1     
FAMILY PLANNING DATA PRIVACY AMENDMENTS

2     
2023 GENERAL SESSION

3     
STATE OF UTAH

4     
Chief Sponsor: Kirk A. Cullimore

5     
House Sponsor: ____________

6     

7     LONG TITLE
8     General Description:
9          This bill amends and enacts provisions related to reproductive health data.
10     Highlighted Provisions:
11          This bill:
12          ▸     amends the Utah Consumer Privacy Act (act) to make reproductive health data
13     subject to the provisions of the act;
14          ▸     enacts provisions prohibiting government entities from, in the course of an
15     investigation into a potential violation of or prosecution of state law, seeking or
16     using reproductive health data, except with the consent of the consumer;
17          ▸     defines terms; and
18          ▸     makes technical and conforming changes.
19     Money Appropriated in this Bill:
20          None
21     Other Special Clauses:
22          This bill provides a special effective date.
23     Utah Code Sections Affected:
24     AMENDS:
25          13-61-101 (Effective 12/31/23), as enacted by Laws of Utah 2022, Chapter 462
26          13-61-102 (Effective 12/31/23), as enacted by Laws of Utah 2022, Chapter 462
27     ENACTS:

28          13-61-306, Utah Code Annotated 1953
29     

30     Be it enacted by the Legislature of the state of Utah:
31          Section 1. Section 13-61-101 (Effective 12/31/23) is amended to read:
32          13-61-101 (Effective 12/31/23). Definitions.
33          As used in this chapter:
34          (1) "Account" means the Consumer Privacy Restricted Account established in Section
35     13-61-403.
36          (2) "Affiliate" means an entity that:
37          (a) controls, is controlled by, or is under common control with another entity; or
38          (b) shares common branding with another entity.
39          (3) "Aggregated data" means information that relates to a group or category of
40     consumers:
41          (a) from which individual consumer identities have been removed; and
42          (b) that is not linked or reasonably linkable to any consumer.
43          (4) "Air carrier" means the same as that term is defined in 49 U.S.C. Sec. 40102.
44          (5) "Authenticate" means to use reasonable means to determine that a consumer's
45     request to exercise the rights described in Section 13-61-201 is made by the consumer who is
46     entitled to exercise those rights.
47          (6) (a) "Biometric data" means data generated by automatic measurements of an
48     individual's unique biological characteristics.
49          (b) "Biometric data" includes data described in Subsection (6)(a) that are generated by
50     automatic measurements of an individual's fingerprint, voiceprint, eye retinas, irises, or any
51     other unique biological pattern or characteristic that is used to identify a specific individual.
52          (c) "Biometric data" does not include:
53          (i) a physical or digital photograph;
54          (ii) a video or audio recording;
55          (iii) data generated from an item described in Subsection (6)(c)(i) or (ii);
56          (iv) information captured from a patient in a health care setting; or
57          (v) information collected, used, or stored for treatment, payment, or health care
58     operations as those terms are defined in 45 C.F.R. Parts 160, 162, and 164.

59          (7) "Business associate" means the same as that term is defined in 45 C.F.R. Sec.
60     160.103.
61          (8) "Child" means an individual younger than 13 years old.
62          (9) "Consent" means an affirmative act by a consumer that unambiguously indicates
63     the consumer's voluntary and informed agreement to allow a person to process personal data
64     related to the consumer.
65          (10) (a) "Consumer" means an individual who is a resident of the state acting in an
66     individual or household context.
67          (b) "Consumer" does not include an individual acting in an employment or commercial
68     context.
69          (11) "Control" or "controlled" as used in Subsection (2) means:
70          (a) ownership of, or the power to vote, more than 50% of the outstanding shares of any
71     class of voting securities of an entity;
72          (b) control in any manner over the election of a majority of the directors or of the
73     individuals exercising similar functions; or
74          (c) the power to exercise controlling influence of the management of an entity.
75          (12) "Controller" means a person doing business in the state who determines the
76     purposes for which and the means by which personal data are processed, regardless of whether
77     the person makes the determination alone or with others.
78          (13) "Covered entity" means the same as that term is defined in 45 C.F.R. Sec.
79     160.103.
80          (14) "Deidentified data" means data that:
81          (a) cannot reasonably be linked to an identified individual or an identifiable individual;
82     and
83          (b) are possessed by a controller who:
84          (i) takes reasonable measures to ensure that a person cannot associate the data with an
85     individual;
86          (ii) publicly commits to maintain and use the data only in deidentified form and not
87     attempt to reidentify the data; and
88          (iii) contractually obligates any recipients of the data to comply with the requirements
89     described in Subsections (14)(b)(i) and (ii).

