Section 13-61-203 - Controller's response to requests(1) Subject to the other provisions of this chapter, a controller shall comply with a consumer's request under Section 13-61-202 to exercise a right.(2)(a) Within 45 days after the day on which a controller receives a request to exercise a right, the controller shall: (i) take action on the consumer's request; and(ii) inform the consumer of any action taken on the consumer's request.(b) The controller may extend once the initial 45-day period by an additional 45 days if reasonably necessary due to the complexity of the request or the volume of the requests received by the controller.(c) If a controller extends the initial 45-day period, before the initial 45-day period expires, the controller shall:(i) inform the consumer of the extension, including the length of the extension; and(ii) provide the reasons the extension is reasonably necessary as described in Subsection (2)(b).(d) The 45-day period does not apply if the controller reasonably suspects the consumer's request is fraudulent and the controller is not able to authenticate the request before the 45-day period expires.(3) If, in accordance with this section, a controller chooses not to take action on a consumer's request, the controller shall within 45 days after the day on which the controller receives the request, inform the consumer of the reasons for not taking action.(4)(a) A controller may not charge a fee for information in response to a request, unless the request is the consumer's second or subsequent request during the same 12-month period.(b)(i) Notwithstanding Subsection (4)(a), a controller may charge a reasonable fee to cover the administrative costs of complying with a request or refuse to act on a request, if: (A) the request is excessive, repetitive, technically infeasible, or manifestly unfounded;(B) the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or(C) the request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller's business.(ii) A controller that charges a fee or refuses to act in accordance with this Subsection (4)(b) bears the burden of demonstrating the request satisfied one or more of the criteria described in Subsection (4)(b)(i).(5) If a controller is unable to authenticate a consumer request to exercise a right described in Section 13-61-201 using commercially reasonable efforts, the controller: (a) is not required to comply with the request; and(b) may request that the consumer provide additional information reasonably necessary to authenticate the request.Added by Chapter 462, 2022 General Session ,§ 7, eff. 12/31/2023.