930 (20) (a) records in the custody or control of the Office of Legislative Research and
931 General Counsel, that, if disclosed, would reveal a particular legislator's contemplated
932 legislation or contemplated course of action before the legislator has elected to support the
933 legislation or course of action, or made the legislation or course of action public; and
934 (b) notwithstanding Subsection (20)(a), the form to request legislation submitted to the
935 Office of Legislative Research and General Counsel is a public document unless a legislator
936 asks that the records requesting the legislation be maintained as protected records until such
937 time as the legislator elects to make the legislation or course of action public;
938 (21) research requests from legislators to the Office of Legislative Research and
939 General Counsel or the Office of the Legislative Fiscal Analyst and research findings prepared
940 in response to these requests;
941 (22) drafts, unless otherwise classified as public;
942 (23) records concerning a governmental entity's strategy about:
943 (a) collective bargaining; or
944 (b) imminent or pending litigation;
945 (24) records of investigations of loss occurrences and analyses of loss occurrences that
946 may be covered by the Risk Management Fund, the Employers' Reinsurance Fund, the
947 Uninsured Employers' Fund, or similar divisions in other governmental entities;
948 (25) records, other than personnel evaluations, that contain a personal recommendation
949 concerning an individual if disclosure would constitute a clearly unwarranted invasion of
950 personal privacy, or disclosure is not in the public interest;
951 (26) records that reveal the location of historic, prehistoric, paleontological, or
952 biological resources that if known would jeopardize the security of those resources or of
953 valuable historic, scientific, educational, or cultural information;
954 (27) records of independent state agencies if the disclosure of the records would
955 conflict with the fiduciary obligations of the agency;
956 (28) records of an institution within the state system of higher education defined in
957 Section 53B-1-102 regarding tenure evaluations, appointments, applications for admissions,
958 retention decisions, and promotions, which could be properly discussed in a meeting closed in
959 accordance with Title 52, Chapter 4, Open and Public Meetings Act, provided that records of
960 the final decisions about tenure, appointments, retention, promotions, or those students
961 admitted, may not be classified as protected under this section;
962 (29) records of the governor's office, including budget recommendations, legislative
963 proposals, and policy statements, that if disclosed would reveal the governor's contemplated
964 policies or contemplated courses of action before the governor has implemented or rejected
965 those policies or courses of action or made them public;
966 (30) records of the Office of the Legislative Fiscal Analyst relating to budget analysis,
967 revenue estimates, and fiscal notes of proposed legislation before issuance of the final
968 recommendations in these areas;
969 (31) records provided by the United States or by a government entity outside the state
970 that are given to the governmental entity with a requirement that they be managed as protected
971 records if the providing entity certifies that the record would not be subject to public disclosure
972 if retained by it;
973 (32) transcripts, minutes, recordings, or reports of the closed portion of a meeting of a
974 public body except as provided in Section 52-4-206;
975 (33) records that would reveal the contents of settlement negotiations but not including
976 final settlements or empirical data to the extent that they are not otherwise exempt from
977 disclosure;
978 (34) memoranda prepared by staff and used in the decision-making process by an
979 administrative law judge, a member of the Board of Pardons and Parole, or a member of any
980 other body charged by law with performing a quasi-judicial function;
981 (35) records that would reveal negotiations regarding assistance or incentives offered
982 by or requested from a governmental entity for the purpose of encouraging a person to expand
983 or locate a business in Utah, but only if disclosure would result in actual economic harm to the
984 person or place the governmental entity at a competitive disadvantage, but this section may not
985 be used to restrict access to a record evidencing a final contract;
986 (36) materials to which access must be limited for purposes of securing or maintaining
987 the governmental entity's proprietary protection of intellectual property rights including patents,
988 copyrights, and trade secrets;
989 (37) the name of a donor or a prospective donor to a governmental entity, including an
990 institution within the state system of higher education defined in Section 53B-1-102, and other
991 information concerning the donation that could reasonably be expected to reveal the identity of
992 the donor, provided that:
993 (a) the donor requests anonymity in writing;
994 (b) any terms, conditions, restrictions, or privileges relating to the donation may not be
995 classified protected by the governmental entity under this Subsection (37); and
996 (c) except for an institution within the state system of higher education defined in
997 Section 53B-1-102, the governmental unit to which the donation is made is primarily engaged
998 in educational, charitable, or artistic endeavors, and has no regulatory or legislative authority
999 over the donor, a member of the donor's immediate family, or any entity owned or controlled
1000 by the donor or the donor's immediate family;
1001 (38) accident reports, except as provided in Sections 41-6a-404, 41-12a-202, and
1002 73-18-13;
1003 (39) a notification of workers' compensation insurance coverage described in Section
1004 34A-2-205;
1005 (40) (a) the following records of an institution within the state system of higher
1006 education defined in Section 53B-1-102, which have been developed, discovered, disclosed to,
1007 or received by or on behalf of faculty, staff, employees, or students of the institution:
1008 (i) unpublished lecture notes;
1009 (ii) unpublished notes, data, and information:
1010 (A) relating to research; and
1011 (B) of:
1012 (I) the institution within the state system of higher education defined in Section
1013 53B-1-102; or
1014 (II) a sponsor of sponsored research;
1015 (iii) unpublished manuscripts;
1016 (iv) creative works in process;
1017 (v) scholarly correspondence; and
1018 (vi) confidential information contained in research proposals;
1019 (b) Subsection (40)(a) may not be construed to prohibit disclosure of public
1020 information required pursuant to Subsection 53B-16-302(2)(a) or (b); and
1021 (c) Subsection (40)(a) may not be construed to affect the ownership of a record;
1022 (41) (a) records in the custody or control of the Office of Legislative Auditor General
1023 that would reveal the name of a particular legislator who requests a legislative audit prior to the
1024 date that audit is completed and made public; and
1025 (b) notwithstanding Subsection (41)(a), a request for a legislative audit submitted to the
1026 Office of the Legislative Auditor General is a public document unless the legislator asks that
1027 the records in the custody or control of the Office of Legislative Auditor General that would
1028 reveal the name of a particular legislator who requests a legislative audit be maintained as
1029 protected records until the audit is completed and made public;
1030 (42) records that provide detail as to the location of an explosive, including a map or
1031 other document that indicates the location of:
1032 (a) a production facility; or
1033 (b) a magazine;
1034 (43) information:
1035 (a) contained in the statewide database of the Division of Aging and Adult Services
1036 created by Section 62A-3-311.1; or
1037 (b) received or maintained in relation to the Identity Theft Reporting Information
1038 System (IRIS) established under Section 67-5-22;
1039 (44) information contained in the Management Information System and Licensing
1040 Information System described in Title 62A, Chapter 4a, Child and Family Services;
1041 (45) information regarding National Guard operations or activities in support of the
1042 National Guard's federal mission;
1043 (46) records provided by any pawn or secondhand business to a law enforcement
1044 agency or to the central database in compliance with Title 13, Chapter 32a, Pawnshop and
1045 Secondhand Merchandise Transaction Information Act;
1046 (47) information regarding food security, risk, and vulnerability assessments performed
1047 by the Department of Agriculture and Food;
1048 (48) except to the extent that the record is exempt from this chapter pursuant to Section
1049 63G-2-106, records related to an emergency plan or program, a copy of which is provided to or
1050 prepared or maintained by the Division of Emergency Management, and the disclosure of
1051 which would jeopardize:
1052 (a) the safety of the general public; or
1053 (b) the security of:
1054 (i) governmental property;
1055 (ii) governmental programs; or
1056 (iii) the property of a private person who provides the Division of Emergency
1057 Management information;
1058 (49) records of the Department of Agriculture and Food that provide for the
1059 identification, tracing, or control of livestock diseases, including any program established under
1060 Title 4, Chapter 24, Utah Livestock Brand and Anti-Theft Act, or Title 4, Chapter 31, Control
1061 of Animal Disease;
1062 (50) as provided in Section 26-39-501:
1063 (a) information or records held by the Department of Health related to a complaint
1064 regarding a child care program or residential child care which the department is unable to
1065 substantiate; and
1066 (b) information or records related to a complaint received by the Department of Health
1067 from an anonymous complainant regarding a child care program or residential child care;
1068 (51) unless otherwise classified as public under Section 63G-2-301 and except as