90          (15) "Director" means the director of the Division of Consumer Protection.
91          (16) "Division" means the Division of Consumer Protection created in Section 13-2-1.
92          (17) "Governmental entity" means the same as that term is defined in Section
93     63G-2-103.
94          (18) "Health care facility" means the same as that term is defined in Section 26-21-2.
95          (19) "Health care provider" means the same as that term is defined in Section [26-21-2]
96     78B-3-403.
97          (20) "Identifiable individual" means an individual who can be readily identified,
98     directly or indirectly.
99          (21) "Institution of higher education" means a public or private institution of higher
100     education.
101          (22) "Local political subdivision" means the same as that term is defined in Section
102     11-14-102.
103          (23) "Nonprofit corporation" means:
104          (a) the same as that term is defined in Section 16-6a-102; or
105          (b) a foreign nonprofit corporation as defined in Section 16-6a-102.
106          (24) (a) "Personal data" means information that is linked or reasonably linkable to an
107     identified individual or an identifiable individual.
108          (b) "Personal data" does not include deidentified data, aggregated data, or publicly
109     available information.
110          (25) "Process" means an operation or set of operations performed on personal data,
111     including collection, use, storage, disclosure, analysis, deletion, or modification of personal
112     data.
113          (26) "Processor" means a person who processes personal data on behalf of a controller.
114          (27) "Protected health information" means the same as that term is defined in 45 C.F.R.
115     Sec. 160.103.
116          (28) "Pseudonymous data" means personal data that cannot be attributed to a specific
117     individual without the use of additional information, if the additional information is:
118          (a) kept separate from the consumer's personal data; and
119          (b) subject to appropriate technical and organizational measures to ensure that the
120     personal data are not attributable to an identified individual or an identifiable individual.

121          (29) "Publicly available information" means information that a person:
122          (a) lawfully obtains from a record of a governmental entity;
123          (b) reasonably believes a consumer or widely distributed media has lawfully made
124     available to the general public; or
125          (c) if the consumer has not restricted the information to a specific audience, obtains
126     from a person to whom the consumer disclosed the information.
127          (30) "Reproductive health data" means personal data derived from an individual's
128     online interaction with an Internet website or application that relates to the individual's past,
129     present, or future reproductive health or sexual health, including:
130          (a) efforts to research or obtain reproductive health or sexual health information,
131     services, or supplies, including location information that may indicate the individual's attempt
132     to receive the information, services, or supplies;
133          (b) reproductive health or sexual health conditions, status, diseases, or diagnoses,
134     including:
135          (i) pregnancy;
136          (ii) menstruation;
137          (iii) ovulation;
138          (iv) ability to conceive a pregnancy;
139          (v) whether the individual is sexually active; or
140          (vi) whether the individual is engaging in unprotected sex;
141          (c) reproductive health related and sexual health related surgeries or procedures,
142     including termination of a pregnancy;
143          (d) use or purchase of contraceptives, birth control, or any medication related to
144     reproductive health, including abortifacients;
145          (e) bodily functions, vital signs, measurements, or symptoms related to menstruation or
146     pregnancy, including:
147          (i) basal temperature;
148          (ii) cramps;
149          (iii) bodily discharge; or
150          (iv) hormone levels;
151          (f) information about diagnoses or diagnostic testing, treatment, or medications related

152     to anything described in Subsections (30)(a) through (e);
153          (g) information about the use of a product or service related to anything described in
154     Subsections (30)(a) through (e); and
155          (h) information described in Subsections (30)(a) through (g) that is derived or
156     extrapolated from non-health information.
157          [(30)] (31) "Right" means a consumer right described in Section 13-61-201.
158          [(31)] (32) (a) "Sale," "sell," or "sold" means the exchange of personal data for
159     monetary consideration by a controller to a third party.
160          (b) "Sale," "sell," or "sold" does not include:
161          (i) a controller's disclosure of personal data to a processor who processes the personal
162     data on behalf of the controller;
163          (ii) a controller's disclosure of personal data to an affiliate of the controller;
164          (iii) considering the context in which the consumer provided the personal data to the
165     controller, a controller's disclosure of personal data to a third party if the purpose is consistent
166     with a consumer's reasonable expectations;
167          (iv) the disclosure or transfer of personal data when a consumer directs a controller to:
168          (A) disclose the personal data; or
169          (B) interact with one or more third parties;
170          (v) a consumer's disclosure of personal data to a third party for the purpose of
171     providing a product or service requested by the consumer or a parent or legal guardian of a
172     child;
173          (vi) the disclosure of information that the consumer:
174          (A) intentionally makes available to the general public via a channel of mass media;
175     and
176          (B) does not restrict to a specific audience; or
177          (vii) a controller's transfer of personal data to a third party as an asset that is part of a
178     proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes
179     control of all or part of the controller's assets.
180          [(32)] (33) (a) "Sensitive data" means:
181          (i) personal data that reveals:
182          (A) an individual's racial or ethnic origin;

