Chief Sponsor: Kirk A. Cullimore

House Sponsor: Brady Brammer


8     General Description:
9          This bill enacts the Utah Consumer Privacy Act and Utah Commercial Email Act.
10     Highlighted Provisions:
11          This bill:
12          ▸     defines terms;
13          ▸     provides consumers the right to access, correct, and delete certain personal data;
14          ▸     gives consumers the right to opt out of the collection and use of personal data for
15     certain purposes;
16          ▸     requires certain businesses that control and process personal data of consumers to:
17               •     safeguard personal data;
18               •     provide clear information to consumers regarding how the consumer's personal
19     data are used;
20               •     accept consumer requests to exercise the consumer's rights under this bill;
21               •     comply with a consumer's request to exercise the consumer's rights under this
22     bill; and
23               •     maintain data protection assessments;
24          ▸     creates a process for a consumer to submit requests and appeal a business's decision
25     regarding the business's processing of the consumer's personal data;
26          ▸     allows the Division of Consumer Protection to accept and investigate consumer
27     complaints regarding the processing of personal data;

28          ▸     empowers the Office of the Attorney General to:
29               •     obtain and evaluate a business's data protection assessments;
30               •     take enforcement action against violators; and
31               •     impose penalties for violations;
32          ▸     creates a right for a consumer to know what personal information a business
33     collects, how the business uses the personal information, and whether the business
34     sells the personal information;
35          ▸     allows a consumer to require a business to delete personal information, with
36     exceptions, and direct a business that sells personal information to stop selling the
37     consumer's personal information;
38          ▸     prohibits an advertiser or a person initiating an email from sending unauthorized or
39     misleading commercial email from this state or to an email address within this state;
40          ▸     creates a cause of action for the Office of the Attorney General, the electronic mail
41     service provider, the recipient of the unsolicited commercial email, and any person
42     whose brand, trademark, email address, or domain name is used without permission
43     to recover damages related to unauthorized or misleading commercial email;
44          ▸     permits the prevailing party to recover attorney fees and costs in an action related to
45     unauthorized or misleading commercial email; and
46          ▸     makes technical changes.
47     Money Appropriated in this Bill:
48          None
49     Other Special Clauses:
50          This bill provides a special effective date.
51     Utah Code Sections Affected:
52     AMENDS:
53          13-2-1, as last amended by Laws of Utah 2020, Chapter 118
54          63G-2-305, as last amended by Laws of Utah 2020, Chapters 112, 198, 339, 349, 382,
55     and 393
56     ENACTS:
57          13-58-101, Utah Code Annotated 1953
58          13-58-102, Utah Code Annotated 1953

59          13-58-201, Utah Code Annotated 1953
60          13-58-202, Utah Code Annotated 1953
61          13-58-203, Utah Code Annotated 1953
62          13-58-204, Utah Code Annotated 1953
63          13-58-205, Utah Code Annotated 1953
64          13-58-301, Utah Code Annotated 1953
65          13-58-302, Utah Code Annotated 1953
66          13-58-303, Utah Code Annotated 1953
67          13-58-304, Utah Code Annotated 1953
68          13-58-305, Utah Code Annotated 1953
69          13-58-306, Utah Code Annotated 1953
70          13-58-401, Utah Code Annotated 1953
71          13-58-402, Utah Code Annotated 1953
72          13-58-403, Utah Code Annotated 1953
73          13-58-404, Utah Code Annotated 1953
74          13-59-101, Utah Code Annotated 1953
75          13-59-102, Utah Code Annotated 1953
76          13-59-201, Utah Code Annotated 1953
77          13-59-202, Utah Code Annotated 1953

79     Be it enacted by the Legislature of the state of Utah:
80          Section 1. Section 13-2-1 is amended to read:
81          13-2-1. Consumer protection division established -- Functions.
82          (1) There is established within the Department of Commerce the Division of Consumer
83     Protection.
84          (2) The division shall administer and enforce the following:
85          (a) Chapter 5, Unfair Practices Act;
86          (b) Chapter 10a, Music Licensing Practices Act;
87          (c) Chapter 11, Utah Consumer Sales Practices Act;
88          (d) Chapter 15, Business Opportunity Disclosure Act;
89          (e) Chapter 20, New Motor Vehicle Warranties Act;

90          (f) Chapter 21, Credit Services Organizations Act;
91          (g) Chapter 22, Charitable Solicitations Act;
92          (h) Chapter 23, Health Spa Services Protection Act;
93          (i) Chapter 25a, Telephone and Facsimile Solicitation Act;
94          (j) Chapter 26, Telephone Fraud Prevention Act;
95          (k) Chapter 28, Prize Notices Regulation Act;
96          (l) Chapter 32a, Pawnshop and Secondhand Merchandise Transaction Information Act;
97          (m) Chapter 34, Utah Postsecondary Proprietary School Act;
98          (n) Chapter 34a, Utah Postsecondary School State Authorization Act;
99          (o) Chapter 39, Child Protection Registry;
100          (p) Chapter 41, Price Controls During Emergencies Act;
101          (q) Chapter 42, Uniform Debt-Management Services Act;
102          (r) Chapter 49, Immigration Consultants Registration Act;
103          (s) Chapter 51, Transportation Network Company Registration Act;
104          (t) Chapter 52, Residential Solar Energy Disclosure Act;
105          (u) Chapter 53, Residential, Vocational and Life Skills Program Act;
106          (v) Chapter 54, Ticket Website Sales Act;
107          (w) Chapter 56, Ticket Transferability Act; [and]
108          (x) Chapter 57, Maintenance Funding Practices Act[.]; and
109          (y) Chapter 58, Utah Consumer Privacy Act.
110          Section 2. Section 13-58-101 is enacted to read:

Part 1. General Provisions

113          13-58-101. Title.
114          This chapter is known as the "Utah Consumer Privacy Act."
115          Section 3. Section 13-58-102 is enacted to read:
116          13-58-102. Definitions.
117          As used in this chapter:
118          (1) (a) "Affiliate" means a person who directly or indirectly through one or more
119     intermediaries controls, or is controlled by, or is under common control with, the person
120     specified.

121          (b) "Affiliate" includes a subsidiary.
122          (2) "Authenticate" means to use reasonable means to determine that a consumer's
123     request to exercise the rights described in Section 13-58-202 is made by the consumer who is
124     entitled to exercise those rights.
125          (3) "Business associate" means the same as that term is defined in 45 C.F.R. Sec.
126     160.103.
127          (4) "Child" means an individual younger than 13 years old.
128          (5) "Consent" means an affirmative act by a consumer that unambiguously indicates
129     the consumer's voluntary and informed agreement to allow a person to process personal data
130     related to the consumer.
131          (6) (a) "Consumer" means an individual who is a resident of the state acting in an
132     individual or household context.
133          (b) "Consumer" does not include an individual acting in an employment or commercial
134     context.
135          (7) (a) "Controller" means a person doing business in the state who determines the
136     purposes for which and the means by which personal data is processed, regardless of whether
137     the person makes the determination alone or with others.
138          (b) "Controller" does not include a person who processes personal data solely for the
139     purposes described in Subsections 13-58-305(1)(a) through (d), or (f).
140          (8) "Covered entity" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
141          (9) "Deidentified data" means data that:
142          (a) cannot reasonably be linked to an identifiable individual; and
143          (b) are possessed by a controller who:
144          (i) takes reasonable measures to ensure that a person cannot associate the data with an
145     identifiable individual;
146          (ii) publicly commits to maintain and use the data only in deidentified form and not
147     attempt to reidentify the data; and
148          (iii) contractually obligates any recipients of the data to comply with the requirements
149     described in Subsections (9)(b)(i) and (ii).
150          (10) "Director" means the director of the Division of Consumer Protection.
151          (11) "Division" means the Division of Consumer Protection created in Section 13-2-1.

