Section 13-61-303 - Processing deidentified data or pseudonymous data(1) The provisions of this chapter do not require a controller or processor to: (a) reidentify deidentified data or pseudonymous data;(b) maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or(c) comply with an authenticated consumer request to exercise a right described in Subsections 13-61-202(1) through (3), if:(i)(A) the controller is not reasonably capable of associating the request with the personal data; or(B) it would be unreasonably burdensome for the controller to associate the request with the personal data;(ii) the controller does not: (A) use the personal data to recognize or respond to the consumer who is the subject of the personal data; or(B) associate the personal data with other personal data about the consumer; and(iii) the controller does not sell or otherwise disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.(2) The rights described in Subsections 13-61-201(1) through (3) do not apply to pseudonymous data if a controller demonstrates that any information necessary to identify a consumer is kept: (b) subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or an identifiable individual.(3) A controller who uses pseudonymous data or deidentified data shall take reasonable steps to ensure the controller: (a) complies with any contractual obligations to which the pseudonymous data or deidentified data are subject; and(b) promptly addresses any breach of a contractual obligation described in Subsection (3)(a).Added by Chapter 462, 2022 General Session ,§ 10, eff. 12/31/2023.