Effective 12/31/2023
13-61-303. Processing deidentified data or pseudonymous data.
- (1) The provisions of this chapter do not require a controller or processor to:
- (a) reidentify deidentified data or pseudonymous data;
- (b) maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or
- (c) comply with an authenticated consumer request to exercise a right described in Subsections 13-61-202(1) through (3), if:
- (i)
- (A) the controller is not reasonably capable of associating the request with the personal data; or
- (B) it would be unreasonably burdensome for the controller to associate the request with the personal data;
- (ii) the controller does not:
- (A) use the personal data to recognize or respond to the consumer who is the subject of the personal data; or
- (B) associate the personal data with other personal data about the consumer; and
- (iii) the controller does not sell or otherwise disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.
- (2) The rights described in Subsections 13-61-201(1) through (3) do not apply to pseudonymous data if a controller demonstrates that any information necessary to identify a consumer is kept:
- (a) separately; and
- (b) subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or an identifiable individual.
- (3) A controller who uses pseudonymous data or deidentified data shall take reasonable steps to ensure the controller:
- (a) complies with any contractual obligations to which the pseudonymous data or deidentified data are subject; and
- (b) promptly addresses any breach of a contractual obligation described in Subsection (3)(a).
Enacted by Chapter 462, 2022 General Session