Utah - Data Protection Overview
Utah does not recognise a right to privacy in its constitution. However, there are comprehensive sector-specific laws establishing other privacy rights.
Utah has several statutory privacy laws. Chief among them is the Protection of Personal Information Act, §13-44-101 et seq. of the Utah Code ('PPIA'). Generally speaking, under the PPIA businesses in Utah must implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information they collect or maintain. Personal information includes a person's first name or first initial and last name combined with: a social security number; a financial account number, credit card number, or debit card number; any security code, access code, or password that would permit access to the person's account; or a driver's license number.
When businesses that own or license computerised data that includes personal information become aware of a data breach, they must determine the likelihood that personal information has been or will be misused and, if so, notify each affected person as soon as possible, unless law enforcement asks them not to for investigative purposes. The only other permissible reasons for delaying notification are to determine the scope of the breach and to restore the reasonable integrity of their security systems.
Failure to comply with the PPIA can subject businesses to civil fines of up to $2,500 per consumer and up to $100,000 for related violations involving more than one consumer. If the violations involve more than 10,000 consumers, fines can exceed $100,000. While not an independent basis for liability that consumers can assert in private lawsuits, the PPIA at least establishes a baseline of notification procedures businesses should follow when personal information has been breached or compromised. The PPIA is enforced by the Utah Attorney General and does not provide for a private right of action.
Further, under the PPIA, businesses must destroy, or arrange for the destruction of, records containing personal information that is not to be retained, by shredding, erasing, or otherwise modifying the personal information to make it indecipherable.
Utah has also enacted the Electronic Information or Data Privacy Act, §77-23c-102 et seq. of the Utah Code ('EIDPA'). With the passage of this law in 2019, Utah became the first state to pass legislation prohibiting law enforcement from obtaining personal electronic information from third parties without a warrant. The EIDPA requires law enforcement to give notice to the owners of electronic information within 14 days of executing a search warrant on a third party. The EIDPA was passed in response to the U.S. Supreme Court's holding in Carpenter v. United States, 138 S. Ct. 2206 (2018) that states must pass legislation in order to protect personal information contained on electronic devices from warrantless searches. As stated by the sponsor of the bill amending the EIDPA, the goal was 'to provide the same protections we have in the physical world and apply those to the electronic world.'
Under the Identity Fraud Act, §76-6-1102(2) et seq. of the Utah Code, a person is guilty of identity fraud when the person knowingly or intentionally uses or attempts to use the personal identifying information of another person, whether the other person is alive or dead, with fraudulent intent, including to obtain or attempt to obtain credit, goods, services, employment, or any other thing of value, or medical information. It is not a defence to the crime that the person did not know that the personal information belonged to another person.
Even though it does not recognise a constitutional right to privacy, Utah does recognise four common law invasion of privacy claims, which were established in the case of Cox v. Hatch, 761 P.2d 556, 563 (Utah 1988), including:
- intrusion upon solitude or seclusion;
- public disclosure of private facts;
- false light privacy; and
- appropriation of one's name or likeness.
Utah provides patients a general right of privacy and certain statutory rights of access to medical records maintained by healthcare providers. Under Utah Code Ann. §78B-5-618(1) et seq. of Utah's Judicial Code, a patient or patient's representative may inspect or receive a copy of the patient's records from a health care provider as defined by federal law when the provider is governed by the Health Insurance Portability and Accountability Act ('HIPAA') privacy regulations.
With respect to healthcare providers not governed by these provisions, access may only be limited by law or judicial order. Copies of records must be provided within 30 days of a request, consistent with the deadlines established under HIPAA's Privacy Rule, and a fee may be charged. Additional fees for locating the documents, reproduction charges, postage, and sales tax are permitted. Similar provisions apply to third-party contractors providing such records.
Under the Utah Communicable Disease Control Act, §26-6-1 et seq. of the Utah Code ('CDCA'), healthcare providers and facilities, nursing homes, laboratories, and other specified entities must report to the Department of Health or a local health department any person suffering from or suspected of having a communicable disease. Moreover, §26-6-27 of the CDCA provides that information on communicable or reportable diseases is strictly confidential and may not be released by the Department of Health or local health departments unless a specified exception applies.
However, §26-6-30(1) of the CDCA also provides that the confidentiality requirements outlined above do not apply to information relating to an individual who is in the custody of the Department of Corrections, a county jail, or the Division of Juvenile Justice Services, or to a person who has been in the custody of these entities if liability is alleged in a lawsuit concerning transmission of an infectious or communicable disease. A violation of the confidentiality provisions constitutes a class B misdemeanour.