152          (12) "Health care facility" means the same as that term is defined in Section 26-21-2.
153          (13) "Health care provider" means the same as that term is defined in Section 26-21-2.
154          (14) "Identifiable individual" means an individual who can be readily identified,
155     directly or indirectly.
156          (15) "Local political subdivision" means the same as that term is defined in Section
157     11-14-102.
158          (16) "Nonprofit corporation" means the same as that term is defined in Section
159     16-6a-102.
160          (17) (a) "Personal data" means any information that:
161          (i) identifies or describes an identifiable individual; or
162          (ii) is reasonably capable of identifying or describing an identifiable individual.
163          (b) "Personal data" does not include deidentified data, anonymous or pseudonymous
164     data, or publicly available information.
165          (18) "Process" means an operation or set of operations performed on personal data,
166     including collection, use, storage, disclosure, analysis, deletion, or modification of personal
167     data.
168          (19) "Processor" means a person who processes personal data on behalf of a controller.
169          (20) "Profiling" means automated processing of personal data to evaluate, analyze, or
170     predict personal aspects concerning an identifiable individual's:
171          (a) economic situation;
172          (b) health;
173          (c) personal preferences;
174          (d) interests;
175          (e) reliability;
176          (f) behavior;
177          (g) location; or
178          (h) movements.
179          (21) "Protected health information" means the same as that term is defined in 45 C.F.R.
180     Sec. 160.103.
181          (22) "Pseudonymous data" means personal data that cannot be attributed to a specific
182     individual without the use of additional information, if the additional information is:

183          (a) kept separate from the consumer's personal data; and
184          (b) subject to appropriate technical and organizational measures to ensure that the
185     personal data are not attributable to an identifiable individual.
186          (23) "Publicly available information" means information that a person:
187          (a) lawfully obtains from a federal, state, or local political subdivision record;
188          (b) reasonably believes a consumer or widely distributed media has lawfully made
189     available to the general public; or
190          (c) if the consumer has not restricted the information to a specific audience, obtains
191     from a person to whom the consumer disclosed the information.
192          (24) "Right" means a consumer right described in Section 13-58-202.
193          (25) (a) "Sale," "sell," or "sold" means the exchange of personal data for monetary
194     consideration by a controller to a third party.
195          (b) "Sale" does not include:
196          (i) a controller's disclosure of personal data to a processor who processes the personal
197     data on behalf of the controller;
198          (ii) a controller's disclosure of personal data to an affiliate of the controller;
199          (iii) considering the context in which the consumer provided the personal data to the
200     controller, a controller's disclosure of personal data to a third party if the purpose is consistent
201     with a consumer's reasonable expectations;
202          (iv) a consumer's disclosure of personal data to a third party for the purpose of
203     providing a product or service requested by the consumer;
204          (v) a consumer's disclosure of information that the consumer:
205          (A) intentionally makes available to the general public via a channel of mass media;
206     and
207          (B) does not restrict to a specific audience; or
208          (vi) a controller's transfer of personal data to a third party as an asset that is part of a
209     proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes
210     control of all or part of the controller's assets.
211          (26) (a) "Sensitive data" means:
212          (i) personal data that reveals an individual's:
213          (A) racial or ethnic origin;

214          (B) religious beliefs;
215          (C) diagnosed mental or physical health condition;
216          (D) sexual orientation; or
217          (E) citizenship or immigration status;
218          (ii) the processing of genetic or biometric personal data for the purpose of identifying
219     an individual;
220          (iii) the personal data of a known child; or
221          (iv) specific geolocation data.
222          (b) "Sensitive data" does not include personal data that reveals an individual's racial or
223     ethnic origin, if the personal data is processed by a video communication service.
224          (27) (a) "Specific geolocation data" means information:
225          (i) derived from technology; and
226          (ii) used or intended to be used to identify the specific location of a consumer within a
227     geographic area with a radius of 1,850 feet or less.
228          (b) "Specific geolocation data" does not include the content of a communication.
229          (28) (a) "Targeted advertising" means displaying an advertisement to a consumer
230     where the advertisement is selected based on personal data obtained from the consumer's
231     activities over time and across nonaffiliated websites or online applications to predict the
232     consumer's preferences or interests.
233          (b) "Targeted advertising" does not include advertising:
234          (i) based on a consumer's activities within a controller's or an affiliate of the
235     controller's websites or online applications;
236          (ii) based on the context of a consumer's current search query or visit to a website or
237     online application;
238          (iii) directed to a consumer in response to the consumer's request for information,
239     product, a service, or feedback; or
240          (iv) used solely to measure or report advertising:
241          (A) performance;
242          (B) reach; or
243          (C) frequency.
244          (29) "Third party" means a person other than:

245          (a) the consumer, controller, or processor; or
246          (b) an affiliate or contractor of the controller or the processor.
247          Section 4. Section 13-58-201 is enacted to read:
Part 2. Rights Relating to Personal Information

249          13-58-201. Applicability.
250          (1) This chapter applies to any controller or processor who:
251          (a) (i) conducts business in the state; or
252          (ii) produces a product or service that is targeted to residents of the state; and
253          (b) satisfies one or more of the following thresholds:
254          (i) during a calendar year, controls or processes personal data of 100,000 or more
255     consumers; or
256          (ii) derives over 50% of the entity's gross revenue from the sale of personal data and
257     controls or processes personal data of 25,000 or more consumers.
258          (2) This chapter does not apply to:
259          (a) a government entity;
260          (b) a tribe;
261          (c) a nonprofit corporation;
262          (d) information that meets the definition of:
263          (i) protected health information for purposes of the federal Health Insurance Portability
264     and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations;
265          (ii) patient identifying information for purposes of 42 C.F.R. Part 2;
266          (iii) identifiable private information for purposes of the Federal Policy for the
267     Protection of Human Subjects, 45 C.F.R. Part 46;
268          (iv) identifiable private information or personal data collected as part of human
269     subjects research pursuant to or under the same standards as:
270          (A) the good clinical practice guidelines issued by the International Council for
271     Harmonisation; or
272          (B) the Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review
273     Boards under 21 C.F.R. Part 56;
274          (v) personal data used or shared in research conducted in accordance with one or more
275     of the requirements described in Subsection (2)(e)(iv);

276          (vi) information and documents created specifically for, and collected and maintained
277     by, a committee listed in Section 26-1-7;
278          (vii) information and documents created for purposes of the federal Health Care
279     Quality Improvement Act of 1986, 42 U.S.C. Sec. 11101 et seq., and related regulations;
280          (viii) patient safety work product for purposes of 42 C.F.R. Part 3; or
281          (ix) information that is:
282          (A) deidentified in accordance with the requirements for deidentification set forth in 45
283     C.F.R. Part 164; and
284          (B) derived from any of the health care-related information listed in this Subsection
285     (2)(d);
286          (e) information originating from, and intermingled to be indistinguishable with,
287     information under Subsection (2)(d) that is maintained by:
288          (i) a covered entity or business associate;
289          (ii) a health care facility or health care provider; or
290          (iii) a program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11;
291          (f) information used only for public health activities and purposes as described in 45
292     C.F.R. Sec. 164.512;
293          (g) (i) an activity by:
294          (A) a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a;
295          (B) a furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides
296     information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or
297          (C) a user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b;
298          (ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec.
299     1681 et seq.; and
300          (iii) involving the collection, maintenance, disclosure, sale, communication, or use of
301     any personal information bearing on a consumer's:
302          (A) credit worthiness;
303          (B) credit standing;
304          (C) credit capacity;
305          (D) character;
306          (E) general reputation;

307          (F) personal characteristics; or
308          (G) mode of living;
309          (h) a financial institution or an affiliate of a financial institution governed by Title V of
310     the federal Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations;
311          (i) personal data collected, processed, sold, or disclosed in accordance with the federal
312     Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.;
313          (j) personal data regulated by the federal Family Education Rights and Privacy Act, 20
314     U.S.C. Sec. 1232g, and related regulations;
315          (k) personal data collected, processed, sold, or disclosed in accordance with the federal
316     Farm Credit Act of 1971, 12 U.S.C. Sec. 2001 et seq.;
317          (l) data maintained for employment records purposes;
318          (m) an individual's processing of personal data for purely personal or household
319     purposes; or
320          (n) an air carrier.
321          (3) A controller is in compliance with any obligation to obtain parental consent under
322     this chapter if the controller complies with the verifiable parental consent mechanisms under
323     the Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and its implementing
324     regulations.
325          Section 5. Section 13-58-202 is enacted to read:
326          13-58-202. Consumer rights -- Access -- Correction -- Deletion -- Portability -- Opt
327     out of certain processing.
328          (1) A consumer has the right to:
329          (a) confirm whether a controller is processing personal data concerning the consumer;
330     and
331          (b) obtain information regarding the categories of personal data concerning the
332     consumer the controller has collected.
333          (2) A consumer has the right to correct inaccurate personal data concerning the
334     consumer, taking into account the nature of the personal data and the purposes of the
335     processing of the personal data.
336          (3) A consumer has the right to delete the consumer's personal data that the consumer
337     provided to the controller.

