1     ELECTRONIC INFORMATION PRIVACY AMENDMENTS
2     2024 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Andrew Stoddard
5     Senate Sponsor: ____________
6     
7     LONG TITLE
8     General Description:
9          This bill modifies provisions dealing with consumers' personal information.
10     Highlighted Provisions:
11          This bill:
12          ▸     defines terms;
13          ▸     broadens the applicability of the Consumer Privacy Act;
14          ▸     creates a private right of action for any damages resulting from a violation of the
15     Consumer Privacy Act;
16          ▸     modifies the private right of action under the Utah Social Media Regulation Act;
17     and
18          ▸     makes technical and conforming changes.
19     Money Appropriated in this Bill:
20          None
21     Other Special Clauses:
22          None
23     Utah Code Sections Affected:
24     AMENDS:
25          13-61-102, as enacted by Laws of Utah 2022, Chapter 462
26          13-61-402, as enacted by Laws of Utah 2022, Chapter 462
27          13-63-301, as enacted by Laws of Utah 2023, Chapter 498

28     REPEALS AND REENACTS:
29          13-61-305, as enacted by Laws of Utah 2022, Chapter 462
30     

31     Be it enacted by the Legislature of the state of Utah:
32          Section 1. Section 13-61-102 is amended to read:
33          13-61-102. Applicability.
34          (1) This chapter applies to any controller or processor who:
35          (a) (i) conducts business in the state; or
36          (ii) produces a product or service that is targeted to consumers who are residents of the
37     state; and
38          [(b) has annual revenue of $25,000,000 or more; and]
39          [(c)] (b) satisfies one or more of the following thresholds:
40          (i) during a calendar year, controls or processes personal data of 100,000 or more
41     consumers; [or]
42          (ii) derives over 50% of the entity's gross revenue from the sale of personal data and
43     controls or processes personal data of 25,000 or more consumers[.]; or
44          (iii) has annual revenue of $25,000,000 or more.
45          (2) This chapter does not apply to:
46          (a) a governmental entity or a third party under contract with a governmental entity
47     when the third party is acting on behalf of the governmental entity;
48          (b) a tribe;
49          (c) an institution of higher education;
50          (d) a nonprofit corporation;
51          (e) a covered entity;
52          (f) a business associate;
53          (g) information that meets the definition of:
54          (i) protected health information for purposes of the federal Health Insurance Portability
55     and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations;
56          (ii) patient identifying information for purposes of 42 C.F.R. Part 2;
57          (iii) identifiable private information for purposes of the Federal Policy for the
58     Protection of Human Subjects, 45 C.F.R. Part 46;
59          (iv) identifiable private information or personal data collected as part of human
60     subjects research pursuant to or under the same standards as:
61          (A) the good clinical practice guidelines issued by the International Council for
62     Harmonisation; or
63          (B) the Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review
64     Boards under 21 C.F.R. Part 56;
65          (v) personal data used or shared in research conducted in accordance with one or more
66     of the requirements described in Subsection (2)(g)(iv);
67          (vi) information and documents created specifically for, and collected and maintained
68     by, a committee listed in Section 26-1-7;
69          (vii) information and documents created for purposes of the federal Health Care
70     Quality Improvement Act of 1986, 42 U.S.C. Sec. 11101 et seq., and related regulations;
71          (viii) patient safety work product for purposes of 42 C.F.R. Part 3; or
72          (ix) information that is:
73          (A) deidentified in accordance with the requirements for deidentification set forth in 45
74     C.F.R. Part 164; and
75          (B) derived from any of the health care-related information listed in this Subsection
76     (2)(g);
77          (h) information originating from, and intermingled to be indistinguishable with,
78     information under Subsection (2)(g) that is maintained by:
79          (i) a health care facility or health care provider; or
80          (ii) a program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11;
81          (i) information used only for public health activities and purposes as described in 45
82     C.F.R. Sec. 164.512;
83          (j) (i) an activity by:
84          (A) a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a;
85          (B) a furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides
86     information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or
87          (C) a user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b;
88          (ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec.