Under the Psychologist Licensing Act, §58-61-602 of the Utah Code, which governs mental health providers and facilities, a licensed psychologist may not disclose confidential communication with a client or patient without the express consent of the client or patient, a parent or legal guardian of a minor patient, or an authorised agent of the client or patient. Certain disclosures permitted or required by state or federal law are excepted, as are disclosures made as part of an administrative, civil, or criminal proceeding under an exemption from evidentiary privilege and disclosures made under generally recognised professional or ethical standards. Identical requirements apply to licensed substance abuse counsellors and mental health therapists under the Mental Health Professional Practice Act, §58-60-101 et seq. of the Utah Code.
In addition, under Utah Admin. Code r. 590-206, the Privacy of Consumer Financial and Health Information Rule ('the Rule'), a licensee of the Utah Insurance Department is prohibited from disclosing nonpublic personal health information about a consumer or customer unless an authorisation is obtained from the consumer or customer. A valid authorisation can be in written or electronic form and must contain (Section 19 of the Rule):
- The identity of the consumer or customer who is the subject of the nonpublic personal health information;
- A general description of the types of nonpublic personal health information to be disclosed;
- General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure and how the information will be used;
- The signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed; and
- Notice of the length of time for which the authorisation is valid and that the consumer or customer may revoke the authorisation at any time and the procedure for making a revocation.
The authorisation remains valid for two years and a consumer is permitted to revoke the authorisation at any time, subject to their rights which must be stipulated in the aforementioned notice (Sections 17(2) and (3) of the Rule).
The Rule also creates certain privacy rights for non-public financial data. In particular, the Rule governs the treatment of non-public personal health and financial information about individuals by all licensees of the Utah Insurance Department (Section 2 of the Rule). Except as authorised by the sections outlined below, a licensee may not directly or through any affiliate disclose any non-public personal financial information about a consumer to a nonaffiliate third party unless (Section 12 of the Rule):
- The licensee has provided to the consumer an initial notice as required under Section 5 of the Rule;
- The licensee has provided to the consumer an opt-out notice as required in Section 8 of the Rule;
- The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliate third party, to opt-out of the disclosure; and
- The consumer does not opt-out.
Furthermore, the Rule requires that a licensee provide:
- a notice to individuals about its privacy policies and practice;
- a description of the conditions under which a licensee may disclose non-public personal health information and non-public personal financial information about individuals to affiliates and nonaffiliate third parties; and
- methods for individuals to prevent a licensee from disclosing that information.
The Rule applies to all non-public personal health information and non-public personal financial information about individuals who obtain, or are claimants or beneficiaries of, products or services from licensees primarily for personal, family, or household purposes. The Rule does not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes (Section 2(2) of the Rule).
All licensees subject to the Rule must provide a clear and conspicuous notice that accurately reflects their privacy policies and practices to customers and consumers (Section 5(1) of the Rule). A licensee is exempt from this requirement if it does not disclose any non-public personal financial information about the consumer to any nonaffiliate third party, other than as authorised by Sections 16 and 17, and does not have a customer relationship with the consumer. Additionally, a licensee is exempt when a notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom it applies and is accurate with respect to the licensee and the other institutions (Section 5(2) of the Rule). As a general rule, a customer relationship is established at the time the licensee and the consumer enter into a continuing relationship (Section (3) of the Rule).
The initial, annual and any subsequent revised privacy notice must include (Section 7 of the Rule):
- The categories of nonpublic personal financial information that the licensee collects;
- the categories of nonpublic personal financial information that the licensee discloses;
- The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under Sections 16 and 17;
- The categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers, other than those parties to whom the licensee discloses information under Sections 16 and 17;
- If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under Section 14, and no other exception in Sections 16 and 17 applies to that disclosure, a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
- An explanation of the consumer's right under Section 12(1) of the Rule (Utah Admin. Code r. 590-206-12(1)) to opt-out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
- Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt-out of disclosures of information among affiliates);
- The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
- Any disclosure that the licensee makes under Subsection 7(2) of the Rule.
Where a licensee is required to provide an opt-out notice, it must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt-out and states (Section 8 of the Rule):
- That the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;
- That the consumer has the right to opt-out of that disclosure; and
- A reasonable means by which the consumer may exercise the opt-out right.
Finally, failure of a licensee to observe the requirements of this rule will result in appropriate enforcement action by the Department which may include forfeiture, penalties, and revocation of license (Section 25 of the Rule).