183          (B) an individual's religious beliefs;
184          (C) an individual's sexual orientation;
185          (D) an individual's citizenship or immigration status; or
186          (E) information regarding an individual's medical history, mental or physical health
187     condition, or medical treatment or diagnosis by a health care professional;
188          (ii) the processing of genetic personal data or biometric data, if the processing is for the
189     purpose of identifying a specific individual; [or]
190          (iii) specific geolocation data.
191          (b) "Sensitive data" includes reproductive health data.
192          [(b)] (c) "Sensitive data" does not include personal data that reveals an individual's:
193          (i) racial or ethnic origin, if the personal data are processed by a video communication
194     service; or
195          (ii) if the personal data are processed by a person licensed to provide health care under
196     Title 26, Chapter 21, Health Care Facility Licensing and Inspection Act, or Title 58,
197     Occupations and Professions, information regarding an individual's medical history, mental or
198     physical health condition, or medical treatment or diagnosis by a health care professional.
199          [(33)] (34) (a) "Specific geolocation data" means information derived from technology,
200     including global position system level latitude and longitude coordinates, that directly
201     identifies an individual's specific location, accurate within a radius of 1,750 feet or less.
202          (b) "Specific geolocation data" does not include:
203          (i) the content of a communication; or
204          (ii) any data generated by or connected to advanced utility metering infrastructure
205     systems or equipment for use by a utility.
206          [(34)] (35) (a) "Targeted advertising" means displaying an advertisement to a consumer
207     where the advertisement is selected based on personal data obtained from the consumer's
208     activities over time and across nonaffiliated websites or online applications to predict the
209     consumer's preferences or interests.
210          (b) "Targeted advertising" does not include advertising:
211          (i) based on a consumer's activities within a controller's website or online application
212     or any affiliated website or online application;
213          (ii) based on the context of a consumer's current search query or visit to a website or

214     online application;
215          (iii) directed to a consumer in response to the consumer's request for information,
216     product, a service, or feedback; or
217          (iv) processing personal data solely to measure or report advertising:
218          (A) performance;
219          (B) reach; or
220          (C) frequency.
221          [(35)] (36) "Third party" means a person other than:
222          (a) the consumer, controller, or processor; or
223          (b) an affiliate or contractor of the controller or the processor.
224          [(36)] (37) "Trade secret" means information, including a formula, pattern,
225     compilation, program, device, method, technique, or process, that:
226          (a) derives independent economic value, actual or potential, from not being generally
227     known to, and not being readily ascertainable by proper means by, other persons who can
228     obtain economic value from the information's disclosure or use; and
229          (b) is the subject of efforts that are reasonable under the circumstances to maintain the
230     information's secrecy.
231          Section 2. Section 13-61-102 (Effective 12/31/23) is amended to read:
232          13-61-102 (Effective 12/31/23). Applicability.
233          (1) This chapter applies to any controller or processor who:
234          (a) (i) conducts business in the state; or
235          (ii) produces a product or service that is targeted to consumers who are residents of the
236     state;
237          (b) has annual revenue of $25,000,000 or more; and
238          (c) satisfies one or more of the following thresholds:
239          (i) during a calendar year, controls or processes personal data of 100,000 or more
240     consumers; or
241          (ii) derives over 50% of the entity's gross revenue from the sale of personal data and
242     controls or processes personal data of 25,000 or more consumers.
243          (2) This chapter does not apply to:
244          (a) except as provided in Section 13-61-306, a governmental entity or a third party

