(1) This chapter applies to any controller or processor who:

lawyer at desk

Ask a business law question, get an answer ASAP!
Thousands of highly rated, verified business lawyers.
Click here to chat with a lawyer about your rights.

Terms Used In Utah Code 13-61-102

  • Affiliate: means an entity that:
         (2)(a) controls, is controlled by, or is under common control with another entity; or
         (2)(b) shares common branding with another entity. See Utah Code 13-61-101
  • Air carrier: means the same as that term is defined in Utah Code 13-61-101
  • Business associate: means the same as that term is defined in Utah Code 13-61-101
  • Consent: means an affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer. See Utah Code 13-61-101
  • Consumer: means an individual who is a resident of the state acting in an individual or household context. See Utah Code 13-61-101
  • Contract: A legal written agreement that becomes binding when signed.
  • Controller: means a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others. See Utah Code 13-61-101
  • Corporation: A legal entity owned by the holders of shares of stock that have been issued, and that can own, receive, and transfer property, and carry on business in its own name.
  • Covered entity: means the same as that term is defined in Utah Code 13-61-101
  • Fair Credit Reporting Act: A federal law, established in 1971 and revised in 1997, that gives consumers the right to see their credit records and correct any mistakes. Source: OCC
  • Governmental entity: means the same as that term is defined in Section 63G-2-103. See Utah Code 13-61-101
  • Health care facility: means the same as that term is defined in Section 26B-2-201. See Utah Code 13-61-101
  • Health care provider: means the same as that term is defined in Section 78B-3-403. See Utah Code 13-61-101
  • Institution of higher education: means a public or private institution of higher education. See Utah Code 13-61-101
  • Obligation: An order placed, contract awarded, service received, or similar transaction during a given period that will require payments during the same or a future period.
  • Person: means :
         (24)(a) an individual;
         (24)(b) an association;
         (24)(c) an institution;
         (24)(d) a corporation;
         (24)(e) a company;
         (24)(f) a trust;
         (24)(g) a limited liability company;
         (24)(h) a partnership;
         (24)(i) a political subdivision;
         (24)(j) a government office, department, division, bureau, or other body of government; and
         (24)(k) any other organization or entity. See Utah Code 68-3-12.5
  • Personal data: means information that is linked or reasonably linkable to an identified individual or an identifiable individual. See Utah Code 13-61-101
  • Processor: means a person who processes personal data on behalf of a controller. See Utah Code 13-61-101
  • Protected health information: means the same as that term is defined in Utah Code 13-61-101
  • sold: means the exchange of personal data for monetary consideration by a controller to a third party. See Utah Code 13-61-101
  • State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5
  • Third party: means a person other than:
         (36)(a) the consumer, controller, or processor; or
         (36)(b) an affiliate or contractor of the controller or the processor. See Utah Code 13-61-101
     (1)(a)

          (1)(a)(i) conducts business in the state; or
          (1)(a)(ii) produces a product or service that is targeted to consumers who are residents of the state;
     (1)(b) has annual revenue of $25,000,000 or more; and
     (1)(c) satisfies one or more of the following thresholds:

          (1)(c)(i) during a calendar year, controls or processes personal data of 100,000 or more consumers; or
          (1)(c)(ii) derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
(2) This chapter does not apply to:

     (2)(a) a governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity;
     (2)(b) a tribe;
     (2)(c) an institution of higher education;
     (2)(d) a nonprofit corporation;
     (2)(e) a covered entity;
     (2)(f) a business associate;
     (2)(g) information that meets the definition of:

          (2)(g)(i) protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., and related regulations;
          (2)(g)(ii) patient identifying information for purposes of 42 C.F.R. part 2;
          (2)(g)(iii) identifiable private information for purposes of the Federal Policy for the Protection of Human Subjects, 45 C.F.R. part 46;
          (2)(g)(iv) identifiable private information or personal data collected as part of human subjects research pursuant to or under the same standards as:

               (2)(g)(iv)(A) the good clinical practice guidelines issued by the International Council for Harmonisation; or
               (2)(g)(iv)(B) the Protection of Human Subjects under 21 C.F.R. part 50 and Institutional Review Boards under 21 C.F.R. part 56;
          (2)(g)(v) personal data used or shared in research conducted in accordance with one or more of the requirements described in Subsection (2)(g)(iv);
          (2)(g)(vi) information and documents created specifically for, and collected and maintained by, a committee but not a board or council listed in Section 26B-1-204;
          (2)(g)(vii) information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101 et seq., and related regulations;
          (2)(g)(viii) patient safety work product for purposes of 42 C.F.R. part 3; or
          (2)(g)(ix) information that is:

               (2)(g)(ix)(A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. part 164; and
               (2)(g)(ix)(B) derived from any of the health care-related information listed in this Subsection (2)(g);
     (2)(h) information originating from, and intermingled to be indistinguishable with, information under Subsection (2)(g) that is maintained by:

          (2)(h)(i) a health care facility or health care provider; or
          (2)(h)(ii) a program or a qualified service organization as defined in 42 C.F.R. § 2.11;
     (2)(i) information used only for public health activities and purposes as described in 45 C.F.R. § 164.512;
     (2)(j)

          (2)(j)(i) an activity by:

               (2)(j)(i)(A) a consumer reporting agency, as defined in 15 U.S.C. § 1681a;
               (2)(j)(i)(B) a furnisher of information, as set forth in 15 U.S.C. § 1681s-2, who provides information for use in a consumer report, as defined in 15 U.S.C. § 1681a; or
               (2)(j)(i)(C) a user of a consumer report, as set forth in 15 U.S.C. § 1681b;
          (2)(j)(ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and
          (2)(j)(iii) involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer’s:

               (2)(j)(iii)(A) credit worthiness;
               (2)(j)(iii)(B) credit standing;
               (2)(j)(iii)(C) credit capacity;
               (2)(j)(iii)(D) character;
               (2)(j)(iii)(E) general reputation;
               (2)(j)(iii)(F) personal characteristics; or
               (2)(j)(iii)(G) mode of living;
     (2)(k) a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and related regulations;
     (2)(l) personal data collected, processed, sold, or disclosed in accordance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq.;
     (2)(m) personal data regulated by the federal Family Education Rights and Privacy Act, 20 U.S.C. § 1232g, and related regulations;
     (2)(n) personal data collected, processed, sold, or disclosed in accordance with the federal Farm Credit Act of 1971, 12 U.S.C. § 2001 et seq.;
     (2)(o) data that are processed or maintained:

          (2)(o)(i) in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual’s role;
          (2)(o)(ii) as the emergency contact information of an individual described in Subsection (2)(o)(i) and used for emergency contact purposes; or
          (2)(o)(iii) to administer benefits for another individual relating to an individual described in Subsection (2)(o)(i) and used for the purpose of administering the benefits;
     (2)(p) an individual’s processing of personal data for purely personal or household purposes; or
     (2)(q) an air carrier.
(3) A controller is in compliance with any obligation to obtain parental consent under this chapter if the controller complies with the verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., and the act’s implementing regulations and exemptions.
(4) This chapter does not require a person to take any action in conflict with the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., or related regulations.

  Previous section
Next section  
 Part 1 Contents