Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I ignore consumer requests for information or deletion in Utah? What are the requirements?

Consumer Requests for Information or Deletion in Utah

As a controller, you cannot ignore consumer requests for information or deletion in Utah. You must comply with the consumer rights outlined in [1.1].

Access and Deletion

A consumer has the right to confirm whether a controller is processing their personal data and to access their personal data. Additionally, a consumer has the right to delete their personal data that they provided to the controller [1.1].

Controller’s Response to Requests

Under UTCO 13-61-203, a controller must comply with a consumer’s request to exercise their rights within 45 days after the day on which the controller receives the request. The controller may extend once the initial 45-day period by an additional 45 days if reasonably necessary due to the complexity of the request or the volume of the requests received by the controller. If a controller chooses not to take action on a consumer’s request, the controller must inform the consumer of the reasons for not taking action within 45 days after the day on which the controller receives the request [1.2].

Fees

A controller may not charge a fee for information in response to a request, unless the request is the consumer’s second or subsequent request during the same 12-month period. A controller may charge a reasonable fee to cover the administrative costs of complying with a request or refuse to act on a request if the request is excessive, repetitive, technically infeasible, or manifestly unfounded. A controller that charges a fee or refuses to act in accordance with this rule bears the burden of demonstrating the request satisfied one or more of the criteria described in the rule [1.2].

Exceptions

There are exceptions to the notice and opt-out requirements for disclosure of nonpublic personal financial information [2.1]. However, these exceptions do not apply to personal data outside of the financial sector.

Requirements

If you are a licensee that collects nonpublic personal financial information, you must also comply with the requirements outlined in [2.1] and [2.3]. Additionally, if you receive nonpublic personal financial information from a nonaffiliated financial institution, your disclosure and use of that information is limited [2.4].

Consumer Privacy Restricted Account

The Consumer Privacy Restricted Account is created to fund investigation and administrative costs incurred by the division in investigating consumer complaints alleging violations of this chapter, recovery of costs and attorney fees accrued by the attorney general in enforcing this chapter, and providing consumer and business education regarding consumer rights under this chapter and compliance with the provisions of this chapter for controllers and processors [3.1].

Use of Personally Identifiable Information

Any personally identifiable information an individual provides to a State website shall be used solely by the State, its entities, and third party agents with whom it has contracted to perform a state function on its behalf, unless this rule is superseded by a federal statute, federal regulation, or State statute in which case the personally identifiable information shall be used by other parties only to the extent required by the superseding federal statute, federal regulation, or State Statute, or the information is designated as public record by an individual State agency as authorized under Title 63G, Chapter 2 of the Utah Code, Government Records Access and Management Act [4.1][5.1].

Source(s):
Jurisdiction

Utah