338          (4) A consumer has the right to obtain a copy of the consumer's personal data, that the
339     consumer previously provided to the controller, in a format that:
340          (a) is portable;
341          (b) to the extent practicable, is readily-usable; and
342          (c) allows the consumer to transmit the data to another controller without impediment,
343     where the processing is carried out by automated means.
344          (5) A consumer has the right to opt out of the processing of the consumer's personal
345     data for purposes of:
346          (a) targeted advertising;
347          (b) the sale of personal data; or
348          (c) profiling in furtherance of decisions regarding:
349          (i) enrollment in an educational institution;
350          (ii) criminal justice;
351          (iii) employment opportunities;
352          (iv) health care services; or
353          (v) access to basic necessities.
354          Section 6. Section 13-58-203 is enacted to read:
355          13-58-203. Exercising consumer rights.
356          (1) A consumer may exercise a right by submitting a request to a controller specifying
357     the right the consumer intends to exercise.
358          (2) In the case of processing personal data concerning a known child, the parent or
359     legal guardian of the known child shall exercise a right on the child's behalf.
360          (3) In the case of processing personal data concerning a consumer subject to
361     guardianship, conservatorship, or other protective arrangement under Title 75, Chapter 5,
362     Protection of Persons Under Disability and Their Property, the guardian or the conservator of
363     the consumer shall exercise a right on the consumer's behalf.
364          Section 7. Section 13-58-204 is enacted to read:
365          13-58-204. Controller's response to requests.
366          (1) A controller shall comply with a consumer's request to exercise a right.
367          (2) (a) A controller shall provide one or more secure and reliable means for a consumer
368     to submit a request to exercise a right, including an email address to which a consumer may

369     submit a request.
370          (b) In providing the means described in Subsection (2)(a), a controller shall consider:
371          (i) the ways in which consumers interact with the controller; and
372          (ii) the need for secure and reliable communication of the requests.
373          (c) A controller may not require a consumer to create a new account to exercise a right.
374          (d) A controller may require a consumer to use an existing account to exercise a right.
375          (3) (a) Within 45 days after the day on which a controller receives a request to exercise
376     a right, the controller shall:
377          (i) take action on the consumer's request; and
378          (ii) inform the consumer of any action taken on the consumer's request under Section
379     13-58-203.
380          (b) The controller may extend once the initial 45-day period by an additional 45 days if
381     reasonably necessary due to the complexity of the request or the volume of the requests
382     received by the controller.
383          (c) If a controller extends the initial 45-day period, before the initial 45-day period
384     expires, the controller shall:
385          (i) inform the consumer of the extension, including the length of the extension; and
386          (ii) provide the reasons the extension is reasonably necessary as described in
387     Subsection (3)(b).
388          (d) If a controller chooses not to take action on a consumer's request, the controller
389     shall:
390          (i) within 45 days after the day on which the controller receives the request, inform the
391     consumer of the reasons for not taking action; and
392          (ii) provide instructions for how to appeal the controller's decision in accordance with
393     Section 13-58-205.
394          (e) A controller may not charge a fee for information in response to a request, unless
395     the request is the consumer's second or subsequent request during the same 12-month period.
396          (f) Notwithstanding Subsection (3)(e), if a request is duplicative, the controller may:
397          (i) charge a reasonable fee to cover the administrative costs of complying with the
398     request; or
399          (ii) refuse to act on the request.

400          (g) The controller bears the burden of demonstrating the duplicative nature of a
401     request.
402          (h) If a controller is unable to authenticate a request to exercise a right described in
403     Section 13-58-202 using commercially reasonable efforts, the controller:
404          (i) is not required to comply with the request; and
405          (ii) may request that the consumer provide additional information reasonably necessary
406     to authenticate the request.
407          Section 8. Section 13-58-205 is enacted to read:
408          13-58-205. Consumer appeal process.
409          (1) A controller shall establish an internal process that allows a consumer to appeal the
410     controller's failure to comply with Section 13-58-204.
411          (2) The controller shall ensure that the appeal process described in Subsection (1) is:
412          (a) conspicuously available; and
413          (b) equally easy to use as the process for submitting a request under Section 13-58-203.
414          (3) (a) Within 60 days after the day on which a controller receives an appeal, the
415     controller shall:
416          (i) inform the consumer of any action taken in response to the appeal; and
417          (ii) provide a written explanation of the reasons in support of the controller's action or
418     inaction.
419          (b) The controller may extend once the initial 60-day period by an additional 60 days if
420     reasonably necessary due to the complexity of the request or number of the requests serving as
421     the basis for the appeal.
422          (c) If a controller extends the initial 60-day period, before the initial 60-day period
423     expires, the controller shall:
424          (i) inform the consumer of the extension, including the length of the extension; and
425          (ii) provide the reasons the extension is reasonably necessary as described in
426     Subsection (3)(b).
427          (4) When informing a consumer of any action taken or not taken by the controller in
428     response to an appeal, the controller shall:
429          (a) inform the consumer of the consumer's right to appeal the decision to the division;
430     and

431          (b) upon request, provide to the consumer the controller's written explanation of the
432     reasons in support of the controller's action.
433          Section 9. Section 13-58-301 is enacted to read:
Part 3. Requirements for Controllers and Processors

435          13-58-301. Responsibility according to role.
436          (1) A processor shall:
437          (a) adhere to the controller's instructions; and
438          (b) assist the controller to meet the controller's obligations under this chapter by
439     providing information to the controller that is necessary to enable the controller to conduct and
440     document any data protection assessments required under Section 13-58-304.
441          (2) A processor shall:
442          (a) taking into account the context in which the personal data are to be processed,
443     implement and maintain reasonable security procedures and practices to protect personal data;
444          (b) ensure that each person processing personal data is subject to a duty of
445     confidentiality with respect to the personal data; and
446          (c) engage a subcontractor only pursuant to a written contract that requires the
447     subcontractor to meet the same obligations as the processor with respect to the personal data.
448          (3) Determining whether a person is acting as a controller or processor with respect to
449     a specific processing of data is a fact-based determination that depends upon the context in
450     which personal data are to be processed.
451          Section 10. Section 13-58-302 is enacted to read:
452          13-58-302. Responsibilities of controllers -- Transparency -- Purpose specification
453     and data minimization -- Consent for secondary use -- Security -- Nondiscrimination --
454     Nonretaliation -- Nonwaiver of consumer rights.
455          (1) (a) A controller shall provide consumers with a reasonably accessible and clear
456     privacy notice that includes:
457          (i) the categories of personal data processed by the controller;
458          (ii) the purposes for which the categories of personal data are processed;
459          (iii) how and where consumers may exercise a right, including how a consumer may
460     appeal a controller's action with regard to the consumer's request to exercise a right;
461          (iv) the categories of personal data that the controller shares with third parties, if any;

462     and
463          (v) the categories of third parties, if any, with whom the controller shares personal data.
464          (b) If a controller sells personal data to one or more third parties or processes personal
465     data for targeted advertising, the controller shall clearly and conspicuously disclose to the
466     consumer the manner in which the consumer may exercise the right to opt out of the:
467          (i) sale of the consumer's personal data; or
468          (ii) processing for targeted advertising.
469          (2) A controller may not collect personal data, unless:
470          (a) the collection is:
471          (i) relevant to the purposes for which the controller is processing the personal data; and
472          (ii) as disclosed to the consumer, limited to the personal data reasonably necessary to
473     achieve the purposes for which the controller is processing the personal data; or
474          (b) the controller obtains the consumer's consent.
475          (3) (a) A controller shall establish, implement, and maintain reasonable administrative,
476     technical, and physical data security practices designed to:
477          (i) protect the confidentiality and integrity of personal data; and
478          (ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing
479     of personal data.
480          (b) Considering the controller's business size, scope, and type, a controller shall use
481     data security practices that are appropriate for the volume and nature of the personal data at
482     issue.
483          (4) Except as otherwise provided in this chapter, a controller may not process sensitive
484     data concerning a consumer without obtaining:
485          (a) the consumer's consent; or
486          (b) in the case of the processing of personal data concerning a known child, the consent
487     of the child's parent or lawful guardian in accordance with the federal Children's Online
488     Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq.
489          (5) (a) A controller may not discriminate against a consumer for exercising a right by:
490          (i) denying a good or service to the consumer;
491          (ii) charging the consumer a different price or rate for a good or service; or
492          (iii) providing the consumer a different level of quality of a good or service.

