The New Proposed Uniform Personal Data Protection Act

Privacy Plus+

Privacy, Technology and Perspective

The New Proposed Uniform Personal Data Protection Act:  The Uniform Law Commission (“ULC”) has proposed a new uniform privacy act for states to consider. Called the Uniform Personal Data Protection Act (“UPDPA”), it establishes a framework for privacy protections at a state level.

Uniform Acts in General: Also known as the “National Conference of Commissioners on Uniform State Laws,” the ULC is a volunteer, not-for-profit body of about 300 judges, lawyers, and scholars who draft, study, and recommend acts from time to time in subject areas where states have primary concern, where the subject area often involves activities which cross state lines or take place in several states at once, and where uniformity of treatment among the states is therefore a principal objective. Good examples include the Uniform Commercial Code, uniform statutes on how to treat certain family-law matters, and the Uniform Trade Secrets Act. (For fun: do you know the difference between a proposed “Uniform Act” and a “Model Act”? “Uniform” acts are proposed where uniformity is a principal objective. In “Model” acts, uniformity would be nice but isn’t a principal objective.)

It is entirely up to each state whether to enact a proposed Uniform Act in its own state. So it is no surprise that the title “Uniform” is largely aspirational, and by the time many “Uniform” acts are finally enacted, they are anything but uniform. It may also take years for “Uniform” acts to make their way through state legislative processes, depending on how sensitive the issues are or how firmly existing practices are entrenched. The Uniform Trade Secrets Act has been proposed for decades, and though 49 states have ratified it, at last report New York State is still considering it.

Don’t Expect the UPDPA to be Enacted Easily, Much Less Quickly:  Privacy (or “Personal Data Protection”) has so many hot buttons that it’s very unlikely for the UPDPA to be enacted quickly, except perhaps in a few states.  (Remember that the World Wide Web Consortium, a standards-setting group, recently found itself so divided on an important definition that it tried to cut the knot according to which side could hum the loudest.)

But we do believe the UPDPA will advance the national conversation, by providing a neutral framework for discussion which doesn’t come with “red state” or “blue state” labels attached. 

Highlights of the UPDPA: 

Definitions.  The UPDPA mostly follows the now-familiar “controller, processor, data subject” format, with additional notes for “third-party controllers” (who are to cooperate with “collecting controllers,” which collect personal data from data subjects), and for “Sensitive” data (like race/ethnicity, gender, citizenship/immigration status, real-time geolocation, criminal record, or genetic sequencing information), which requires written opt-in consent to be processed in any “incompatible” way (see below).  It does not cover “publicly available” information, which (besides the obvious) includes information found on websites even with restricted access, if the information is available to a broad audience; and a belief that data is “publicly available” will be enough, if the information is of a type that is generally available to the public and the user has no reason to know it is not.

Scope.  The UPDPA applies to all private persons who conduct business or produce goods or services “purposefully directed” to residents of a state, so long as they are above a certain threshold: the UPDPA suggests 50,000 data subjects, not including persons whose data is processed “solely in order to complete a payment transaction.”  The UPDPA also does not extend to personal data of employees or applicants.

Rights of Data Subjects.

  • Notice and Transparency:  Privacy policies must be “reasonably” clear and accessible.

  • Access to (and Correction of) Personal Data:  Controllers must establish procedures for authentication and access, and respond to requests within either a reasonable time or 45 days – the UPDPA leaves that choice to the states.  Controllers must also provide annual statements of what data they collect and process, and make reasonable efforts to get Third-Party Controllers to do the same.

  • Discrimination is prohibited.

  • Controllers must also “provide redress” for Incompatible or Prohibited data uses.

  • Processors must provide personal data to Controllers upon request at no cost to the Controllers, use the personal data only for the specified purposes, and “provide redress” for improper processing they knowingly perform or allow others to perform.

Compatible, Incompatible, and Prohibited Data Uses.  The UPDPA introduces these concepts:

  • “Compatible” uses are consistent with the ordinary expectations of the data subject or will benefit the data subject.

    • A Controller may use personal data to deliver targeted ads to a data subject, though it cannot use it to offer terms which are different from those offered to data subjects generally.

  • “Incompatible” uses are everything else, including acts which violate a privacy policy.  But there are twists:  NON-Sensitive Data may be used for other than “compatible” uses IF, at the time it is collected, the data subject is given notice and an opportunity to opt out.  Use of Sensitive Data for anything except a Compatible Use, however, requires written OPT-IN.  A Controller may require consent as a condition for access to goods or services and may offer rewards or discounts in exchange.

  • “Prohibited” uses are those which:

    • subject a data subject to a “specific and significant risk” of harm, embarrassment, or intrusion which a reasonable person would find highly offensive,

    • result in identity theft or violation of law,

    • fail to provide reasonable data security,

    • result in Incompatible uses without consent, or

    • result in re-identifying personal data inappropriately.

Security Assessments (taking into account the size, scope, and type of business and the resources available to the controllers and processors) are expressly required.  Records must be kept, and the assessments updated as conditions change.  Everything except the fact that an assessment has been made, the records analyzed, and the date of the assessment will be confidential and not subject to civil discovery.

Compliance with Other States’ Laws.  Compliance with another state’s law is sufficient if the Attorney General determines that it provides for equal or stricter data protection. The AG may charge for its cost in making this determination.  In particular industry segments, compliance with other federal law (Gramm-Leach-Bliley, etc.) is also sufficient. 

Voluntary Consensus Standards.  With the AG’s approval, industries may comply with the UPDPA by adopting and adhering to standards of practice that are workable within their industries. These must at least have been reached by a wide and diverse range of stakeholders, be fairly considered with reasonable responses to concerns which are raised, and provide:

  • Compatible data practices;

  • Procedures for consent to Incompatible uses;

  • Common data-subject access and response procedures;

  • Privacy-notice formats; and

  • Reasonable security standards.

Enforcement and Remedies.  The AG may adopt rules and enforce the UPDPA, but the UPDPA does not take a position on the crucial question of whether there should be a private cause of action.  The draft explicitly ties enforcement and remedies to the state’s consumer protection act, but also provides explicit language that a “private cause of action is not authorized despite [the section tying enforcement and remedies to the state’s consumer protection act].”

You may read the text of the UPDPA by clicking on the following link:    

https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=009e3927-eafa-3851-1c02-3a05f5891947&forceDialog=0

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
