(1)

Terms Used In Utah Code 13-61-302

  • Child: means an individual younger than 13 years old. See Utah Code 13-61-101
  • Consumer: means an individual who is a resident of the state acting in an individual or household context. See Utah Code 13-61-101
  • Contract: A legal written agreement that becomes binding when signed.
  • Controller: means a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others. See Utah Code 13-61-101
  • Personal data: means information that is linked or reasonably linkable to an identified individual or an identifiable individual. See Utah Code 13-61-101
  • Process: means an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data. See Utah Code 13-61-101
  • Right: means a consumer right described in Section 13-61-201. See Utah Code 13-61-101
  • Sensitive data: means:
              (32)(a)(i) personal data that reveals:
                   (32)(a)(i)(A) an individual's racial or ethnic origin;
                   (32)(a)(i)(B) an individual's religious beliefs;
                   (32)(a)(i)(C) an individual's sexual orientation;
                   (32)(a)(i)(D) an individual's citizenship or immigration status; or
                   (32)(a)(i)(E) information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional;
              (32)(a)(ii) the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or
              (32)(a)(iii) specific geolocation data. See Utah Code 13-61-101
  • Targeted advertising: means displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. See Utah Code 13-61-101
     (1)(a) A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes:

          (1)(a)(i) the categories of personal data processed by the controller;
          (1)(a)(ii) the purposes for which the categories of personal data are processed;
          (1)(a)(iii) how consumers may exercise a right;
          (1)(a)(iv) the categories of personal data that the controller shares with third parties, if any; and
          (1)(a)(v) the categories of third parties, if any, with whom the controller shares personal data.
     (1)(b) If a controller sells a consumer’s personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the:

          (1)(b)(i) sale of the consumer’s personal data; or
          (1)(b)(ii) processing for targeted advertising.
(2)

     (2)(a) A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to:

          (2)(a)(i) protect the confidentiality and integrity of personal data; and
          (2)(a)(ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.
     (2)(b) Considering the controller’s business size, scope, and type, a controller shall use data security practices that are appropriate for the volume and nature of the personal data at issue.
(3) Except as otherwise provided in this chapter, a controller may not process sensitive data collected from a consumer without:

     (3)(a) first presenting the consumer with clear notice and an opportunity to opt out of the processing; or
     (3)(b) in the case of the processing of personal data concerning a known child, processing the data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., and the act’s implementing regulations and exemptions.
(4)

     (4)(a) A controller may not discriminate against a consumer for exercising a right by:

          (4)(a)(i) denying a good or service to the consumer;
          (4)(a)(ii) charging the consumer a different price or rate for a good or service; or
          (4)(a)(iii) providing the consumer a different level of quality of a good or service.
     (4)(b) This Subsection (4) does not prohibit a controller from offering a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for no fee or at a discount, if:

          (4)(b)(i) the consumer has opted out of targeted advertising; or
          (4)(b)(ii) the offer is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
(5) A controller is not required to provide a product, service, or functionality to a consumer if:

     (5)(a) the consumer’s personal data are or the processing of the consumer’s personal data is reasonably necessary for the controller to provide the consumer the product, service, or functionality; and
     (5)(b) the consumer does not:

          (5)(b)(i) provide the consumer’s personal data to the controller; or
          (5)(b)(ii) allow the controller to process the consumer’s personal data.
(6) Any provision of a contract that purports to waive or limit a consumer’s right under this chapter is void.