Utah Consumer Privacy Act

CONSUMER PRIVACY ACT

2021 GENERAL SESSION

STATE OF UTAH

Chief Sponsor: Kirk A. Cullimore
House Sponsor: Brady Brammer

Be it enacted by the Legislature of the state of Utah:

13-2-1. Consumer protection division established - - Functions.

• There is established within the Department of Commerce the Division of Consumer Protection.

• The division shall administer and enforce the following:

  • Chapter 5, Unfair Practices Act
  • Chapter 10a, Music Licensing Practices Act
  • Chapter 11, Utah Consumer Sales Practices Act
  • Chapter 15, Business Opportunity Disclosure Act
  • Chapter 20, New Motor Vehicle Warranties Act
  • Chapter 21, Credit Services Organizations Act
  • Chapter 22, Charitable Solicitations Act
  • Chapter 23, Health Spa Services Protection Act
  • Chapter 25a, Telephone and Facsimile Solicitation Act
  • Chapter 26, Telephone Fraud Prevention Act
  • Chapter 28, Prize Notices Regulation Act
  • Chapter 32a, Pawnshop and Secondhand Merchandise Transaction Information Act
  • Chapter 34, Utah Postsecondary Proprietary School Act
  • Chapter 34a, Utah Postsecondary School State Authorization Act
  • Chapter 41, Price Controls During Emergencies Act
  • Chapter 42, Uniform Debt-Management Services Act
  • Chapter 49, Immigration Consultants Registration Act
  • Chapter 51, Transportation Network Company Registration Act
  • Chapter 52, Residential Solar Energy Disclosure Act
  • Chapter 53, Residential, Vocational and Life Skills Program Act
  • Chapter 54, Ticket Website Sales Act
  • Chapter 56, Ticket Transferability Act
  • Chapter 57, Maintenance Funding Practices Act
  • Chapter 61, Utah Consumer Privacy Act

CHAPTER 61.  UTAH CONSUMER PRIVACY ACT

Part 1. General Provisions

13-61-101. Definitions.

As used in this chapter:

• "Account" means the Consumer Privacy Restricted Account established in Section 13-61-403.
• "Affiliate" means an entity that:
  • Controls, is controlled by, or is under common control with another entity; or
  • Shares common branding with another entity.
• "Aggregated data" means information that relates to a group or category of consumers:
  • From which individual consumer identities have been removed; and
  • That is not linked or reasonably linkable to any consumer.
• "Air carrier" means the same as that term is defined in 49 U.S.C. Sec. 40102.
• "Authenticate" means to use reasonable means to determine that a consumer's request to exercise the rights described in Section 13-61-201 is made by the consumer who is entitled to exercise those rights.
• "Biometric data" means:
  • Data generated by automatic measurements of an individual's unique biological characteristics, including fingerprint, voiceprint, eye retinas, irises, or any other unique biological pattern used to identify a specific individual.
  • Does not include:
    • A physical or digital photograph;
    • A video or audio recording;
    • Data generated from an item listed above;
    • Information captured in a healthcare setting or for treatment, payment, or healthcare operations under 45 C.F.R. Parts 160, 162, and 164.
• "Business associate" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
• "Child" means an individual younger than 13 years old.
• "Consent" means an affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer.
• "Consumer" means:
  • An individual who is a resident of the state acting in an individual or household context.
  • Does not include an individual acting in an employment or commercial context.
• "Control" or "controlled" means:
  • Ownership of more than 50% of the voting securities of an entity;
  • Control over the election of a majority of directors or individuals exercising similar functions; or
  • The power to exercise controlling influence over an entity's management.
• "Controller" means a person doing business in the state who determines the purposes and means of processing personal data, either alone or with others.
• "Covered entity" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
• "Deidentified data" means data that:
  • Cannot reasonably be linked to an identified or identifiable individual;
  • Is held by a controller who:
    • Takes reasonable measures to ensure the data cannot be associated with an individual;
    • Publicly commits to maintain the data in deidentified form and not attempt to reidentify it; and
    • Contractually obligates any recipients of the data to comply with the deidentification requirements.
• "Director" means the director of the Division of Consumer Protection.
• "Division" means the Division of Consumer Protection created in Section 13-2-1.
• "Governmental entity" means the same as that term is defined in Section 63G-2-103.
• "Health care facility" means the same as that term is defined in Section 26-21-2.
• "Health care provider" means the same as that term is defined in Section 26-21-2.
• "Identifiable individual" means an individual who can be readily identified, directly or indirectly.
• "Institution of higher education" means a public or private institution of higher education.
• "Local political subdivision" means the same as that term is defined in Section 11-14-102.
• "Nonprofit corporation" means:
  • The same as that term is defined in Section 16-6a-102; or
  • A foreign nonprofit corporation as defined in Section 16-6a-102.
• "Personal data" means:
  • Information linked or reasonably linkable to an identified or identifiable individual.
  • Does not include deidentified data, aggregated data, or publicly available information.
• "Process" means an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification.
• "Processor" means a person who processes personal data on behalf of a controller.
• "Protected health information" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
• "Pseudonymous data" means personal data that cannot be attributed to a specific individual without additional information that is:
  • Kept separate from the consumer's personal data; and
  • Subject to technical and organizational measures to ensure the personal data is not attributable to an identified individual.
• "Publicly available information" means information that a person:
  • Lawfully obtains from a record of a governmental entity;
  • Reasonably believes a consumer or widely distributed media has made publicly available; or
  • Obtains from a person to whom the consumer disclosed the information, if the consumer has not restricted access to a specific audience.
• "Right" means a consumer right described in Section 13-61-201.
• "Sale," "sell," or "sold" means:
  • The exchange of personal data for monetary consideration by a controller to a third party.
  • Does not include:
    • Disclosure of personal data to a processor who processes the data on behalf of the controller;
    • Disclosure of personal data to an affiliate of the controller;
    • Disclosure in line with the consumer's reasonable expectations;
    • A consumer’s directive to disclose personal data or interact with third parties;
    • A consumer's disclosure for requested products or services;
    • Information that a consumer intentionally makes available to the public via mass media; or
    • The transfer of personal data as part of a merger, acquisition, or bankruptcy.
• "Sensitive data" means:
  • Personal data that reveals:
    • Racial or ethnic origin,
    • Religious beliefs,
    • Sexual orientation,
    • Citizenship or immigration status, or
    • Information regarding medical history, health condition, or medical treatment.
  • Processing of genetic or biometric data for identifying an individual.
  • Specific geolocation data.
  • Does not include:
    • Data processed by a video communication service revealing racial or ethnic origin; or
    • Data processed by licensed health care professionals.
• "Specific geolocation data" means information derived from technology that directly identifies an individual's specific location within a radius of 1,750 feet or less.
  • Does not include:
    • The content of communications; or
    • Data generated by advanced utility metering infrastructure systems.
• "Targeted advertising" means displaying an advertisement selected based on personal data obtained from a consumer's activities over time across nonaffiliated websites or online applications to predict preferences or interests.
  • Does not include:
    • Advertising based on a consumer's activities within a controller's website or online application;
    • Advertising based on the context of a consumer's current search query or visit to a website;
    • Advertising directed at a consumer in response to a request for information, product, or service; or
    • Processing personal data solely to measure or report advertising performance, reach, or frequency.
• "Third party" means a person other than:
  • The consumer, controller, or processor; or
  • An affiliate or contractor of the controller or processor.
• "Trade secret" means information that:
  • Derives independent economic value from not being generally known or readily ascertainable by others; and
  • Is subject to efforts to maintain its secrecy.

13-61-102. Applicability.

• This chapter applies to any controller or processor who:

  • Conducts business in the state; or
  • Produces a product or service that is targeted to consumers who are residents of the state.
  • Has annual revenue of $25,000,000 or more; and
  • Satisfies one or more of the following thresholds:
    • During a calendar year, controls or processes personal data of 100,000 or more consumers; or
    • Derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

• This chapter does not apply to:

  • A governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity;
  • A tribe;
  • An institution of higher education;
  • A nonprofit corporation;
  • A covered entity;
  • A business associate;
  • Information that meets the definition of:
    • Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations;
    • Patient identifying information for purposes of 42 C.F.R. Part 2;
    • Identifiable private information for purposes of the Federal Policy for the Protection of Human Subjects, 45 C.F.R. Part 46;
    • Identifiable private information or personal data collected as part of human subjects research pursuant to or under the same standards as:
      • The good clinical practice guidelines issued by the International Council for Harmonisation; or
      • The Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review Boards under 21 C.F.R. Part 56;
    • Personal data used or shared in research conducted in accordance with one or more of the requirements described above;
    • Information and documents created specifically for, and collected and maintained by, a committee listed in Section 26-1-7;
    • Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. Sec. 11101 et seq., and related regulations;
    • Patient safety work product for purposes of 42 C.F.R. Part 3; or
    • Information that is:
      • Deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164; and
      • Derived from any of the health care-related information listed above.
  • Information originating from, and intermingled to be indistinguishable with, information described above that is maintained by:
    • A health care facility or health care provider; or
    • A program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11.
  • Information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512.
  • An activity by:
    • A consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a;
    • A furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or
    • A user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b;
    • Subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 et seq.; and
    • Involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's:
      • Credit worthiness;
      • Credit standing;
      • Credit capacity;
      • Character;
      • General reputation;
      • Personal characteristics; or
      • Mode of living.
  • A financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations.
  • Personal data collected, processed, sold, or disclosed in accordance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.
  • Personal data regulated by the federal Family Education Rights and Privacy Act, 20 U.S.C. Sec. 1232g, and related regulations.
  • Personal data collected, processed, sold, or disclosed in accordance with the federal Farm Credit Act of 1971, 12 U.S.C. Sec. 2001 et seq.
  • Data that are processed or maintained:
    • In the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual's role;
    • As the emergency contact information of an individual described above and used for emergency contact purposes; or
    • To administer benefits for another individual relating to an individual described above and used for the purpose of administering the benefits.
  • An individual's processing of personal data for purely personal or household purposes.
  • An air carrier.

• A controller is in compliance with any obligation to obtain parental consent under this chapter if the controller complies with the verifiable parental consent mechanisms under the Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and the act's implementing regulations and exemptions.

• This chapter does not require a person to take any action in conflict with the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., or related regulations.

13-61-103. Preemption - Reference to other laws.

• This chapter supersedes and preempts any ordinance, resolution, rule, or other regulation adopted by a local political subdivision regarding the processing of personal data by a controller or processor.

• Any reference to federal law in this chapter includes any rules or regulations promulgated under the federal law.

Part 2. Rights Relating to Personal Data

13-61-201. Consumer rights - Access - Deletion - Portability - Opt out of certain processing.

• A consumer has the right to:

  • Confirm whether a controller is processing the consumer's personal data.
  • Access the consumer's personal data.

• A consumer has the right to delete the consumer's personal data that the consumer provided to the controller.

• A consumer has the right to obtain a copy of the consumer's personal data, that the consumer previously provided to the controller, in a format that:

  • To the extent technically feasible, is portable.
  • To the extent practicable, is readily usable.
  • Allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.

• A consumer has the right to opt out of the processing of the consumer's personal data for purposes of:

  • Targeted advertising.
  • The sale of personal data.

• Nothing in this section requires a person to cause a breach of security system as defined in Section 13-44-102.

13-61-202. Exercising consumer rights.

• A consumer may exercise a right by submitting a request to a controller, by means prescribed by the controller, specifying the right the consumer intends to exercise.

• In the case of processing personal data concerning a known child, the parent or legal guardian of the known child shall exercise a right on the child's behalf.

• In the case of processing personal data concerning a consumer subject to guardianship, conservatorship, or other protective arrangement under Title 75, Chapter 5, Protection of Persons Under Disability and Their Property, the guardian or the conservator of the consumer shall exercise a right on the consumer's behalf.

13-61-203. Controller's response to requests

• Subject to the other provisions of this chapter, a controller shall comply with a consumer's request under Section 13-61-202 to exercise a right.

• Within 45 days after the day on which a controller receives a request to exercise a right, the controller shall:

  • Take action on the consumer's request.
  • Inform the consumer of any action taken on the consumer's request.

• The controller may extend once the initial 45-day period by an additional 45 days if reasonably necessary due to the complexity of the request or the volume of the requests received by the controller.

• If a controller extends the initial 45-day period, before the initial 45-day period expires, the controller shall:

  • Inform the consumer of the extension, including the length of the extension.
  • Provide the reasons the extension is reasonably necessary as described in Subsection (2)(b).

• The 45-day period does not apply if the controller reasonably suspects the consumer's request is fraudulent and the controller is not able to authenticate the request before the 45-day period expires.

• If, in accordance with this section, a controller chooses not to take action on a consumer's request, the controller shall, within 45 days after the day on which the controller receives the request, inform the consumer of the reasons for not taking action.

• A controller may not charge a fee for information in response to a request, unless the request is the consumer's second or subsequent request during the same 12-month period.

• Notwithstanding Subsection (4)(a), a controller may charge a reasonable fee to cover the administrative costs of complying with a request or refuse to act on a request if:

  • The request is excessive, repetitive, technically infeasible, or manifestly unfounded.
  • The controller reasonably believes the primary purpose in submitting the request was something other than exercising a right.
  • The request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller's business.

