Current through the 2024 Fourth Special Session
Section 13-61-302 - Responsibilities of controllers - Transparency - Purpose specification and data minimization - Consent for secondary use - Security - Nondiscrimination - Nonretaliation - Nonwaiver of consumer rights

(1)(a) A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes:
(i) the categories of personal data processed by the controller;
(ii) the purposes for which the categories of personal data are processed;
(iii) how consumers may exercise a right;
(iv) the categories of personal data that the controller shares with third parties, if any; and
(v) the categories of third parties, if any, with whom the controller shares personal data.
(b) If a controller sells a consumer's personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the:
(i) sale of the consumer's personal data; or
(ii) processing for targeted advertising.

(2)(a) A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to:
(i) protect the confidentiality and integrity of personal data; and
(ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.
(b) Considering the controller's business size, scope, and type, a controller shall use data security practices that are appropriate for the volume and nature of the personal data at issue.

(3) Except as otherwise provided in this chapter, a controller may not process sensitive data collected from a consumer without:
(a) first presenting the consumer with clear notice and an opportunity to opt out of the processing; or
(b) in the case of the processing of personal data concerning a known child, processing the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and the act's implementing regulations and exemptions.

(4)(a) A controller may not discriminate against a consumer for exercising a right by:
(i) denying a good or service to the consumer;
(ii) charging the consumer a different price or rate for a good or service; or
(iii) providing the consumer a different level of quality of a good or service.
(b) This Subsection (4) does not prohibit a controller from offering a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for no fee or at a discount, if:
(i) the consumer has opted out of targeted advertising; or
(ii) the offer is related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

(5) A controller is not required to provide a product, service, or functionality to a consumer if:
(a) the consumer's personal data are or the processing of the consumer's personal data is reasonably necessary for the controller to provide the consumer the product, service, or functionality; and
(b) the consumer does not:
(i) provide the consumer's personal data to the controller; or
(ii) allow the controller to process the consumer's personal data.

(6) Any provision of a contract that purports to waive or limit a consumer's right under this chapter is void.

Added by Chapter 462, 2022 General Session, § 9, eff. 12/31/2023.