Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

UTAH DATA PRIVACY REGULATIONS

Did You Know?

 
  • Limited methods of notification delivery;
  • Data owners are responsible for breach reporting and notifications;
  • Third parties must notify the UT Data Owner immediately if breached;
  • Violations can result in heavy fines;
  • Data protection laws extend out-of-state.

Who Me?

 

Utah breach and notification laws may apply if you are a person that:

  • Owns or licenses computerized data containing PII concerning a Utah resident;
  • Maintains computerized data that includes PII but does not own it.

There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?

 

PII relevant to a breach in Utah includes an individual’s name with one or more of the following:

  • Social Security Number;
  • Driver license or state-issued identification card number;
  • Account number or credit or debit card number, in combination with any security code, access code or password, etc. permitting access to the person's account.

LAWS

APPLICABLE LAWS

A few applicable statutes include, but are not limited to:

  • Title 13 - Commerce and Trade / Chapter 44 - Protection of Personal Information Act / All Parts, 13-44-101 to 301;
  • Title 45 - Publication and Broadcasting / Chapter 1 - Official Notices / Part 1 - General Publication Requirements / 45-1-101. Legal notice publication requirements.

RELATED LAWS

Title 13 - Commerce and Trade / Chapter 44 - Protection of Personal Information Act / Part 2 – Protection of Personal Information Act / 13-44-201

PENALTIES

NO PRIVATE RIGHT OF ACTION

In Utah, the attorney general enforces the law. There is no private right of action. Violation penalties could be up to $2,500 per consumer, but not over $100,000. The attorney general can seek injunctive relief to prevent future violations.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when evaluating reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was secured by encryption or another method;
  • Whether the encryption key or other means was acquired;
  • Whether the personal information is likely to be used for identity theft or fraud.

TIME LIMITS

After the determination regarding the scope of the breach and once reasonable integrity is restored to the system, the notification must be made in the most expedient time possible without unreasonable delay. An exception for delay is made if law enforcement indicates the notification may interfere with an investigation.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

The notification may be delivered in written form, electronically, by telephone, or by publishing the notice in a newspaper. There are specific requirements related to each of these methods.
