Utah § 13-61-303 Processing deidentified data or pseudonymous data.

Utah Statutes

§ 13-61-303 — Processing deidentified data or pseudonymous data.

Utah § 13-61-303

Title 13Commerce and Trade

Ch. 13-61Utah Consumer Privacy Act

Part 13-61-3Requirements for Controllers and Processors

This text of Utah § 13-61-303 (Processing deidentified data or pseudonymous data.) is published on Counsel Stack Legal Research, covering Utah primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Utah Code Ann. § 13-61-303 (2026).

Text

(1)The provisions of this chapter do not require a controller or processor to:

(1)(a) reidentify deidentified data or pseudonymous data;

(1)(b) maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or

(1)(c) comply with an authenticated consumer request to exercise a right described in Subsections 13-61-202(1) through (3), if:

(1)(c)(i) (1)(c)(i)(A) the controller is not reasonably capable of associating the request with the personal data; or

(1)(c)(i)(B) it would be unreasonably burdensome for the controller to associate the request with the personal data;

(1)(c)(ii) the controller does not:

(1)(c)(ii)(A) use the personal data to recognize or resp

Free access — add to your briefcase to read the full text and ask questions with AI

(1) The provisions of this chapter do not require a controller or processor to:

(1)(a) reidentify deidentified data or pseudonymous data;
(1)(b) maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or
(1)(c) comply with an authenticated consumer request to exercise a right described in Subsections 13-61-202(1) through (3), if:
(1)(c)(i) (1)(c)(i)(A) the controller is not reasonably capable of associating the request with the personal data; or
(1)(c)(i)(B) it would be unreasonably burdensome for the controller to associate the request with the personal data;
(1)(c)(ii) the controller does not:

(1)(c)(ii)(A) use the personal data to recognize or respond to the consumer who is the subject of the personal data; or
(1)(c)(ii)(B) associate the personal data with other personal data about the consumer; and
(1)(c)(iii) the controller does not sell or otherwise disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.
(2) The rights described in Subsections 13-61-201(1) through (3) do not apply to pseudonymous data if a controller demonstrates that any information necessary to identify a consumer is kept:

(2)(a) separately; and
(2)(b) subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or an identifiable individual.
(3) A controller who uses pseudonymous data or deidentified data shall take reasonable steps to ensure the controller:

(3)(a) complies with any contractual obligations to which the pseudonymous data or deidentified data are subject; and
(3)(b) promptly addresses any breach of a contractual obligation described in Subsection (3)(a).