• A controller that charges a fee or refuses to act in accordance with this Subsection (4)(b) bears the burden of demonstrating the request satisfied one or more of the criteria described in Subsection (4)(b).

• If a controller is unable to authenticate a consumer request to exercise a right described in Section 13-61-201 using commercially reasonable efforts, the controller:

  • Is not required to comply with the request.
  • May request that the consumer provide additional information reasonably necessary to authenticate the request.

Part 3. Requirements for Controllers and Processors

13-61-301. Responsibility according to role.

• A processor shall:

  • Adhere to the controller's instructions.
  • Taking into account the nature of the processing and information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, assist the controller in meeting the controller's obligations, including obligations related to the security of processing personal data and notification of a breach of security system described in Section 13-44-202.

• Before a processor performs processing on behalf of a controller, the processor and controller shall enter into a contract that:

  • Clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties' rights and obligations.
  • Requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data.
  • Requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.

• Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed.

  • A processor that adheres to a controller's instructions with respect to a specific processing of personal data remains a processor.

13-61-302. Responsibilities of controllers - Transparency - Purpose specification and data minimization - Consent for secondary use - Security - Nondiscrimination - Nonretaliation - Nonwaiver of consumer rights.

• A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data processed by the controller.
  • The purposes for which the categories of personal data are processed.
  • How consumers may exercise a right.
  • The categories of personal data that the controller shares with third parties, if any.
  • The categories of third parties, if any, with whom the controller shares personal data.

• If a controller sells a consumer's personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the:

  • Sale of the consumer's personal data.
  • Processing for targeted advertising.

• A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to:

  • Protect the confidentiality and integrity of personal data.
  • Reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.

• Considering the controller's business size, scope, and type, a controller shall use data security practices that are appropriate for the volume and nature of the personal data at issue.

• Except as otherwise provided in this chapter, a controller may not process sensitive data collected from a consumer without:

  • First presenting the consumer with clear notice and an opportunity to opt out of the processing, or
  • In the case of the processing of personal data concerning a known child, processing the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and the act's implementing regulations and exemptions.

• A controller may not discriminate against a consumer for exercising a right by:

  • Denying a good or service to the consumer.
  • Charging the consumer a different price or rate for a good or service.
  • Providing the consumer a different level of quality of a good or service.

• This does not prohibit a controller from offering a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for no fee or at a discount, if:

  • The consumer has opted out of targeted advertising, or
  • The offer is related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

• A controller is not required to provide a product, service, or functionality to a consumer if:

  • The consumer's personal data or the processing of the consumer's personal data is reasonably necessary for the controller to provide the consumer the product, service, or functionality, and
  • The consumer does not:
    • Provide the consumer's personal data to the controller, or
    • Allow the controller to process the consumer's personal data.

• Any provision of a contract that purports to waive or limit a consumer's right under this chapter is void.

13-61-303. Processing deidentified data or pseudonymous data.

• The provisions of this chapter do not require a controller or processor to:

  • Reidentify deidentified data or pseudonymous data.
  • Maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data.
  • Comply with an authenticated consumer request to exercise a right described in Subsections 13-61-202(1) through (3), if:
    • The controller is not reasonably capable of associating the request with the personal data; or
    • It would be unreasonably burdensome for the controller to associate the request with the personal data.
    • The controller does not:
      • Use the personal data to recognize the consumer who is the subject of the personal data; or
      • Associate the personal data with other personal data about the consumer.
    • The controller does not sell or otherwise disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.

• The rights described in Subsections 13-61-201(1) through (3) do not apply to pseudonymous data if a controller demonstrates that any information necessary to identify a consumer is kept:

  • Separately; and
  • Subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or identifiable individual.

• A controller who uses pseudonymous data or deidentified data shall take reasonable steps to ensure the controller:

  • Complies with any contractual obligations to which the pseudonymous data or deidentified data are subject; and
  • Promptly addresses any breach of a contractual obligation described in Subsection (3)(a).

