(1) The provisions of this chapter do not require a controller or processor to: (a) reidentify deidentified data or pseudonymous data; (b) maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or (c) comply with an authenticated consumer request to exercise a right described in Subsections 13-61-202(1) through (3), if: (i) (A) the controller is not reasonably capable of associating the request with the personal data; or (B) it would be unreasonably burdensome for the controller to associate the request with the personal data; (ii) the controller does not: (A) use the personal data to recognize or respond to the consumer who is the subject of the personal data; or (B) associate the personal data with other personal data about the consumer; and (iii) the controller does not sell or otherwise disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. (2) The rights described in Subsections 13-61-201(1) through (3) do not apply to pseudonymous data if a controller demonstrates that any information necessary to identify a consumer is kept: (a) separately; and (b) subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or an identifiable individual. (3) A controller who uses pseudonymous data or deidentified data shall take reasonable steps to ensure the controller: (a) complies with any contractual obligations to which the pseudonymous data or deidentified data are subject; and (b) promptly addresses any breach of a contractual obligation described in Subsection (3)(a).
‹ Prev All Utah sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.