Current through the 2024 Fourth Special Session
Section 13-61-102 - Applicability

(1) This chapter applies to any controller or processor who:
  (a)
    (i) conducts business in the state; or
    (ii) produces a product or service that is targeted to consumers who are residents of the state;
  (b) has annual revenue of $25,000,000 or more; and
  (c) satisfies one or more of the following thresholds:
    (i) during a calendar year, controls or processes personal data of 100,000 or more consumers; or
    (ii) derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

(2) This chapter does not apply to:
  (a) a governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity;
  (c) an institution of higher education;
  (d) a nonprofit corporation;
  (f) a business associate;
  (g) information that meets the definition of:
    (i) protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations;
    (ii) patient identifying information for purposes of 42 C.F.R. Part 2;
    (iii) identifiable private information for purposes of the Federal Policy for the Protection of Human Subjects, 45 C.F.R. Part 46;
    (iv) identifiable private information or personal data collected as part of human subjects research pursuant to or under the same standards as:
      (A) the good clinical practice guidelines issued by the International Council for Harmonisation; or
      (B) the Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review Boards under 21 C.F.R. Part 56;
    (v) personal data used or shared in research conducted in accordance with one or more of the requirements described in Subsection (2)(g)(iv);
    (vi) information and documents created specifically for, and collected and maintained by, a committee but not a board or council listed in Section 26B-1-204;
    (vii) information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. Sec. 11101 et seq., and related regulations;
    (viii) patient safety work product for purposes of 42 C.F.R. Part 3; or
    (ix) information that is:
      (A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164; and
      (B) derived from any of the health care-related information listed in this Subsection (2)(g);
  (h) information originating from, and intermingled to be indistinguishable with, information under Subsection (2)(g) that is maintained by:
    (i) a health care facility or health care provider; or
    (ii) a program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11;
  (i) information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512;
  (j)
    (i) an activity by:
      (A) a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a;
      (B) a furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or
      (C) a user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b;
    (ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 et seq.; and
    (iii) involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's:
      (F) personal characteristics; or
  (k) a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations;
  (l) personal data collected, processed, sold, or disclosed in accordance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.;
  (m) personal data regulated by the federal Family Education Rights and Privacy Act, 20 U.S.C. Sec. 1232g, and related regulations;
  (n) personal data collected, processed, sold, or disclosed in accordance with the federal Farm Credit Act of 1971, 12 U.S.C. Sec. 2001 et seq.;
  (o) data that are processed or maintained:
    (i) in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual's role;
    (ii) as the emergency contact information of an individual described in Subsection (2)(o)(i) and used for emergency contact purposes; or
    (iii) to administer benefits for another individual relating to an individual described in Subsection (2)(o)(i) and used for the purpose of administering the benefits;
  (p) an individual's processing of personal data for purely personal or household purposes; or

(3) A controller is in compliance with any obligation to obtain parental consent under this chapter if the controller complies with the verifiable parental consent mechanisms under the Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and the act's implementing regulations and exemptions.

(4) This chapter does not require a person to take any action in conflict with the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., or related regulations.

Amended by Chapter 381, 2024 General Session, § 1, eff. 5/1/2024.
Added by Chapter 462, 2022 General Session, § 3, eff. 12/31/2023.