493          (b) This Subsection (5) does not prohibit a controller from offering a different price,
494     rate, level, quality, or selection of goods or services to a consumer, including offering goods or
495     services for no fee or at a discount, as part of the consumer's voluntary participation in a bona
496     fide loyalty, rewards, premium features, discounts, or club card program.
497          (6) Any provision of a contract that purports to waive or limit a consumer's right under
498     this chapter is void.
499          Section 11. Section 13-58-303 is enacted to read:
500          13-58-303. Processing deidentified data or pseudonymous data.
501          (1) The provisions of this chapter do not require a controller or processor to:
502          (a) reidentify deidentified data;
503          (b) comply with an authenticated consumer request to exercise a right described in
504     Subsections 13-58-202(1) through (4), if:
505          (i) (A) the controller is not reasonably capable of associating the request with the
506     personal data; or
507          (B) it would be unreasonably burdensome for the controller to associate the request
508     with the personal data;
509          (ii) the controller does not:
510          (A) use the personal data to recognize or respond to the consumer who is the subject of
511     the personal data; or
512          (B) associate the personal data with other personal data about the consumer; or
513          (iii) the controller does not sell or otherwise disclose the personal data to any third
514     party other than a processor, except as otherwise permitted in this section; or
515          (c) maintain data in identifiable form, or collect, retain, or access any data or
516     technology, in order to be capable of associating an authenticated consumer request with
517     personal data.
518          (2) The rights described in Subsections 13-58-202(1) through (4) do not apply to
519     pseudonymous data if a controller keeps information necessary to identify a consumer:
520          (a) separate from the pseudonymous data; and
521          (b) subject to effective technical and organizational controls that prevent the controller
522     from accessing the information.
523          (3) A controller who uses pseudonymous data or deidentified data shall take reasonable

524     steps to ensure the controller:
525          (a) complies with any contractual obligations to which the pseudonymous data or
526     deidentified data are subject; and
527          (b) promptly addresses any breach of a contractual obligation described in Subsection
528     (3)(a).
529          Section 12. Section 13-58-304 is enacted to read:
530          13-58-304. Data protection assessments.
531          (1) A controller shall conduct and document an annual data protection assessment of
532     the following processing activities involving personal data:
533          (a) the processing of personal data for purposes of targeted advertising;
534          (b) the sale of personal data;
535          (c) the processing of personal data for purposes of profiling, if the profiling presents a
536     reasonably foreseeable risk to consumers of:
537          (i) unfair or deceptive treatment;
538          (ii) disparate impact; or
539          (iii) financial, physical, or reputational injury;
540          (d) the processing of sensitive data; and
541          (e) any processing activities involving personal data that present a heightened risk of
542     harm or substantial injury to a consumer.
543          (2) A controller shall consider in the controller's data protection assessment:
544          (a) the benefits that may flow, directly or indirectly, from the processing of personal
545     data to the controller, the consumer, stakeholders, and the public;
546          (b) potential security risks to a consumer's personal data, as mitigated by safeguards
547     that can be employed by the controller;
548          (c) the use of deidentified data;
549          (d) the reasonable expectations of consumers;
550          (e) the context of the processing; and
551          (f) the relationship between the controller and the consumer whose personal data will
552     be processed.
553          (3) (a) The division or attorney general may request, in writing, that a controller
554     disclose any data protection assessment that is relevant to an investigation conducted by the

555     division or attorney general.
556          (b) A controller shall make a data protection assessment available to the division or
557     attorney general upon request.
558          (c) A data protection assessment is confidential and is a protected record for purposes
559     of Title 63G, Chapter 2, Government Records Access and Management Act.
560          (d) The disclosure of a data protection assessment in accordance with a request from
561     the division or attorney general under this subsection does not constitute a waiver of the
562     attorney-client privilege or work product protection with respect to the assessment or any
563     information contained in the assessment.
564          (4) A controller shall retain the controller's data protection assessments for at least
565     three years.
566          Section 13. Section 13-58-305 is enacted to read:
567          13-58-305. Limitations.
568          (1) The requirements described in this chapter do not restrict a controller or processor's
569     ability to:
570          (a) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
571     summons by a federal, state, local, or other governmental entity;
572          (b) cooperate with a law enforcement agency concerning activity that the controller or
573     processor reasonably and in good faith believes may violate federal, state, or local laws, rules,
574     or regulations;
575          (c) investigate, establish, exercise, prepare for, or defend a legal claim;
576          (d) provide a product or service requested by a consumer;
577          (e) perform a contract to which the consumer is a party, or take steps at the request of
578     the consumer before entering into a contract with the consumer;
579          (f) take immediate steps to protect an interest that is essential for the life or physical
580     safety of the consumer or of another individual;
581          (g) (i) detect, prevent, or respond to a security incident, identity theft, fraud,
582     harassment, malicious or deceptive activity, or any illegal activity; and
583          (ii) investigate, report, or prosecute a person responsible for an action described in
584     Subsection (1)(g)(i);
585          (h) preserve the integrity or security of systems, books, and records;

586          (i) if the controller discloses the processing in a notice described in Section 13-58-302,
587     engage in public or peer-reviewed scientific, historical, or statistical research in the public
588     interest that adheres to all other applicable ethics and privacy laws;
589          (j) assist another person with an obligation described in this subsection; or
590          (k) process personal data to:
591          (i) conduct internal analytics or other research solely to develop, improve, or repair a
592     controller or processor's product, service, or technology;
593          (ii) identify and repair technical errors that impair existing or intended functionality; or
594          (iii) perform a solely internal operation that is:
595          (A) reasonably aligned with the consumer's expectations based on the consumer's
596     existing relationship with the controller; or
597          (B) otherwise compatible with processing to aid the controller or processor in
598     providing a product or service specifically requested by a consumer or the performance of a
599     contract to which the consumer is a party.
600          (2) This chapter does not apply if a controller or processor's compliance with this
601     chapter:
602          (a) violates an evidentiary privilege under Utah law;
603          (b) as part of a privileged communication, prevents a controller or processor from
604     providing personal data concerning a consumer to a person covered by an evidentiary privilege
605     under Utah law; or
606          (c) adversely affect the rights of any person.
607          (3) A controller or processor is not in violation of this chapter if:
608          (a) the controller or processor discloses personal data to a third party controller or
609     processor in compliance with this chapter;
610          (b) the third party processes the personal data in violation of this chapter; and
611          (c) the disclosing controller or processor did not have actual knowledge of the third
612     party's intent to commit a violation of this chapter.
613          (4) If a controller processes personal data under an exemption described in Subsection
614     (1), the controller bears the burden of demonstrating that the processing qualifies for the
615     exemption.
616          Section 14. Section 13-58-306 is enacted to read:

617          13-58-306. No private cause of action.
618          There is no private cause of action against a controller or processor for a violation of
619     this chapter.
620          Section 15. Section 13-58-401 is enacted to read:
Part 4. Enforcement

622          13-58-401. Investigative powers of division.
623          (1) The division shall establish and administer a system to receive consumer
624     complaints regarding a controller or processor's alleged violation of this chapter.
625          (2) (a) The division may investigate a consumer complaint to determine whether the
626     controller or processor violated, is violating, or is about to violate this chapter.
627          (b) If the director has reasonable cause to believe that substantial evidence exists that a
628     person identified in a consumer complaint is in violation of this chapter, the director shall refer
629     the matter to the attorney general.
630          (c) Upon request, the division shall provide consultation and assistance to the attorney
631     general in enforcing this chapter.
632          Section 16. Section 13-58-402 is enacted to read:
633          13-58-402. Enforcement powers of the attorney general.
634          (1) Except as otherwise provided in this chapter, the attorney general has the exclusive
635     authority to enforce this chapter.
636          (2) Upon referral from the division, the attorney general may initiate an enforcement
637     action against a controller or processor for a violation of this chapter.
638          (3) (a) At least 30 days before the day on which the attorney general initiates an
639     enforcement action against a controller or processor, the attorney general shall provide the
640     controller or processor:
641          (i) written notice identifying each provision of this chapter the attorney general alleges
642     the controller or processor has violated or is violating; and
643          (ii) an explanation of the basis for each allegation.
644          (b) The attorney general may not initiate an action if the controller or processor:
645          (i) cures the noticed violation within 30 days after the day on which the controller or
646     processor receives the written notice described in Subsection (3)(a); and
647          (ii) provides the attorney general an express written statement that:

