Utah § 63A-19-101 Definitions.

Utah Statutes

§ 63A-19-101 — Definitions.

Utah § 63A-19-101

Title 63AUtah Government Operations Code

Ch. 63A-19Government Data Privacy Act

Part 63A-19-1General Provisions -- State Data Privacy Policy

This text of Utah § 63A-19-101 (Definitions.) is published on Counsel Stack Legal Research, covering Utah primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Utah Code Ann. § 63A-19-101 (2026).

Text

As used in this chapter:

(1)"Anonymized data" means information that has been irreversibly modified so that there is no possibility of using the information, alone or in combination with other information, to identify an individual.

(2)"At-risk government employee" means the same as that term is defined in Section 63G-2-303.

(3)"Automated decision making" means using personal data to make a decision about an individual through automated processing, without human review or intervention.

(4)"Biometric data" means the same as that term is defined in Section 13-61-101.

(5)"Chief administrative officer" means the same as that term is defined in Section 63A-12-100.5.

(6)"Chief privacy officer" means the individual appointed under Section 63A-19-302.

(7)"Commission" means the Utah Privacy

Free access — add to your briefcase to read the full text and ask questions with AI

As used in this chapter:
(1) "Anonymized data" means information that has been irreversibly modified so that there is no possibility of using the information, alone or in combination with other information, to identify an individual.
(2) "At-risk government employee" means the same as that term is defined in Section 63G-2-303.
(3) "Automated decision making" means using personal data to make a decision about an individual through automated processing, without human review or intervention.
(4) "Biometric data" means the same as that term is defined in Section 13-61-101.
(5) "Chief administrative officer" means the same as that term is defined in Section 63A-12-100.5.
(6) "Chief privacy officer" means the individual appointed under Section 63A-19-302.
(7) "Commission" means the Utah Privacy Commission established in Section 63A-19-203.
(8) "Contract" means an agreement between a governmental entity and a person for goods or services that involve personal data.
(9) (9)(a) "Contractor" means a person who:
(9)(a)(i) has entered into a contract with a governmental entity; and
(9)(a)(ii) may process personal data under the contract.
(9)(b) "Contractor" includes a contractor's employees, agents, or subcontractors.
(10) "Cyber Center" means the Utah Cyber Center created in Section 63A-16-1102.
(11) "Data breach" means the unauthorized access, acquisition, disclosure, loss of access, or destruction of personal data held by a governmental entity, unless the governmental entity concludes, according to standards established by the Cyber Center, that there is a low probability that personal data has been compromised.
(12) "De-identified data" means information from which personal data has been removed or obscured so that the information is not readily identifiable to a specific individual, and which may not be re-identified.
(13) "Genetic data" means the same as that term is defined in Section 13-60-102.
(14) "Governing board" means the Utah Privacy Governing Board established in Section 63A-19-201.
(15) "Governmental entity" means the same as that term is defined in Section 63G-2-103.
(16) "Government website" means a set of related web pages that is operated by or on behalf of a governmental entity and is:
(16)(a) located under a single domain name or web address; and
(16)(b) accessible directly through the Internet or by the use of a software program.
(17) (17)(a) "High-risk processing activities" means a governmental entity's processing of personal data that may have a significant impact on an individual's privacy interests, based on factors that include:
(17)(a)(i) the sensitivity of the personal data processed;
(17)(a)(ii) the amount of personal data being processed;
(17)(a)(iii) the individual's ability to consent to the processing of personal data; and
(17)(a)(iv) risks of unauthorized access or use.
(17)(b) "High-risk processing activities" may include the use of:
(17)(b)(i) facial recognition technology;
(17)(b)(ii) automated decision making;
(17)(b)(iii) profiling;
(17)(b)(iv) genetic data;
(17)(b)(v) biometric data; or
(17)(b)(vi) geolocation data.
(18) "Independent entity" means the same as that term is defined in Section 63E-1-102.
(19) "Individual" means the same as that term is defined in Section 63G-2-103.
(20) "Legal guardian" means:
