
UCPA: Deidentified Data, Enforcement, and Exceptions

Melissa Krasnow | April 14, 2022

Deidentified Data

The Utah Consumer Privacy Act (UCPA) will become effective on December 31, 2023. The scope of the UCPA is reviewed in "UCPA: Application, Definitions, Consumer Rights, and Obligations." This article discusses UCPA deidentified data and enforcement, as well as exceptions to the UCPA.

The UCPA does not require a controller or processor to do any of the following.

  • Reidentify deidentified data or pseudonymous data;
  • Maintain data in identifiable form, or obtain, retain, or access any data or technology, for the purpose of allowing the controller or processor to associate a consumer request with personal data; or
  • Comply with an authenticated consumer request to exercise a right described in Utah Code § 13–61–202(1)–(3) if the controller meets all of the following conditions.
    • Is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;
    • Does not use the personal data to recognize or respond to the consumer who is the subject of the personal data or associate the personal data with other personal data about the consumer; and
    • Does not sell or otherwise disclose the personal data to any third party other than a processor, except as otherwise permitted in Utah Code § 13–61–303.

The rights described in Utah Code § 13–61–202(1)–(3) do not apply to pseudonymous data if a controller demonstrates that any information necessary to identify a consumer is kept separately and subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or an identifiable individual.

A controller that uses pseudonymous data or deidentified data must take reasonable steps to ensure that it does the following.

  • Complies with any contractual obligations to which the pseudonymous data or deidentified data are subject; and
  • Promptly addresses any breach of such a contractual obligation.

Enforcement

The Utah attorney general will have exclusive authority to enforce the UCPA. Upon request, the Division of Consumer Protection in the Utah Department of Commerce (the "Division"), which administers the UCPA's consumer complaint system, is to provide consultation and assistance to the Utah attorney general in enforcing the UCPA.

The Division is to establish and administer a system to receive consumer complaints regarding a controller's or processor's alleged violation of the UCPA. Where the director of the Division has reasonable cause to believe that substantial evidence exists that a person identified in a consumer complaint is in violation of the UCPA, the director is to refer the matter to the Utah attorney general, who may initiate an enforcement action against a controller or processor for a violation of the UCPA.

Before initiating an action, the Utah attorney general must give the controller or processor written notice of the alleged violation and a 30-day period, running from receipt of the notice, in which to cure it. If the controller or processor fails to cure the violation within that period, or cures the noticed violation but later continues to violate the UCPA, the Utah attorney general may initiate an action against the controller or processor and may recover actual damages to the consumer and, for each such violation, an amount not to exceed $7,500.

A violation of the UCPA does not provide a basis for, nor is a violation of the UCPA subject to, a private right of action under the UCPA or any other law.

Exceptions

The UCPA does not apply to any of the following.