648          (A) the violation has been cured; and
649          (B) no further violation will occur.
650          (c) The attorney general may initiate an action against a controller or processor who:
651          (i) fails to cure a violation after receiving the notice described in Subsection (3)(a); or
652          (ii) after curing a noticed violation and providing a written statement in accordance
653     with Subsection (3)(b), continues to violate this chapter.
654          (d) In an action described in Subsection (3)(c), the attorney general may recover:
655          (i) actual damages to the consumer; and
656          (ii) for each violation of this chapter, an amount not to exceed $1,000 per consumer
657     affected by the violation.
658          (4) All money received from an action under this chapter shall be deposited into the
659     Consumer Privacy Account established in Section 13-58-403.
660          (5) If more than one controller or processor are involved in the same processing in
661     violation of this chapter, the liability for the violation shall be allocated among the controllers
662     or processors according to the principles of comparative fault.
663          Section 17. Section 13-58-403 is enacted to read:
664          13-58-403. Consumer privacy restricted account.
665          (1) There is created a restricted account known as the "Consumer Privacy Account."
666          (2) The account shall be funded by money received through civil enforcement actions
667     under this chapter.
668          (3) Upon appropriation, the division or the attorney general may use money deposited
669     into the account for:
670          (a) investigation and administrative costs incurred by the division in investigating
671     consumer complaints alleging violations of this chapter;
672          (b) recovery of costs and attorney fees accrued by the attorney general in enforcing this
673     chapter; and
674          (c) providing consumer and business education regarding:
675          (i) consumer rights under this chapter; and
676          (ii) compliance with the provisions of this chapter for controllers and processors.
677          (4) If the balance in the fund exceeds $4,000,000 at the close of any fiscal year, the
678     Division of Finance shall transfer the amount that exceeds $4,000,000 into the General Fund.

679          Section 18. Section 13-58-404 is enacted to read:
680          13-58-404. Attorney general report.
681          (1) The attorney general and the division shall compile a report:
682          (a) evaluating the liability and enforcement provisions of this chapter, including:
683          (i) the effectiveness of the attorney general's and the division's efforts to enforce this
684     chapter; and
685          (ii) any recommendations for changes to this chapter; and
686          (b) summarizing the data protected and not protected by this chapter including, with
687     reasonable detail:
688          (i) a list of the types of information that are publicly available from local, state, and
689     federal government sources; and
690          (ii) an inventory of information to which this chapter does not apply by virtue of a
691     limitation in Section 13-58-305.
692          (2) The attorney general and the division may update the report as new information
693     becomes available.
694          (3) The attorney general and the division shall submit the report to the Business and
695     Labor Interim Committee before July 1, 2023.
696          Section 19. Section 13-59-101 is enacted to read:

Part 1. General Provisions

699          13-59-101. Title.
700          This chapter is known as the "Utah Commercial Email Act."
701          Section 20. Section 13-59-102 is enacted to read:
702          13-59-102. Definitions.
703          As used in this chapter:
704          (1) "Advertiser" means a person who advertises the person's product, service, or
705     website through the use of commercial email.
706          (2) (a) "Commercial email" means an email used primarily to:
707          (i) advertise or promote a commercial website, product, or service; or
708          (ii) solicit money, property, or personal information.
709          (b) "Commercial email" does not include email sent for the purpose of marketing

710     research.
711          (3) "Domain name" means any alphanumeric designation that is registered with or
712     assigned by any domain name registrar, domain name registry, or other domain name
713     registration authority as part of an electronic address on the Internet.
714          (4) "Electronic mail service provider" means a company or a service that provides
715     routing, relaying, handling, storage, or support for email addresses and email inboxes.
716          (5) "Header information" means information attached to an email, including:
717          (a) the originating domain name;
718          (b) the originating email address;
719          (c) the destination;
720          (d) the routing information; and
721          (e) any other information that appears in the header line identifying, or purporting to
722     identify, a person initiating the message.
723          (6) "Initiate" means an act of:
724          (a) originating, transmitting, or sending commercial email; or
725          (b) promising, paying, or providing other consideration for another person to originate,
726     transmit, or send a commercial email.
727          (7) (a) "Initiator" means a person who:
728          (i) originates, transmits, or sends commercial email; or
729          (ii) promises, pays, or provides other consideration for another person to originate,
730     transmit, or send commercial email.
731          (b) "Initiator" does not include a person whose activities are a routine conveyance.
732          (8) (a) "Marketing research" means the collection, use, maintenance, or transfer of
733     personal information to investigate the market for the purpose of marketing a product, service,
734     or idea.
735          (b) "Marketing research" does not include:
736          (i) the collection, use, maintenance, or transfer of personal information that is
737     integrated into a product or service; or
738          (ii) the use of personal information to:
739          (A) contact a particular individual or a particular device; or
740          (B) advertise or market to a particular individual or a particular device.

741          (9) "Preexisting or current business relationship" means a situation where the recipient
742     has:
743          (a) made an inquiry and provided an email address; or
744          (b) made an application, a purchase, or a transaction, with or without consideration,
745     related to a product or a service offered by the advertiser.
746          (10) "Recipient" means an addressee of an unsolicited email.
747          (11) "Routine conveyance" means the transmission, routing, relaying, handling, or
748     storing, through an automatic technical process, of an electronic mail message for which
749     another person has identified the recipients or provided the recipients' addresses.
750          (12) "Unsolicited commercial email" means a commercial email sent by an advertiser
751     to a recipient that:
752          (a) has not provided direct consent to the advertiser to receive the commercial email;
753     and
754          (b) does not have a preexisting or current relationship with the advertiser.
755          (13) "Utah email address" means an email address that is:
756          (a) provided by an electronic mail service provider that sends bills for providing and
757     maintaining that email address to a mailing address in this state;
758          (b) ordinarily accessed from a computer located in this state; or
759          (c) provided to an individual who is currently a resident of this state.
760          Section 21. Section 13-59-201 is enacted to read:
Part 2. Restrictions on Commercial Email

762          13-59-201. Prohibited uses of email.
763          An advertiser or an initiator may not knowingly initiate or advertise in a commercial
764     email sent from this state or sent to a Utah email address if:
765          (1) the commercial email contains or is accompanied by a third party's domain name
766     without the permission of the third party;
767          (2) the commercial email contains or is accompanied by false, misrepresented, or
768     forged header information, even if the commercial email contains truthful identifying
769     information for the advertiser in the body of the email; or
770          (3) the commercial email has a subject line that is likely to mislead a recipient, acting
771     reasonably under the circumstances, about a material fact regarding the identity of the

772     advertiser, the contents, or the subject matter of the commercial email.
773          Section 22. Section 13-59-202 is enacted to read:
774          13-59-202. Cause of action.
775          (1) (a) The following persons may bring a claim against an advertiser or initiator who
776     violates Section 13-59-201:
777          (i) the attorney general;
778          (ii) an electronic mail service provider;
779          (iii) a recipient of an unsolicited commercial email; or
780          (iv) a person whose brand, trademark, email address, or domain name an advertiser or
781     initiator uses, without authorization, in the header information.
782          (b) (i) There is a rebuttable presumption that a commercial email that violates Section
783     13-59-201 is an unsolicited commercial email.
784          (ii) The burden of proving that a commercial email is not an unsolicited commercial
785     email is on the defendant.
786          (2) (a) A person described in Subsections (1)(a)(i) through (iii) may recover:
787          (i) actual damages; and
788          (ii) except as provided in Subsection (2)(c), liquidated damages of $1,000 for each
789     unsolicited commercial email transmitted in violation of Section 13-59-201.
790          (b) If an addressee of an unsolicited commercial email has more than one email address
791     to which an advertiser or an initiator sends an unsolicited commercial email, the addressee is
792     considered a separate recipient for each email address to which the advertiser or the initiator
793     sends the unsolicited commercial email.
794          (c) If a court finds that an advertiser or an initiator used due diligence to establish and
795     implement practices and procedures to effectively prevent unsolicited commercial emails in
796     violation of this chapter, the court shall reduce the liquidated damages to $100 for each
797     unsolicited commercial email transmitted in violation of Section 13-59-201.
798          (3) A person described in Subsection (1)(a)(i) or (iv) may recover:
799          (a) actual damages; and
800          (b) liquidated damages in an amount equal to the lesser of:
801          (i) $1,000 for each commercial email transmitted in violation of this chapter that uses,
802     without authorization, a person's brand, trademark, email address, or domain name in the

