Can I use customer data for marketing purposes without violating privacy laws in Utah? What are the requirements?
Using Customer Data for Marketing Purposes in Utah
In Utah, the privacy laws require controllers to provide consumers with a reasonably accessible and clear privacy notice that includes the categories of personal data processed by the controller, the purposes for which the categories of personal data are processed, and how consumers may exercise their rights [4.1].
Requirements for Using Customer Data for Marketing Purposes
To use customer data for marketing purposes in Utah, the following requirements must be met:
- Provide a clear and accessible privacy notice that includes the categories of personal data processed, the purposes for which the data is processed, and how consumers may exercise their rights [4.1].
- Obtain informed, affirmed consent from the consumer before processing sensitive data [4.1].
- Do not discriminate against a consumer for exercising their rights [4.1].
- Use reasonable administrative, technical, and physical data security practices to protect the confidentiality and integrity of personal data [4.1].
Exceptions to Consent Requirement
There are some exceptions to the consent requirement for processing customer data. For example, a controller may use pseudonymous data or deidentified data without obtaining consent if the controller demonstrates that any information necessary to identify a consumer is kept separately and subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or an identifiable individual [4.2].
Additional Requirements for Genetic Data
If you are a direct-to-consumer genetic testing company, you must provide essential information about the company’s collection, use, and disclosure of genetic data, and a prominent, publicly available privacy notice that includes information about the company’s data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices. You must obtain a consumer’s initial express consent for collection, use, or disclosure of the consumer’s genetic data that clearly describes the company’s use of the genetic data that the company collects through the company’s genetic testing product or service, specifies who has access to test results, and specifies how the company may share the genetic data. If you engage in marketing to a consumer based on the consumer’s genetic data, you must obtain express consent from the consumer [2.1].
Additional Requirements for Student Data
If you are an education entity, you must use reasonable data industry best practices to maintain and protect stored student data, and provide a student data collection notice and obtain written consent before collecting student data [1.2][1.3].
Conclusion
In summary, to use customer data for marketing purposes in Utah, controllers must provide a clear and accessible privacy notice, obtain informed, affirmed consent for processing sensitive data, not discriminate against consumers for exercising their rights, and use reasonable data security practices. There are exceptions to the consent requirement for pseudonymous or deidentified data. If you are a direct-to-consumer genetic testing company, you must also comply with additional requirements for genetic data. If you are an education entity, you must also comply with additional requirements for student data.
Source(s):
- [2.1] Consumer genetic information – Privacy notice – Consent – Access – Deletion – Destruction. (Effective 5/5/2021)
- [4.1] Responsibilities of controllers – Transparency – Purpose specification and data minimization – Consent for secondary use – Security – Nondiscrimination – Nonretaliation – Nonwaiver of consumer rights. (Effective 12/31/2023)
- [1.2] Securing and cataloguing student data. (Effective 5/12/2020)
- [4.2] Processing deidentified data or pseudonymous data. (Effective 12/31/2023)
- [1.3] Collecting student data – Prohibition – Student data collection notice – Written consent. (Effective 9/1/2021)
Jurisdiction
Utah