Current through the 2024 Fourth Special Session
Section 13-61-101 - Definitions

As used in this chapter:
(1) "Account" means the Consumer Privacy Restricted Account established in Section 13-61-403.
(2) "Affiliate" means an entity that:
  (a) controls, is controlled by, or is under common control with another entity; or
  (b) shares common branding with another entity.
(3) "Aggregated data" means information that relates to a group or category of consumers:
  (a) from which individual consumer identities have been removed; and
  (b) that is not linked or reasonably linkable to any consumer.
(4) "Air carrier" means the same as that term is defined in 49 U.S.C. Sec. 40102.
(5) "Authenticate" means to use reasonable means to determine that a consumer's request to exercise the rights described in Section 13-61-201 is made by the consumer who is entitled to exercise those rights.
(6)(a) "Biometric data" means data generated by automatic measurements of an individual's unique biological characteristics.
  (b) "Biometric data" includes data described in Subsection (6)(a) that are generated by automatic measurements of an individual's fingerprint, voiceprint, eye retinas, irises, or any other unique biological pattern or characteristic that is used to identify a specific individual.
  (c) "Biometric data" does not include:
    (i) a physical or digital photograph;
    (ii) a video or audio recording;
    (iii) data generated from an item described in Subsection (6)(c)(i) or (ii);
    (iv) information captured from a patient in a health care setting; or
    (v) information collected, used, or stored for treatment, payment, or health care operations as those terms are defined in 45 C.F.R. Parts 160, 162, and 164.
(7) "Business associate" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
(8) "Child" means an individual younger than 13 years old.
(9) "Consent" means an affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer.
(10)(a) "Consumer" means an individual who is a resident of the state acting in an individual or household context.
  (b) "Consumer" does not include an individual acting in an employment or commercial context.
(11) "Control" or "controlled" as used in Subsection (2) means:
  (a) ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting securities of an entity;
  (b) control in any manner over the election of a majority of the directors or of the individuals exercising similar functions; or
  (c) the power to exercise controlling influence of the management of an entity.
(12) "Controller" means a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.
(13) "Covered entity" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
(14)(a) "Deidentified data" means data that:
    (i) cannot reasonably be linked to an identified individual or an identifiable individual; and
    (ii) are possessed by a controller who:
      (A) takes reasonable measures to ensure that a person cannot associate the data with an individual;
      (B) publicly commits to maintain and use the data only in deidentified form and not attempt to reidentify the data; and
      (C) contractually obligates any recipients of the data to comply with the requirements described in Subsections (14)(b)(i) and (ii).
  (b) "Deidentified data" includes synthetic data.
(15) "Director" means the director of the Division of Consumer Protection.
(16) "Division" means the Division of Consumer Protection created in Section 13-2-1.
(17) "Governmental entity" means the same as that term is defined in Section 63G-2-103.
(18) "Health care facility" means the same as that term is defined in Section 26B-2-201.
(19) "Health care provider" means the same as that term is defined in Section 78B-3-403.
(20) "Identifiable individual" means an individual who can be readily identified, directly or indirectly.
(21) "Institution of higher education" means a public or private institution of higher education.
(22) "Local political subdivision" means the same as that term is defined in Section 11-14-102.
(23) "Nonprofit corporation" means:
  (a) the same as that term is defined in Section 16-6a-102; or
  (b) a foreign nonprofit corporation as defined in Section 16-6a-102.
(24)(a) "Personal data" means information that is linked or reasonably linkable to an identified individual or an identifiable individual.
  (b) "Personal data" does not include deidentified data, aggregated data, or publicly available information.
(25) "Process" means an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(26) "Processor" means a person who processes personal data on behalf of a controller.
(27) "Protected health information" means the same as that term is defined in 45 C.F.R. Sec. 160.103.
(28) "Pseudonymous data" means personal data that cannot be attributed to a specific individual without the use of additional information, if the additional information is:
  (a) kept separate from the consumer's personal data; and
  (b) subject to appropriate technical and organizational measures to ensure that the personal data are not attributable to an identified individual or an identifiable individual.
(29) "Publicly available information" means information that a person:
  (a) lawfully obtains from a record of a governmental entity;
  (b) reasonably believes a consumer or widely distributed media has lawfully made available to the general public; or
  (c) if the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.
(30) "Right" means a consumer right described in Section 13-61-201.
(31)(a) "Sale," "sell," or "sold" means the exchange of personal data for monetary consideration by a controller to a third party.
  (b) "Sale," "sell," or "sold" does not include:
    (i) a controller's disclosure of personal data to a processor who processes the personal data on behalf of the controller;
    (ii) a controller's disclosure of personal data to an affiliate of the controller;
    (iii) considering the context in which the consumer provided the personal data to the controller, a controller's disclosure of personal data to a third party if the purpose is consistent with a consumer's reasonable expectations;
    (iv) the disclosure or transfer of personal data when a consumer directs a controller to:
      (A) disclose the personal data; or
      (B) interact with one or more third parties;
    (v) a consumer's disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child;
    (vi) the disclosure of information that the consumer:
      (A) intentionally makes available to the general public via a channel of mass media; and
      (B) does not restrict to a specific audience; or
    (vii) a controller's transfer of personal data to a third party as an asset that is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes control of all or part of the controller's assets.
(32)(a) "Sensitive data" means:
    (i) personal data that reveals:
      (A) an individual's racial or ethnic origin;
      (B) an individual's religious beliefs;
      (C) an individual's sexual orientation;
      (D) an individual's citizenship or immigration status; or
      (E) information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional;
    (ii) the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or
    (iii) specific geolocation data.
  (b) "Sensitive data" does not include personal data that reveals an individual's:
    (i) racial or ethnic origin, if the personal data are processed by a video communication service; or
    (ii) if the personal data are processed by a person licensed to provide health care under Title 26B, Chapter 2, Part 2, Health Care Facility Licensing and Inspection, or Title 58, Occupations and Professions, information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional.
(33)(a) "Specific geolocation data" means information derived from technology, including global position system level latitude and longitude coordinates, that directly identifies an individual's specific location, accurate within a radius of 1,750 feet or less.
  (b) "Specific geolocation data" does not include:
    (i) the content of a communication; or
    (ii) any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(34) "Synthetic data" means data that has been generated by computer algorithms or statistical models and does not contain personal data.
(35)(a) "Targeted advertising" means displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.
  (b) "Targeted advertising" does not include advertising:
    (i) based on a consumer's activities within a controller's website or online application or any affiliated website or online application;
    (ii) based on the context of a consumer's current search query or visit to a website or online application;
    (iii) directed to a consumer in response to the consumer's request for information, product, a service, or feedback; or
    (iv) processing personal data solely to measure or report advertising:
(36) "Third party" means a person other than:
  (a) the consumer, controller, or processor; or
  (b) an affiliate or contractor of the controller or the processor.
(37) "Trade secret" means information, including a formula, pattern, compilation, program, device, method, technique, or process, that:
  (a) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from the information's disclosure or use; and
  (b) is the subject of efforts that are reasonable under the circumstances to maintain the information's secrecy.

Amended by Chapter 186, 2024 General Session, § 3, eff. 5/1/2024.
Amended by Chapter 327, 2023 General Session, § 37, eff. 12/31/2023.
Added by Chapter 462, 2022 General Session, § 2, eff. 12/31/2023.