803     header information; and
804          (ii) $2,000,000.
805          (4) The prevailing party in an action brought under this section may recover reasonable
806     attorney fees and costs.
807          (5) (a) Defendants in an action under this section are jointly and severally liable.
808          (b) There is no cause of action under this section against an electronic mail service
809     provider who is involved only in the routine transmission or conveyance of commercial email
810     over the email service provider's computer network.
811          Section 23. Section 63G-2-305 is amended to read:
812          63G-2-305. Protected records.
813          The following records are protected if properly classified by a governmental entity:
814          (1) trade secrets as defined in Section 13-24-2 if the person submitting the trade secret
815     has provided the governmental entity with the information specified in Section 63G-2-309;
816          (2) commercial information or nonindividual financial information obtained from a
817     person if:
818          (a) disclosure of the information could reasonably be expected to result in unfair
819     competitive injury to the person submitting the information or would impair the ability of the
820     governmental entity to obtain necessary information in the future;
821          (b) the person submitting the information has a greater interest in prohibiting access
822     than the public in obtaining access; and
823          (c) the person submitting the information has provided the governmental entity with
824     the information specified in Section 63G-2-309;
825          (3) commercial or financial information acquired or prepared by a governmental entity
826     to the extent that disclosure would lead to financial speculations in currencies, securities, or
827     commodities that will interfere with a planned transaction by the governmental entity or cause
828     substantial financial injury to the governmental entity or state economy;
829          (4) records, the disclosure of which could cause commercial injury to, or confer a
830     competitive advantage upon a potential or actual competitor of, a commercial project entity as
831     defined in Subsection 11-13-103(4);
832          (5) test questions and answers to be used in future license, certification, registration,
833     employment, or academic examinations;

834          (6) records, the disclosure of which would impair governmental procurement
835     proceedings or give an unfair advantage to any person proposing to enter into a contract or
836     agreement with a governmental entity, except, subject to Subsections (1) and (2), that this
837     Subsection (6) does not restrict the right of a person to have access to, after the contract or
838     grant has been awarded and signed by all parties:
839          (a) a bid, proposal, application, or other information submitted to or by a governmental
840     entity in response to:
841          (i) an invitation for bids;
842          (ii) a request for proposals;
843          (iii) a request for quotes;
844          (iv) a grant; or
845          (v) other similar document; or
846          (b) an unsolicited proposal, as defined in Section 63G-6a-712;
847          (7) information submitted to or by a governmental entity in response to a request for
848     information, except, subject to Subsections (1) and (2), that this Subsection (7) does not restrict
849     the right of a person to have access to the information, after:
850          (a) a contract directly relating to the subject of the request for information has been
851     awarded and signed by all parties; or
852          (b) (i) a final determination is made not to enter into a contract that relates to the
853     subject of the request for information; and
854          (ii) at least two years have passed after the day on which the request for information is
855     issued;
856          (8) records that would identify real property or the appraisal or estimated value of real
857     or personal property, including intellectual property, under consideration for public acquisition
858     before any rights to the property are acquired unless:
859          (a) public interest in obtaining access to the information is greater than or equal to the
860     governmental entity's need to acquire the property on the best terms possible;
861          (b) the information has already been disclosed to persons not employed by or under a
862     duty of confidentiality to the entity;
863          (c) in the case of records that would identify property, potential sellers of the described
864     property have already learned of the governmental entity's plans to acquire the property;

865          (d) in the case of records that would identify the appraisal or estimated value of
866     property, the potential sellers have already learned of the governmental entity's estimated value
867     of the property; or
868          (e) the property under consideration for public acquisition is a single family residence
869     and the governmental entity seeking to acquire the property has initiated negotiations to acquire
870     the property as required under Section 78B-6-505;
871          (9) records prepared in contemplation of sale, exchange, lease, rental, or other
872     compensated transaction of real or personal property including intellectual property, which, if
873     disclosed prior to completion of the transaction, would reveal the appraisal or estimated value
874     of the subject property, unless:
875          (a) the public interest in access is greater than or equal to the interests in restricting
876     access, including the governmental entity's interest in maximizing the financial benefit of the
877     transaction; or
878          (b) when prepared by or on behalf of a governmental entity, appraisals or estimates of
879     the value of the subject property have already been disclosed to persons not employed by or
880     under a duty of confidentiality to the entity;
881          (10) records created or maintained for civil, criminal, or administrative enforcement
882     purposes or audit purposes, or for discipline, licensing, certification, or registration purposes, if
883     release of the records:
884          (a) reasonably could be expected to interfere with investigations undertaken for
885     enforcement, discipline, licensing, certification, or registration purposes;
886          (b) reasonably could be expected to interfere with audits, disciplinary, or enforcement
887     proceedings;
888          (c) would create a danger of depriving a person of a right to a fair trial or impartial
889     hearing;
890          (d) reasonably could be expected to disclose the identity of a source who is not
891     generally known outside of government and, in the case of a record compiled in the course of
892     an investigation, disclose information furnished by a source not generally known outside of
893     government if disclosure would compromise the source; or
894          (e) reasonably could be expected to disclose investigative or audit techniques,
895     procedures, policies, or orders not generally known outside of government if disclosure would

896     interfere with enforcement or audit efforts;
897          (11) records the disclosure of which would jeopardize the life or safety of an
898     individual;
899          (12) records the disclosure of which would jeopardize the security of governmental
900     property, governmental programs, or governmental recordkeeping systems from damage, theft,
901     or other appropriation or use contrary to law or public policy;
902          (13) records that, if disclosed, would jeopardize the security or safety of a correctional
903     facility, or records relating to incarceration, treatment, probation, or parole, that would interfere
904     with the control and supervision of an offender's incarceration, treatment, probation, or parole;
905          (14) records that, if disclosed, would reveal recommendations made to the Board of
906     Pardons and Parole by an employee of or contractor for the Department of Corrections, the
907     Board of Pardons and Parole, or the Department of Human Services that are based on the
908     employee's or contractor's supervision, diagnosis, or treatment of any person within the board's
909     jurisdiction;
910          (15) records and audit workpapers that identify audit, collection, and operational
911     procedures and methods used by the State Tax Commission, if disclosure would interfere with
912     audits or collections;
913          (16) records of a governmental audit agency relating to an ongoing or planned audit
914     until the final audit is released;
915          (17) records that are subject to the attorney client privilege;
916          (18) records prepared for or by an attorney, consultant, surety, indemnitor, insurer,
917     employee, or agent of a governmental entity for, or in anticipation of, litigation or a judicial,
918     quasi-judicial, or administrative proceeding;
919          (19) (a) (i) personal files of a state legislator, including personal correspondence to or
920     from a member of the Legislature; and
921          (ii) notwithstanding Subsection (19)(a)(i), correspondence that gives notice of
922     legislative action or policy may not be classified as protected under this section; and
923          (b) (i) an internal communication that is part of the deliberative process in connection
924     with the preparation of legislation between:
925          (A) members of a legislative body;
926          (B) a member of a legislative body and a member of the legislative body's staff; or