13-61-304. Limitations

• The requirements described in this chapter do not restrict a controller's or processor's ability to:

  • Comply with a federal, state, or local law, rule, or regulation.
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity.
  • Cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.
  • Investigate, establish, exercise, prepare for, or defend a legal claim.
  • Provide a product or service requested by a consumer or a parent or legal guardian of a child.
  • Perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer or parent or legal guardian before entering into the contract with the consumer.
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual.
  • Detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity.
  • Investigate, report, or prosecute a person responsible for an action described in Subsection (1)(h)(i).
  • Preserve the integrity or security of systems.
  • Investigate, report, or prosecute a person responsible for harming or threatening the integrity or security of systems, as applicable.
  • If the controller discloses the processing in a notice described in Section 13-61-302, engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws.
  • Assist another person with an obligation described in this subsection.
  • Process personal data to:
    • Conduct internal analytics or other research to develop, improve, or repair a controller's or processor's product, service, or technology.
    • Identify and repair technical errors that impair existing or intended functionality.
    • Effectuate a product recall.
  • Process personal data to perform an internal operation that is:
    • Reasonably aligned with the consumer's expectations based on the consumer's existing relationship with the controller.
    • Otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer or a parent or legal guardian of a child or the performance of a contract to which the consumer or a parent or legal guardian of a child is a party.
  • Retain a consumer's email address to comply with the consumer's request to exercise a right.

• This chapter does not apply if a controller's or processor's compliance with this chapter:

  • Violates an evidentiary privilege under Utah law.
  • As part of a privileged communication, prevents a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Utah law.
  • Adversely affects the privacy or other rights of any person.

• A controller or processor is not in violation of this chapter if:

  • The controller or processor discloses personal data to a third party controller or processor in compliance with this chapter.
  • The third party processes the personal data in violation of this chapter.
  • The disclosing controller or processor did not have actual knowledge of the third party's intent to commit a violation of this chapter.

• If a controller processes personal data under an exemption described in Subsection (1), the controller bears the burden of demonstrating that the processing qualifies for the exemption.

• Nothing in this chapter requires a controller, processor, third party, or consumer to disclose a trade secret.

13-61-305. No private cause of action

• A violation of this chapter does not provide a basis for, nor is a violation of this chapter subject to, a private right of action under this chapter or any other law.

Part 4. Enforcement

13-61-401. Investigative powers of division.

• The division shall establish and administer a system to receive consumer complaints regarding a controller's or processor's alleged violation of this chapter.

• The division may investigate a consumer complaint to determine whether the controller or processor violated or is violating this chapter.

  • If the director has reasonable cause to believe that substantial evidence exists that a person identified in a consumer complaint is in violation of this chapter, the director shall refer the matter to the attorney general.

  • Upon request, the division shall provide consultation and assistance to the attorney general in enforcing this chapter.

13-61-402. Enforcement powers of the attorney general.

• The attorney general has the exclusive authority to enforce this chapter.

• Upon referral from the division, the attorney general may initiate an enforcement action against a controller or processor for a violation of this chapter.

• At least 30 days before the day on which the attorney general initiates an enforcement action against a controller or processor, the attorney general shall provide the controller or processor:

  • Written notice identifying each provision of this chapter the attorney general alleges the controller or processor has violated or is violating.

  • An explanation of the basis for each allegation.

• The attorney general may not initiate an action if the controller or processor:

  • Cures the noticed violation within 30 days after the day on which the controller or processor receives the written notice described above.

  • Provides the attorney general with an express written statement that:

    • The violation has been cured.

    • No further violation of the cured violation will occur.

• The attorney general may initiate an action against a controller or processor who:

  • Fails to cure a violation after receiving the notice described above.

  • After curing a noticed violation and providing a written statement, continues to violate this chapter.

• In an action described in this section, the attorney general may recover:

  • Actual damages to the consumer.

  • For each violation described above, an amount not to exceed $7,500.

• All money received from an action under this chapter shall be deposited into the Consumer Privacy Account established in Section 13-61-403.

• If more than one controller or processor is involved in the same processing in violation of this chapter, the liability for the violation shall be allocated among the controllers or processors according to the principles of comparative fault.

13-61-403. Consumer Privacy Restricted Account.

• There is created a restricted account known as the "Consumer Privacy Account."

• The account shall be funded by money received through civil enforcement actions under this chapter.

• Upon appropriation, the division or the attorney general may use money deposited into the account for:

  • Investigation and administrative costs incurred by the division in investigating consumer complaints alleging violations of this chapter.

  • Recovery of costs and attorney fees accrued by the attorney general in enforcing this chapter.

  • Providing consumer and business education regarding:

    • Consumer rights under this chapter.

    • Compliance with the provisions of this chapter for controllers and processors.

• If the balance in the account exceeds $4,000,000 at the close of any fiscal year, the Division of Finance shall transfer the amount that exceeds $4,000,000 into the General Fund.

13-61-404. Attorney general report.