(1) Subject to the other provisions of this chapter, a controller shall comply with a consumer’s request under Section 13-61-202 to exercise a right.

Terms Used In Utah Code 13-61-203

  • Authenticate: means to use reasonable means to determine that a consumer's request to exercise the rights described in Section 13-61-201 is made by the consumer who is entitled to exercise those rights. See Utah Code 13-61-101
  • Consumer: means an individual who is a resident of the state acting in an individual or household context. See Utah Code 13-61-101
  • Controller: means a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others. See Utah Code 13-61-101
  • Right: means a consumer right described in Section 13-61-201. See Utah Code 13-61-101
(2)

     (2)(a) Within 45 days after the day on which a controller receives a request to exercise a right, the controller shall:

          (2)(a)(i) take action on the consumer’s request; and
          (2)(a)(ii) inform the consumer of any action taken on the consumer’s request.
     (2)(b) The controller may extend once the initial 45-day period by an additional 45 days if reasonably necessary due to the complexity of the request or the volume of the requests received by the controller.
     (2)(c) If a controller extends the initial 45-day period, before the initial 45-day period expires, the controller shall:

          (2)(c)(i) inform the consumer of the extension, including the length of the extension; and
          (2)(c)(ii) provide the reasons the extension is reasonably necessary as described in Subsection (2)(b).
     (2)(d) The 45-day period does not apply if the controller reasonably suspects the consumer’s request is fraudulent and the controller is not able to authenticate the request before the 45-day period expires.
(3) If, in accordance with this section, a controller chooses not to take action on a consumer’s request, the controller shall within 45 days after the day on which the controller receives the request, inform the consumer of the reasons for not taking action.
(4)

     (4)(a) A controller may not charge a fee for information in response to a request, unless the request is the consumer’s second or subsequent request during the same 12-month period.
     (4)(b)

          (4)(b)(i) Notwithstanding Subsection (4)(a), a controller may charge a reasonable fee to cover the administrative costs of complying with a request or refuse to act on a request, if:

               (4)(b)(i)(A) the request is excessive, repetitive, technically infeasible, or manifestly unfounded;
               (4)(b)(i)(B) the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or
               (4)(b)(i)(C) the request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller’s business.
          (4)(b)(ii) A controller that charges a fee or refuses to act in accordance with this Subsection (4)(b) bears the burden of demonstrating the request satisfied one or more of the criteria described in Subsection (4)(b)(i).
(5) If a controller is unable to authenticate a consumer request to exercise a right described in Section 13-61-201 using commercially reasonable efforts, the controller:

     (5)(a) is not required to comply with the request; and
     (5)(b) may request that the consumer provide additional information reasonably necessary to authenticate the request.