1069 provided under Section 41-1a-116, an individual's home address, home telephone number, or
1070 personal mobile phone number, if:
1071 (a) the individual is required to provide the information in order to comply with a law,
1072 ordinance, rule, or order of a government entity; and
1073 (b) the subject of the record has a reasonable expectation that this information will be
1074 kept confidential due to:
1075 (i) the nature of the law, ordinance, rule, or order; and
1076 (ii) the individual complying with the law, ordinance, rule, or order;
1077 (52) the portion of the following documents that contains a candidate's residential or
1078 mailing address, if the candidate provides to the filing officer another address or phone number
1079 where the candidate may be contacted:
1080 (a) a declaration of candidacy, a nomination petition, or a certificate of nomination,
1081 described in Section 20A-9-201, 20A-9-202, 20A-9-203, 20A-9-404, 20A-9-405, 20A-9-408,
1082 20A-9-408.5, 20A-9-502, or 20A-9-601;
1083 (b) an affidavit of impecuniosity, described in Section 20A-9-201; or
1084 (c) a notice of intent to gather signatures for candidacy, described in Section
1085 20A-9-408;
1086 (53) the name, home address, work addresses, and telephone numbers of an individual
1087 that is engaged in, or that provides goods or services for, medical or scientific research that is:
1088 (a) conducted within the state system of higher education, as defined in Section
1089 53B-1-102; and
1090 (b) conducted using animals;
1091 (54) in accordance with Section 78A-12-203, any record of the Judicial Performance
1092 Evaluation Commission concerning an individual commissioner's vote on whether or not to
1093 recommend that the voters retain a judge including information disclosed under Subsection
1094 78A-12-203(5)(e);
1095 (55) information collected and a report prepared by the Judicial Performance
1096 Evaluation Commission concerning a judge, unless Section 20A-7-702 or Title 78A, Chapter
1097 12, Judicial Performance Evaluation Commission Act, requires disclosure of, or makes public,
1098 the information or report;
1099 (56) records contained in the Management Information System created in Section
1100 62A-4a-1003;
1101 (57) records provided or received by the Public Lands Policy Coordinating Office in
1102 furtherance of any contract or other agreement made in accordance with Section 63J-4-603;
1103 (58) information requested by and provided to the 911 Division under Section
1104 63H-7a-302;
1105 (59) in accordance with Section 73-10-33:
1106 (a) a management plan for a water conveyance facility in the possession of the Division
1107 of Water Resources or the Board of Water Resources; or
1108 (b) an outline of an emergency response plan in possession of the state or a county or
1109 municipality;
1110 (60) the following records in the custody or control of the Office of Inspector General
1111 of Medicaid Services, created in Section 63A-13-201:
1112 (a) records that would disclose information relating to allegations of personal
1113 misconduct, gross mismanagement, or illegal activity of a person if the information or
1114 allegation cannot be corroborated by the Office of Inspector General of Medicaid Services
1115 through other documents or evidence, and the records relating to the allegation are not relied
1116 upon by the Office of Inspector General of Medicaid Services in preparing a final investigation
1117 report or final audit report;
1118 (b) records and audit workpapers to the extent they would disclose the identity of a
1119 person who, during the course of an investigation or audit, communicated the existence of any
1120 Medicaid fraud, waste, or abuse, or a violation or suspected violation of a law, rule, or
1121 regulation adopted under the laws of this state, a political subdivision of the state, or any
1122 recognized entity of the United States, if the information was disclosed on the condition that
1123 the identity of the person be protected;
1124 (c) before the time that an investigation or audit is completed and the final
1125 investigation or final audit report is released, records or drafts circulated to a person who is not
1126 an employee or head of a governmental entity for the person's response or information;
1127 (d) records that would disclose an outline or part of any investigation, audit survey
1128 plan, or audit program; or
1129 (e) requests for an investigation or audit, if disclosure would risk circumvention of an
1130 investigation or audit;
1131 (61) records that reveal methods used by the Office of Inspector General of Medicaid
1132 Services, the fraud unit, or the Department of Health, to discover Medicaid fraud, waste, or
1133 abuse;
1134 (62) information provided to the Department of Health or the Division of Occupational
1135 and Professional Licensing under Subsections 58-67-304(3) and (4) and Subsections
1136 58-68-304(3) and (4);
1137 (63) a record described in Section 63G-12-210;
1138 (64) captured plate data that is obtained through an automatic license plate reader
1139 system used by a governmental entity as authorized in Section 41-6a-2003;