927          (C) members of a legislative body's staff; and
928          (ii) notwithstanding Subsection (19)(b)(i), a communication that gives notice of
929     legislative action or policy may not be classified as protected under this section;
930          (20) (a) records in the custody or control of the Office of Legislative Research and
931     General Counsel, that, if disclosed, would reveal a particular legislator's contemplated
932     legislation or contemplated course of action before the legislator has elected to support the
933     legislation or course of action, or made the legislation or course of action public; and
934          (b) notwithstanding Subsection (20)(a), the form to request legislation submitted to the
935     Office of Legislative Research and General Counsel is a public document unless a legislator
936     asks that the records requesting the legislation be maintained as protected records until such
937     time as the legislator elects to make the legislation or course of action public;
938          (21) research requests from legislators to the Office of Legislative Research and
939     General Counsel or the Office of the Legislative Fiscal Analyst and research findings prepared
940     in response to these requests;
941          (22) drafts, unless otherwise classified as public;
942          (23) records concerning a governmental entity's strategy about:
943          (a) collective bargaining; or
944          (b) imminent or pending litigation;
945          (24) records of investigations of loss occurrences and analyses of loss occurrences that
946     may be covered by the Risk Management Fund, the Employers' Reinsurance Fund, the
947     Uninsured Employers' Fund, or similar divisions in other governmental entities;
948          (25) records, other than personnel evaluations, that contain a personal recommendation
949     concerning an individual if disclosure would constitute a clearly unwarranted invasion of
950     personal privacy, or disclosure is not in the public interest;
951          (26) records that reveal the location of historic, prehistoric, paleontological, or
952     biological resources that if known would jeopardize the security of those resources or of
953     valuable historic, scientific, educational, or cultural information;
954          (27) records of independent state agencies if the disclosure of the records would
955     conflict with the fiduciary obligations of the agency;
956          (28) records of an institution within the state system of higher education defined in
957     Section 53B-1-102 regarding tenure evaluations, appointments, applications for admissions,

958     retention decisions, and promotions, which could be properly discussed in a meeting closed in
959     accordance with Title 52, Chapter 4, Open and Public Meetings Act, provided that records of
960     the final decisions about tenure, appointments, retention, promotions, or those students
961     admitted, may not be classified as protected under this section;
962          (29) records of the governor's office, including budget recommendations, legislative
963     proposals, and policy statements, that if disclosed would reveal the governor's contemplated
964     policies or contemplated courses of action before the governor has implemented or rejected
965     those policies or courses of action or made them public;
966          (30) records of the Office of the Legislative Fiscal Analyst relating to budget analysis,
967     revenue estimates, and fiscal notes of proposed legislation before issuance of the final
968     recommendations in these areas;
969          (31) records provided by the United States or by a government entity outside the state
970     that are given to the governmental entity with a requirement that they be managed as protected
971     records if the providing entity certifies that the record would not be subject to public disclosure
972     if retained by it;
973          (32) transcripts, minutes, recordings, or reports of the closed portion of a meeting of a
974     public body except as provided in Section 52-4-206;
975          (33) records that would reveal the contents of settlement negotiations but not including
976     final settlements or empirical data to the extent that they are not otherwise exempt from
977     disclosure;
978          (34) memoranda prepared by staff and used in the decision-making process by an
979     administrative law judge, a member of the Board of Pardons and Parole, or a member of any
980     other body charged by law with performing a quasi-judicial function;
981          (35) records that would reveal negotiations regarding assistance or incentives offered
982     by or requested from a governmental entity for the purpose of encouraging a person to expand
983     or locate a business in Utah, but only if disclosure would result in actual economic harm to the
984     person or place the governmental entity at a competitive disadvantage, but this section may not
985     be used to restrict access to a record evidencing a final contract;
986          (36) materials to which access must be limited for purposes of securing or maintaining
987     the governmental entity's proprietary protection of intellectual property rights including patents,
988     copyrights, and trade secrets;

989          (37) the name of a donor or a prospective donor to a governmental entity, including an
990     institution within the state system of higher education defined in Section 53B-1-102, and other
991     information concerning the donation that could reasonably be expected to reveal the identity of
992     the donor, provided that:
993          (a) the donor requests anonymity in writing;
994          (b) any terms, conditions, restrictions, or privileges relating to the donation may not be
995     classified protected by the governmental entity under this Subsection (37); and
996          (c) except for an institution within the state system of higher education defined in
997     Section 53B-1-102, the governmental unit to which the donation is made is primarily engaged
998     in educational, charitable, or artistic endeavors, and has no regulatory or legislative authority
999     over the donor, a member of the donor's immediate family, or any entity owned or controlled
1000     by the donor or the donor's immediate family;
1001          (38) accident reports, except as provided in Sections 41-6a-404, 41-12a-202, and
1002     73-18-13;
1003          (39) a notification of workers' compensation insurance coverage described in Section
1004     34A-2-205;
1005          (40) (a) the following records of an institution within the state system of higher
1006     education defined in Section 53B-1-102, which have been developed, discovered, disclosed to,
1007     or received by or on behalf of faculty, staff, employees, or students of the institution:
1008          (i) unpublished lecture notes;
1009          (ii) unpublished notes, data, and information:
1010          (A) relating to research; and
1011          (B) of:
1012          (I) the institution within the state system of higher education defined in Section
1013     53B-1-102; or
1014          (II) a sponsor of sponsored research;
1015          (iii) unpublished manuscripts;
1016          (iv) creative works in process;
1017          (v) scholarly correspondence; and
1018          (vi) confidential information contained in research proposals;
1019          (b) Subsection (40)(a) may not be construed to prohibit disclosure of public

1020     information required pursuant to Subsection 53B-16-302(2)(a) or (b); and
1021          (c) Subsection (40)(a) may not be construed to affect the ownership of a record;
1022          (41) (a) records in the custody or control of the Office of Legislative Auditor General
1023     that would reveal the name of a particular legislator who requests a legislative audit prior to the
1024     date that audit is completed and made public; and
1025          (b) notwithstanding Subsection (41)(a), a request for a legislative audit submitted to the
1026     Office of the Legislative Auditor General is a public document unless the legislator asks that
1027     the records in the custody or control of the Office of Legislative Auditor General that would
1028     reveal the name of a particular legislator who requests a legislative audit be maintained as
1029     protected records until the audit is completed and made public;
1030          (42) records that provide detail as to the location of an explosive, including a map or
1031     other document that indicates the location of:
1032          (a) a production facility; or
1033          (b) a magazine;
1034          (43) information:
1035          (a) contained in the statewide database of the Division of Aging and Adult Services
1036     created by Section 62A-3-311.1; or
1037          (b) received or maintained in relation to the Identity Theft Reporting Information
1038     System (IRIS) established under Section 67-5-22;
1039          (44) information contained in the Management Information System and Licensing
1040     Information System described in Title 62A, Chapter 4a, Child and Family Services;
1041          (45) information regarding National Guard operations or activities in support of the
1042     National Guard's federal mission;
1043          (46) records provided by any pawn or secondhand business to a law enforcement
1044     agency or to the central database in compliance with Title 13, Chapter 32a, Pawnshop and
1045     Secondhand Merchandise Transaction Information Act;
1046          (47) information regarding food security, risk, and vulnerability assessments performed
1047     by the Department of Agriculture and Food;
1048          (48) except to the extent that the record is exempt from this chapter pursuant to Section
1049     63G-2-106, records related to an emergency plan or program, a copy of which is provided to or
1050     prepared or maintained by the Division of Emergency Management, and the disclosure of

1051     which would jeopardize:
1052          (a) the safety of the general public; or
1053          (b) the security of:
1054          (i) governmental property;
1055          (ii) governmental programs; or
1056          (iii) the property of a private person who provides the Division of Emergency
1057     Management information;
1058          (49) records of the Department of Agriculture and Food that provides for the
1059     identification, tracing, or control of livestock diseases, including any program established under
1060     Title 4, Chapter 24, Utah Livestock Brand and Anti-Theft Act, or Title 4, Chapter 31, Control
1061     of Animal Disease;
1062          (50) as provided in Section 26-39-501:
1063          (a) information or records held by the Department of Health related to a complaint
1064     regarding a child care program or residential child care which the department is unable to
1065     substantiate; and
1066          (b) information or records related to a complaint received by the Department of Health
1067     from an anonymous complainant regarding a child care program or residential child care;
1068          (51) unless otherwise classified as public under Section 63G-2-301 and except as
1069     provided under Section 41-1a-116, an individual's home address, home telephone number, or
1070     personal mobile phone number, if:
1071          (a) the individual is required to provide the information in order to comply with a law,
1072     ordinance, rule, or order of a government entity; and
1073          (b) the subject of the record has a reasonable expectation that this information will be
1074     kept confidential due to:
1075          (i) the nature of the law, ordinance, rule, or order; and
1076          (ii) the individual complying with the law, ordinance, rule, or order;
1077          (52) the portion of the following documents that contains a candidate's residential or
1078     mailing address, if the candidate provides to the filing officer another address or phone number
1079     where the candidate may be contacted:
1080          (a) a declaration of candidacy, a nomination petition, or a certificate of nomination,
1081     described in Section 20A-9-201, 20A-9-202, 20A-9-203, 20A-9-404, 20A-9-405, 20A-9-408,