89     1681 et seq.; and
90          (iii) involving the collection, maintenance, disclosure, sale, communication, or use of
91     any personal data bearing on a consumer's:
92          (A) credit worthiness;
93          (B) credit standing;
94          (C) credit capacity;
95          (D) character;
96          (E) general reputation;
97          (F) personal characteristics; or
98          (G) mode of living;
99          (k) a financial institution or an affiliate of a financial institution governed by, or
100     personal data collected, processed, sold, or disclosed in accordance with, Title V of the
101     Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations;
102          (l) personal data collected, processed, sold, or disclosed in accordance with the federal
103     Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.;
104          (m) personal data regulated by the federal Family Education Rights and Privacy Act,
105     20 U.S.C. Sec. 1232g, and related regulations;
106          (n) personal data collected, processed, sold, or disclosed in accordance with the federal
107     Farm Credit Act of 1971, 12 U.S.C. Sec. 2001 et seq.;
108          (o) data that are processed or maintained:
109          (i) in the course of an individual applying to, being employed by, or acting as an agent
110     or independent contractor of a controller, processor, or third party, to the extent the collection
111     and use of the data are related to the individual's role;
112          (ii) as the emergency contact information of an individual described in Subsection
113     (2)(o)(i) and used for emergency contact purposes; or
114          (iii) to administer benefits for another individual relating to an individual described in
115     Subsection (2)(o)(i) and used for the purpose of administering the benefits;
116          (p) an individual's processing of personal data for purely personal or household
117     purposes; or
118          (q) an air carrier.
119          (3) A controller is in compliance with any obligation to obtain parental consent under
120     this chapter if the controller complies with the verifiable parental consent mechanisms under
121     the Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and the act's
122     implementing regulations and exemptions.
123          (4) This chapter does not require a person to take any action in conflict with the federal
124     Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., or
125     related regulations.
126          Section 2. Section 13-61-305 is repealed and reenacted to read:
127          13-61-305. Private right of action.
128          (1) A person who is injured by a violation of this chapter may bring an action, in
129     accordance with Section 78B-3-307, against any person whose actions:
130          (a) violated this chapter; and
131          (b) resulted in damages to the injured person.
132          (2) If a court finds that a person has violated a provision of this chapter, the person who
133     brings an action under this section is entitled to:
134          (a) an award of reasonable attorney fees and court costs; and
135          (b) an amount equal to the greater of:
136          (i) $2,500 per each incident of violation; or
137          (ii) actual damages for financial, physical, and emotional harm incurred by the person
138     bringing the action, if the court determines that the harm is a direct consequence of the
139     violation or violations.
140          Section 3. Section 13-61-402 is amended to read:
141          13-61-402. Enforcement powers of the attorney general.
142          (1) [The] Except for a private right of action under Section 13-61-305, the attorney
143     general has the exclusive authority to enforce this chapter.
144          (2) Upon referral from the division, the attorney general may initiate an enforcement
145     action against a controller or processor for a violation of this chapter.
146          (3) (a) At least 30 days before the day on which the attorney general initiates an
147     enforcement action against a controller or processor, the attorney general shall provide the
148     controller or processor:
149          (i) written notice identifying each provision of this chapter the attorney general alleges
150     the controller or processor has violated or is violating; and
151          (ii) an explanation of the basis for each allegation.
152          (b) The attorney general may not initiate an action if the controller or processor:
153          (i) cures the noticed violation within 30 days after the day on which the controller or
154     processor receives the written notice described in Subsection (3)(a); and
155          (ii) provides the attorney general an express written statement that:
156          (A) the violation has been cured; and
157          (B) no further violation of the cured violation will occur.
158          (c) The attorney general may initiate an action against a controller or processor who:
159          (i) fails to cure a violation after receiving the notice described in Subsection (3)(a); or
160          (ii) after curing a noticed violation and providing a written statement in accordance
161     with Subsection (3)(b), continues to violate this chapter.
162          (d) In an action described in Subsection (3)(c), the attorney general may recover:
163          (i) actual damages to the consumer; and
164          (ii) for each violation described in Subsection (3)(c), an amount not to exceed $7,500.
165          (4) All money received from an action under this chapter shall be deposited into the
166     Consumer Privacy Account established in Section 13-61-403.
167          (5) If more than one controller or processor are involved in the same processing in
168     violation of this chapter, the liability for the violation shall be allocated among the controllers
169     or processors according to the principles of comparative fault.
170          Section 4. Section 13-63-301 is amended to read:
171          13-63-301. Private right of action.
172          [(1) Beginning March 1, 2024, a person may bring an action against a person that does
173     not comply with a requirement of Part 1, General Requirements.]
174          [(2)] (1) [A suit filed under the authority of this section shall be filed in the district
175     court for the district in which a person bringing the action resides.] A person who is injured by
176     a violation of this chapter may bring an action, in accordance with Section 78B-3-307, against
177     a social media company whose actions:
178          (a) violated Part 1, General Requirements; and
179          (b) resulted in damages to the injured person.
180          [(3)] (2) If a court finds that a [person] social media company has violated a provision
181     of Part 1, General Requirements, the person who brings an action under this section is entitled
182     to:
183          (a) an award of reasonable attorney fees and court costs; and
184          (b) an amount equal to the greater of:
185          (i) $2,500 per each incident of violation; or
186          (ii) actual damages for financial, physical, and emotional harm incurred by the person
187     bringing the action, if the court determines that the harm is a direct consequence of the
188     violation or violations.
189          Section 5. Effective date.
190          This bill takes effect on May 1, 2024.