1140 (65) any record in the custody of the Utah Office for Victims of Crime relating to a
1141 victim, including:
1142 (a) a victim's application or request for benefits;
1143 (b) a victim's receipt or denial of benefits; and
1144 (c) any administrative notes or records made or created for the purpose of, or used to,
1145 evaluate or communicate a victim's eligibility for or denial of benefits from the Crime Victim
1146 Reparations Fund;
1147 (66) an audio or video recording created by a body-worn camera, as that term is
1148 defined in Section 77-7a-103, that records sound or images inside a hospital or health care
1149 facility as those terms are defined in Section 78B-3-403, inside a clinic of a health care
1150 provider, as that term is defined in Section 78B-3-403, or inside a human service program as
1151 that term is defined in Section 62A-2-101, except for recordings that:
1152 (a) depict the commission of an alleged crime;
1153 (b) record any encounter between a law enforcement officer and a person that results in
1154 death or bodily injury, or includes an instance when an officer fires a weapon;
1155 (c) record any encounter that is the subject of a complaint or a legal proceeding against
1156 a law enforcement officer or law enforcement agency;
1157 (d) contain an officer involved critical incident as defined in Subsection
1158 76-2-408(1)(f); or
1159 (e) have been requested for reclassification as a public record by a subject or
1160 authorized agent of a subject featured in the recording;
1161 (67) a record pertaining to the search process for a president of an institution of higher
1162 education described in Section 53B-2-102, except for application materials for a publicly
1163 announced finalist;
1164 (68) an audio recording that is:
1165 (a) produced by an audio recording device that is used in conjunction with a device or
1166 piece of equipment designed or intended for resuscitating an individual or for treating an
1167 individual with a life-threatening condition;
1168 (b) produced during an emergency event when an individual employed to provide law
1169 enforcement, fire protection, paramedic, emergency medical, or other first responder service:
1170 (i) is responding to an individual needing resuscitation or with a life-threatening
1171 condition; and
1172 (ii) uses a device or piece of equipment designed or intended for resuscitating an
1173 individual or for treating an individual with a life-threatening condition; and
1174 (c) intended and used for purposes of training emergency responders how to improve
1175 their response to an emergency situation;
1176 (69) records submitted by or prepared in relation to an applicant seeking a
1177 recommendation by the Research and General Counsel Subcommittee, the Budget
1178 Subcommittee, or the Audit Subcommittee, established under Section 36-12-8, for an
1179 employment position with the Legislature;
1180 (70) work papers as defined in Section 31A-2-204;
1181 (71) a record made available to Adult Protective Services or a law enforcement agency
1182 under Section 61-1-206;
1183 (72) a record submitted to the Insurance Department in accordance with Section
1184 31A-37-201 or 31A-22-653;
1185 (73) a record described in Section 31A-37-503;
1186 (74) any record created by the Division of Occupational and Professional Licensing as
1187 a result of Subsection 58-37f-304(5) or 58-37f-702(2)(a)(ii);
1188 (75) a record described in Section 72-16-306 that relates to the reporting of an injury
1189 involving an amusement ride;
1190 (76) except as provided in Subsection 63G-2-305.5(1), the signature of an individual
1191 on a political petition, or on a request to withdraw a signature from a political petition,
1192 including a petition or request described in the following titles:
1193 (a) Title 10, Utah Municipal Code;
1194 (b) Title 17, Counties;
1195 (c) Title 17B, Limited Purpose Local Government Entities - Local Districts;
1196 (d) Title 17D, Limited Purpose Local Government Entities - Other Entities; and
1197 (e) Title 20A, Election Code;
1198 (77) except as provided in Subsection 63G-2-305.5(2), the signature of an individual in
1199 a voter registration record;
1200 (78) except as provided in Subsection 63G-2-305.5(3), any signature, other than a
1201 signature described in Subsection (76) or (77), in the custody of the lieutenant governor or a
1202 local political subdivision collected or held under, or in relation to, Title 20A, Election Code;
1203 (79) a Form I-918 Supplement B certification as described in Title 77, Chapter 38, Part
1204 5, Victims Guidelines for Prosecutors Act;
1205 (80) a record submitted to the Insurance Department under Subsection
1206 31A-47-103(1)(b);
1207 (81) personal information, as defined in Section 63G-26-102, to the extent disclosure is
1208 prohibited under Section 63G-26-103; and
1209 (82) data protection assessments submitted by a controller to the Division of Consumer
1210 Protection or attorney general under Section 13-58-304.
1211 Section 24. Effective date.
1212 This bill takes effect on January 1, 2022.