(20)(a) the parent of a minor; or
(20)(b) an individual appointed by a court to be the guardian of a minor or incapacitated individual and given legal authority to make decisions regarding the person or property of the minor or incapacitated individual.
(21) "Office" means the Utah Office of Data Privacy created in Section 63A-19-301.
(22) "Ombudsperson" means the data privacy ombudsperson appointed under Section 63A-19-501.
(23) "Person" means the same as that term is defined in Section 63G-2-103.
(24) "Personal data" means information that is linked or can be reasonably linked to an identified individual or an identifiable individual.
(25) "Privacy annotation" means a summary of personal data contained in a record series as described in Section 63A-19-401.1.
(26) "Privacy practice" means a governmental entity's:
(26)(a) organizational, technical, administrative, and physical safeguards designed to protect an individual's personal data;
(26)(b) policies and procedures related to the acquisition, use, storage, sharing, retention, and disposal of personal data; and
(26)(c) practice of providing notice to an individual regarding the individual's privacy rights.
(27) "Process," "processing," or "processing activity" means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, access, retrieval, consultation, use, disclosure by transmission, transfer, dissemination, alignment, combination, restriction, erasure, or destruction.
(28) "Profiling" means the processing of personal data to evaluate or predict an individual's:
(28)(a) economic situation;
(28)(b) health;
(28)(c) personal preferences;
(28)(d) interests;
(28)(e) reliability;
(28)(f) behavior;
(28)(g) location; or
(28)(h) movements.
(29) "Purchase" or "purchasing" means the exchange of monetary consideration to obtain the personal data of an individual who is not a party to the transaction.
(30) "Record" means the same as that term is defined in Section 63G-2-103.
(31) "Record series" means the same as that term is defined in Section 63G-2-103.
(32) "Retention schedule" means a governmental entity's schedule for the retention or disposal of records that has been approved by the Records Management Committee pursuant to Section 63A-12-113.
(33) (33)(a) "Sell" means an exchange of personal data for monetary consideration by a governmental entity to a third party.
(33)(b) "Sell" does not include a fee:
(33)(b)(i) charged by a governmental entity for access to a record pursuant to Section 63G-2-203; or
(33)(b)(ii) assessed in accordance with an approved fee schedule.
(34) (34)(a) "State agency" means the following entities that are under the direct supervision and control of the governor or the lieutenant governor:
(34)(a)(i) a department;
(34)(a)(ii) a commission;
(34)(a)(iii) a board;
(34)(a)(iv) a council;
(34)(a)(v) an institution;
(34)(a)(vi) an officer;
(34)(a)(vii) a corporation;
(34)(a)(viii) a fund;
(34)(a)(ix) a division;
(34)(a)(x) an office;
(34)(a)(xi) a committee;
(34)(a)(xii) an authority;
(34)(a)(xiii) a laboratory;
(34)(a)(xiv) a library;
(34)(a)(xv) a bureau;
(34)(a)(xvi) a panel;
(34)(a)(xvii) another administrative unit of the state; or
(34)(a)(xviii) an agent of an entity described in Subsections (34)(a)(i) through (xvii).
(34)(b) "State agency" does not include:
(34)(b)(i) the legislative branch;
(34)(b)(ii) the judicial branch;
(34)(b)(iii) an executive branch agency within the Office of the Attorney General, the state auditor, the state treasurer, or the State Board of Education; or
(34)(b)(iv) an independent entity.
(35) "State privacy auditor" means the same as that term is defined in Section 67-3-13.
(36) "Synthetic data" means artificial data that:
(36)(a) is generated from personal data; and
(36)(b) models the statistical properties of the original personal data.
(37) "User" means an individual who accesses a government website.
(38) (38)(a) "User data" means any information about a user that is automatically collected by a government website when a user accesses the government website.
(38)(b) "User data" includes information that identifies:
(38)(b)(i) a user as having requested or obtained specific materials or services from a government website;
(38)(b)(ii) Internet sites visited by a user;
(38)(b)(iii) the contents of a user's data-storage device;
(38)(b)(iv) any identifying code linked to a user of a government website; and
(38)(b)(v) a user's:
(38)(b)(v)(A) IP or Mac address; or
(38)(b)(v)(B) session ID.
(39) "Website tracking technology" means any tool used by a government website to:
(39)(a) monitor a user's behavior; or
(39)(b) collect user data.