1082     20A-9-408.5, 20A-9-502, or 20A-9-601;
1083          (b) an affidavit of impecuniosity, described in Section 20A-9-201; or
1084          (c) a notice of intent to gather signatures for candidacy, described in Section
1085     20A-9-408;
1086          (53) the name, home address, work addresses, and telephone numbers of an individual
1087     that is engaged in, or that provides goods or services for, medical or scientific research that is:
1088          (a) conducted within the state system of higher education, as defined in Section
1089     53B-1-102; and
1090          (b) conducted using animals;
1091          (54) in accordance with Section 78A-12-203, any record of the Judicial Performance
1092     Evaluation Commission concerning an individual commissioner's vote on whether or not to
1093     recommend that the voters retain a judge including information disclosed under Subsection
1094     78A-12-203(5)(e);
1095          (55) information collected and a report prepared by the Judicial Performance
1096     Evaluation Commission concerning a judge, unless Section 20A-7-702 or Title 78A, Chapter
1097     12, Judicial Performance Evaluation Commission Act, requires disclosure of, or makes public,
1098     the information or report;
1099          (56) records contained in the Management Information System created in Section
1100     62A-4a-1003;
1101          (57) records provided or received by the Public Lands Policy Coordinating Office in
1102     furtherance of any contract or other agreement made in accordance with Section 63J-4-603;
1103          (58) information requested by and provided to the 911 Division under Section
1104     63H-7a-302;
1105          (59) in accordance with Section 73-10-33:
1106          (a) a management plan for a water conveyance facility in the possession of the Division
1107     of Water Resources or the Board of Water Resources; or
1108          (b) an outline of an emergency response plan in possession of the state or a county or
1109     municipality;
1110          (60) the following records in the custody or control of the Office of Inspector General
1111     of Medicaid Services, created in Section 63A-13-201:
1112          (a) records that would disclose information relating to allegations of personal

1113     misconduct, gross mismanagement, or illegal activity of a person if the information or
1114     allegation cannot be corroborated by the Office of Inspector General of Medicaid Services
1115     through other documents or evidence, and the records relating to the allegation are not relied
1116     upon by the Office of Inspector General of Medicaid Services in preparing a final investigation
1117     report or final audit report;
1118          (b) records and audit workpapers to the extent they would disclose the identity of a
1119     person who, during the course of an investigation or audit, communicated the existence of any
1120     Medicaid fraud, waste, or abuse, or a violation or suspected violation of a law, rule, or
1121     regulation adopted under the laws of this state, a political subdivision of the state, or any
1122     recognized entity of the United States, if the information was disclosed on the condition that
1123     the identity of the person be protected;
1124          (c) before the time that an investigation or audit is completed and the final
1125     investigation or final audit report is released, records or drafts circulated to a person who is not
1126     an employee or head of a governmental entity for the person's response or information;
1127          (d) records that would disclose an outline or part of any investigation, audit survey
1128     plan, or audit program; or
1129          (e) requests for an investigation or audit, if disclosure would risk circumvention of an
1130     investigation or audit;
1131          (61) records that reveal methods used by the Office of Inspector General of Medicaid
1132     Services, the fraud unit, or the Department of Health, to discover Medicaid fraud, waste, or
1133     abuse;
1134          (62) information provided to the Department of Health or the Division of Occupational
1135     and Professional Licensing under Subsections 58-67-304(3) and (4) and Subsections
1136     58-68-304(3) and (4);
1137          (63) a record described in Section 63G-12-210;
1138          (64) captured plate data that is obtained through an automatic license plate reader
1139     system used by a governmental entity as authorized in Section 41-6a-2003;
1140          (65) any record in the custody of the Utah Office for Victims of Crime relating to a
1141     victim, including:
1142          (a) a victim's application or request for benefits;
1143          (b) a victim's receipt or denial of benefits; and

1144          (c) any administrative notes or records made or created for the purpose of, or used to,
1145     evaluate or communicate a victim's eligibility for or denial of benefits from the Crime Victim
1146     Reparations Fund;
1147          (66) an audio or video recording created by a body-worn camera, as that term is
1148     defined in Section 77-7a-103, that records sound or images inside a hospital or health care
1149     facility as those terms are defined in Section 78B-3-403, inside a clinic of a health care
1150     provider, as that term is defined in Section 78B-3-403, or inside a human service program as
1151     that term is defined in Section 62A-2-101, except for recordings that:
1152          (a) depict the commission of an alleged crime;
1153          (b) record any encounter between a law enforcement officer and a person that results in
1154     death or bodily injury, or includes an instance when an officer fires a weapon;
1155          (c) record any encounter that is the subject of a complaint or a legal proceeding against
1156     a law enforcement officer or law enforcement agency;
1157          (d) contain an officer involved critical incident as defined in Subsection
1158     76-2-408(1)(f); or
1159          (e) have been requested for reclassification as a public record by a subject or
1160     authorized agent of a subject featured in the recording;
1161          (67) a record pertaining to the search process for a president of an institution of higher
1162     education described in Section 53B-2-102, except for application materials for a publicly
1163     announced finalist;
1164          (68) an audio recording that is:
1165          (a) produced by an audio recording device that is used in conjunction with a device or
1166     piece of equipment designed or intended for resuscitating an individual or for treating an
1167     individual with a life-threatening condition;
1168          (b) produced during an emergency event when an individual employed to provide law
1169     enforcement, fire protection, paramedic, emergency medical, or other first responder service:
1170          (i) is responding to an individual needing resuscitation or with a life-threatening
1171     condition; and
1172          (ii) uses a device or piece of equipment designed or intended for resuscitating an
1173     individual or for treating an individual with a life-threatening condition; and
1174          (c) intended and used for purposes of training emergency responders how to improve

1175     their response to an emergency situation;
1176          (69) records submitted by or prepared in relation to an applicant seeking a
1177     recommendation by the Research and General Counsel Subcommittee, the Budget
1178     Subcommittee, or the Audit Subcommittee, established under Section 36-12-8, for an
1179     employment position with the Legislature;
1180          (70) work papers as defined in Section 31A-2-204;
1181          (71) a record made available to Adult Protective Services or a law enforcement agency
1182     under Section 61-1-206;
1183          (72) a record submitted to the Insurance Department in accordance with Section
1184     31A-37-201 or 31A-22-653;
1185          (73) a record described in Section 31A-37-503[.];
1186          (74) any record created by the Division of Occupational and Professional Licensing as
1187     a result of Subsection 58-37f-304(5) or 58-37f-702(2)(a)(ii);
1188          (75) a record described in Section 72-16-306 that relates to the reporting of an injury
1189     involving an amusement ride;
1190          (76) except as provided in Subsection 63G-2-305.5(1), the signature of an individual
1191     on a political petition, or on a request to withdraw a signature from a political petition,
1192     including a petition or request described in the following titles:
1193          (a) Title 10, Utah Municipal Code;
1194          (b) Title 17, Counties;
1195          (c) Title 17B, Limited Purpose Local Government Entities - Local Districts;
1196          (d) Title 17D, Limited Purpose Local Government Entities - Other Entities; and
1197          (e) Title 20A, Election Code;
1198          (77) except as provided in Subsection 63G-2-305.5(2), the signature of an individual in
1199     a voter registration record;
1200          (78) except as provided in Subsection 63G-2-305.5(3), any signature, other than a
1201     signature described in Subsection (76) or (77), in the custody of the lieutenant governor or a
1202     local political subdivision collected or held under, or in relation to, Title 20A, Election Code;
1203          (79) a Form I-918 Supplement B certification as described in Title 77, Chapter 38, Part
1204     5, Victims Guidelines for Prosecutors Act;
1205          (80) a record submitted to the Insurance Department under Subsection

1206     31A-47-103(1)(b); [and]
1207          (81) personal information, as defined in Section 63G-26-102, to the extent disclosure is
1208     prohibited under Section 63G-26-103[.]; and
1209          (82) data protection assessments submitted by a controller to the Division of Consumer
1210     Protection or attorney general under Section 13-58-304.
1211          Section 24. Effective date.
1212          This bill takes effect on January 1, 2022.