§ 13–61–203. Controller’s response to requests

  1. Subject to the other provisions of this chapter, a controller shall comply with a consumer’s request under Section 13–61–202 to exercise a right.
  2. (a) Within 45 days after the day on which a controller receives a request to exercise a right, the controller shall:
    (i) take action on the consumer’s request; and
    (ii) inform the consumer of any action taken on the consumer’s request.

    (b) The controller may extend once the initial 45–day period by an additional 45 days if reasonably necessary due to the complexity of the request or the volume of the requests received by the controller.
    (c) If a controller extends the initial 45–day period, before the initial 45–day period expires, the controller shall:

    (i) inform the consumer of the extension, including the length of the extension; and
    (ii) provide the reasons the extension is reasonably necessary as described in Subsection (2)(b).

    (d) The 45–day period does not apply if the controller reasonably suspects the consumer’s request is fraudulent and the controller is not able to authenticate the request before the 45–day period expires.

  3. If, in accordance with this section, a controller chooses not to take action on a consumer’s request, the controller shall within 45 days after the day on which the controller receives the request, inform the consumer of the reasons for not taking action.
  4. (a) A controller may not charge a fee for information in response to a request, unless the request is the consumer’s second or subsequent request during the same 12–month period.
    (b)(i) Notwithstanding Subsection (4)(a), a controller may charge a reasonable fee to cover the administrative costs of complying with a request or refuse to act on a request, if:
    (A) the request is excessive, repetitive, technically infeasible, or manifestly unfounded;
    (B) the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or
    (C) the request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller’s business.
    (ii) A controller that charges a fee or refuses to act in accordance with this Subsection (4)(b) bears the burden of demonstrating the request satisfied one or more of the criteria described in Subsection (4)(b)(i).
  5. (5) If a controller is unable to authenticate a consumer request to exercise a right described in Section 13–61–201 using commercially reasonable efforts, the controller:
    (a) is not required to comply with the request; and
    (b) may request that the consumer provide additional information reasonably necessary to authenticate the request.