245     under contract with a governmental entity when the third party is acting on behalf of the
246     governmental entity;
247          (b) a tribe;
248          (c) an institution of higher education;
249          (d) a nonprofit corporation;
250          (e) a covered entity;
251          (f) a business associate;
252          (g) information that meets the definition of:
253          (i) protected health information for purposes of the federal Health Insurance Portability
254     and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations;
255          (ii) patient identifying information for purposes of 42 C.F.R. Part 2;
256          (iii) identifiable private information for purposes of the Federal Policy for the
257     Protection of Human Subjects, 45 C.F.R. Part 46;
258          (iv) identifiable private information or personal data collected as part of human
259     subjects research pursuant to or under the same standards as:
260          (A) the good clinical practice guidelines issued by the International Council for
261     Harmonisation; or
262          (B) the Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review
263     Boards under 21 C.F.R. Part 56;
264          (v) personal data used or shared in research conducted in accordance with one or more
265     of the requirements described in Subsection (2)(g)(iv);
266          [(vi) information and documents created specifically for, and collected and maintained
267     by, a committee listed in Section 26-1-7;]
268          [(vii)] (vi) information and documents created for purposes of the federal Health Care
269     Quality Improvement Act of 1986, 42 U.S.C. Sec. 11101 et seq., and related regulations;
270          [(viii)] (vii) patient safety work product for purposes of 42 C.F.R. Part 3; or
271          [(ix)] (viii) information that is:
272          (A) deidentified in accordance with the requirements for deidentification set forth in 45
273     C.F.R. Part 164; and
274          (B) derived from any of the health care-related information listed in this Subsection
275     (2)(g);

276          (h) information originating from, and intermingled to be indistinguishable with,
277     information under Subsection (2)(g) that is maintained by:
278          (i) a health care facility or health care provider; or
279          (ii) a program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11;
280          (i) information used only for public health activities and purposes as described in 45
281     C.F.R. Sec. 164.512;
282          (j) (i) an activity by:
283          (A) a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a;
284          (B) a furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides
285     information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or
286          (C) a user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b;
287          (ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec.
288     1681 et seq.; and
289          (iii) involving the collection, maintenance, disclosure, sale, communication, or use of
290     any personal data bearing on a consumer's:
291          (A) credit worthiness;
292          (B) credit standing;
293          (C) credit capacity;
294          (D) character;
295          (E) general reputation;
296          (F) personal characteristics; or
297          (G) mode of living;
298          (k) a financial institution or an affiliate of a financial institution governed by, or
299     personal data collected, processed, sold, or disclosed in accordance with, Title V of the
300     Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations;
301          (l) personal data collected, processed, sold, or disclosed in accordance with the federal
302     Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.;
303          (m) personal data regulated by the federal Family Education Rights and Privacy Act,
304     20 U.S.C. Sec. 1232g, and related regulations;
305          (n) personal data collected, processed, sold, or disclosed in accordance with the federal
306     Farm Credit Act of 1971, 12 U.S.C. Sec. 2001 et seq.;

307          (o) data that are processed or maintained:
308          (i) in the course of an individual applying to, being employed by, or acting as an agent
309     or independent contractor of a controller, processor, or third party, to the extent the collection
310     and use of the data are related to the individual's role;
311          (ii) as the emergency contact information of an individual described in Subsection
312     (2)(o)(i) and used for emergency contact purposes; or
313          (iii) to administer benefits for another individual relating to an individual described in
314     Subsection (2)(o)(i) and used for the purpose of administering the benefits;
315          (p) an individual's processing of personal data for purely personal or household
316     purposes; or
317          (q) an air carrier.
318          (3) A controller is in compliance with any obligation to obtain parental consent under
319     this chapter if the controller complies with the verifiable parental consent mechanisms under
320     the Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and the act's
321     implementing regulations and exemptions.
322          (4) This chapter does not require a person to take any action in conflict with the federal
323     Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., or
324     related regulations.
325          Section 3. Section 13-61-306 is enacted to read:
326     
Part 3. Requirements Relating to Personal Data

327          13-61-306. Reproductive health data restrictions.
328          Notwithstanding any provision of law to the contrary, in the course of an investigation
329     into a potential violation of or prosecution of state law, a governmental entity may not:
330          (1) request a search warrant that seeks to obtain reproductive health data;
331          (2) issue a subpoena that seeks to obtain reproductive health data; or
332          (3) without the consent of the consumer:
333          (a) request that an Internet website or application release the consumer's reproductive
334     health data; or
335          (b) use the consumer's reproductive health data for any purpose in connection with the
336     investigation or prosecution.
337          Section 4. Effective date.

338          This bill takes effect on December 31, 2023.