  • A governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity;
  • A tribe;
  • An institution of higher education;
  • A nonprofit corporation;
  • A covered entity;
  • A business associate;
  • Information that meets the definition of any of the following.
    • Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 and related regulations;
    • Patient identifying information for purposes of 42 C.F.R. Part 2;
    • Identifiable private information for purposes of the Federal Policy for the Protection of Human Subjects, 45 C.F.R. Part 46;
    • Identifiable private information or personal data collected as part of human subjects research pursuant to or under the same standards as the good clinical practice guidelines issued by the International Council for Harmonisation or Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review Boards under 21 C.F.R. Part 56;
    • Personal data used or shared in research conducted in accordance with one or more of the good clinical practice guidelines issued by the International Council for Harmonisation or Protection of Human Subjects under 21 C.F.R. Part 50 and Institutional Review Boards under 21 C.F.R. Part 56;
    • Information and documents created specifically for, and collected and maintained by, a committee listed in Utah Code § 26–1–7;
    • Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 and related regulations;
    • Patient safety work product for purposes of 42 C.F.R. Part 3; or
    • Information that is deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164 and derived from any of the healthcare-related information listed in this bullet point;
  • Information originating from, and intermingled to be indistinguishable with, information under the immediately preceding bullet point that is maintained by a healthcare facility or healthcare provider or a program or a qualified service organization as defined in 42 C.F.R. § 2.11;
  • Information used only for public health activities and purposes as described in 45 C.F.R. § 164.512;
  • An activity that meets all of the following conditions.
    • The activity is by one of the following.
      • A consumer reporting agency, as defined in 15 U.S.C. § 1681a;
      • A furnisher of information, as set forth in 15 U.S.C. § 1681s–2, who provides information for use in a consumer report, as defined in 15 U.S.C. § 1681a; or
      • A user of a consumer report, as set forth in 15 U.S.C. § 1681b;
    • The activity is subject to regulation under the federal Fair Credit Reporting Act; and
    • The activity involves the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on any of the following of a consumer.
      • Creditworthiness;
      • Credit standing;
      • Credit capacity;
      • Character;
      • General reputation;
      • Personal characteristics; or
      • Mode of living;
  • A financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act and related regulations;
  • Personal data collected, processed, sold, or disclosed in accordance with the federal Driver's Privacy Protection Act of 1994;
  • Personal data regulated by the federal Family Education Rights and Privacy Act and related regulations;
  • Personal data collected, processed, sold, or disclosed in accordance with the federal Farm Credit Act of 1971;
  • Data that are processed or maintained in any of the following ways.
    • In the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual's role;
    • As the emergency contact information of an individual in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual's role and used for emergency contact purposes; or
    • To administer benefits for another individual relating to an individual in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual's role and used for the purpose of administering the benefits;
  • An individual's processing of personal data for purely personal or household purposes; or
  • An air carrier.

The requirements described in the UCPA do not restrict a controller's or processor's ability to do any of the following (each, an "Exemption").

  • Comply with a federal, state, or local law, rule, or regulation;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity;
  • Cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  • Investigate, establish, exercise, prepare for, or defend a legal claim;
  • Provide a product or service requested by a consumer or a parent or legal guardian of a child;
  • Perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer or parent or legal guardian before entering into the contract with the consumer;
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual;
  • Detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity, or investigate, report, or prosecute a person responsible for any such activity;
  • Preserve the integrity or security of systems, or investigate, report, or prosecute a person responsible for harming or threatening the integrity or security of systems, as applicable;
  • If the controller discloses the processing in a notice described in Utah Code § 13–61–302, engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws;
  • Assist another person with an obligation described in any of the Exemptions;
  • Process personal data to do the following.
    • Conduct internal analytics or other research to develop, improve, or repair a controller's or processor's product, service, or technology;
    • Identify and repair technical errors that impair existing or intended functionality; or
    • Effectuate a product recall;
  • Process personal data to perform an internal operation that is either of the following.
    • Reasonably aligned with the consumer's expectations based on the consumer's existing relationship with the controller; or
    • Otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer or a parent or legal guardian of a child or the performance of a contract to which the consumer or a parent or legal guardian of a child is a party; or
  • Retain a consumer's email address to comply with the consumer's request to exercise a right.

If a controller processes personal data under an Exemption, the controller bears the burden of demonstrating that the processing qualifies for the exemption.

The UCPA does not apply if a controller's or processor's compliance with the UCPA would do any of the following.

  • Violates an evidentiary privilege under Utah law;
  • As part of a privileged communication, prevents a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Utah law; or
  • Adversely affects the privacy or other rights of any person.

A controller or processor is not in violation of the UCPA if all of the following are true.

  • The controller or processor discloses personal data to a third-party controller or processor in compliance with the UCPA;
  • The third party processes the personal data in violation of the UCPA; and
  • The disclosing controller or processor did not have actual knowledge of the third party's intent to commit a violation of the UCPA.

Nothing in the UCPA requires a controller, processor, third party, or consumer to disclose a trade secret.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.