Under the Genetic Testing Privacy Act, §26-45-103(2) et seq. of the Utah Code, employers may not, in connection with a hiring, promotion, retention, or other hiring decision, access or otherwise take into consideration private genetic information about an individual, request or require an individual to consent to a release for the purpose of acquiring genetic information about the individual, request or require an individual or blood relative to submit to a genetic test, or inquire into or otherwise take into consideration the fact that an individual or blood relative has taken or refused to take a genetic test.
For more information about online privacy rules in Utah please see section 2 above outlining the obligations for electronic communication services under EIDPA.
Under the Rule, a licensee is prohibited from disclosing, directly or through an affiliate, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer's policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer (Section 14(1) of the Rule). The exception to this rule applies when a licensee provides a notice in accordance with Section 5 and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in Sections 16 and 17 in the ordinary course of business to carry out those purposes (Section 15(1) of the Rule).
In addition, the Utah Child Protection Registry Act of 2005, §13-39-101 et seq. of the Utah Code ('the Child Protection Registry Act'), prohibits the sending of communications to a contact point that has been registered for more than 30 calendar days if the communication (Section 202 of the Child Protection Registry Act):
- has the primary purpose of advertising or promoting a product or service that a minor is prohibited by law from purchasing; or
- contains, or has the primary purpose of advertising or promoting, material that is harmful to minors, as defined by Section 1201 of Title 76, Chapter 10 of the Utah Code.
A contact point is defined as an electronic identification to which a communication may be sent, including email addresses, mobile or telephone numbers, facsimile numbers, or an electronic address (Section 102 of the Child Protection Registry Act). Subject to the above provisions, internet service providers may send a communication to a contact point if they receive prior consent from an adult who controls the contact point (Section 202(4)(a) of the Child Protection Registry Act). The person sending this communication must also verify the adult's age, obtain a written record indicating the adult's consent, include a notice outlining the right to opt-out, and notify the Attorney General's office of the communication (Section 202(4)(b) of the Child Protection Registry Act).
Furthermore, the Child Protection Registry Act establishes that companies and marketers that send adult-oriented content and messages must screen their mailing lists against the State of Utah's registry and remove registered addresses and numbers before sending their solicitations. Individuals can register using the State's registration form.
Please note that some provisions above may be preempted by the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003; for more information please see our USA – Emarketing Guidance Note.
In 2016, Utah enacted the Computer Abuse and Data Recovery Act, §63D-3-101 et seq. of the Utah Code ('CADRA'). CADRA's purpose is to safeguard businesses from the unauthorised use and/or access of computers, platforms, or data by establishing a civil remedy that provides monetary and injunctive relief against hackers or unauthorised persons. A person violates CADRA when he or she knowingly and with intent causes harm or damage by:
- obtaining information from a protected computer;
- causing the transmission of a program, code, or command to the protected computer; or
- trafficking in any technological access barrier that an unauthorised user could use to access the protected computer.
CADRA is notable for providing specific remedies. A person who brings a civil action against an individual for a violation of CADRA may:
- recover actual damages, including the person's lost profits, economic damages, and the reasonable cost of remediation efforts related to the violation;
- recover consequential damages, including for interruption of service;
- recover, from the individual, the individual's profit obtained through trafficking in anything obtained by the individual through the violation;
- obtain injunctive or other equitable relief to prevent a future violation; and
- recover anything the individual obtained through the violation.
As noted above in Section 2, Utah is also the first state to enact the EIDPA. This act prohibits law enforcement from obtaining personal electronic information from third parties without a warrant.
In addition, Utah is currently considering passing a law that would provide legal safe harbours to organisations with written cybersecurity programs. Under House Bill 158, referred to as the Cybersecurity Affirmative Defense Act ('the Proposed Act'), if at the time of a data breach a covered entity has created, maintained, and complied with a written cybersecurity program, it has an affirmative defence to a civil tort claim.
Under the Proposed Act, a 'data breach' would mean unauthorised access that compromises personal information and causes or may cause identity theft or other fraud to an individual or an individual's property. A covered entity would include: '[a] business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of this state.'
The Proposed Act would require that a covered entity's written cybersecurity program contain safeguards to protect personal information and that it be designed to:
- protect the security and confidentiality of personal information;
- protect against any anticipated threat or hazard to the security or integrity of personal information; and
- protect against a data breach of personal information.
The Proposed Act would also require that a covered entity's written cybersecurity program 'reasonably conform to an industry recognised cybersecurity framework.' It lists 'the framework for improving critical infrastructure developed by NIST' and the 'Center for Internet Security Critical Controls for Effective Cyber Defense,' among others.