As data breaches become more common, increased public attention on privacy has led to a flurry of state-level activity on the issue. With a federal privacy bill languishing in Congress, the states have taken the lead. California, Colorado, and Virginia have all passed comprehensive privacy laws in the past three years. In 2021, an additional twenty-one states considered a comprehensive privacy bill.
Considering the serious risk of fragmentation that could arise from dozens of distinct privacy statutes, the Uniform Law Commission has proposed a model bill – the Uniform Personal Data Protection Act (“UPDPA”). The Uniform Law Commission’s model bills, such as the Uniform Commercial Code, are often influential in the development of state laws. The UPDPA will be available for states’ 2022 legislative sessions, with a bill having already been introduced in the District of Columbia.
If adopted, the UPDPA offers a more business-friendly framework than many of the existing and proposed state privacy laws.
The UPDPA provides an alternative regime to existing U.S. privacy regulations; according to the Uniform Law Commission, the model law “provides a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.” It focuses on data processing that can be connected to persons, whether direct or pseudonymized. The proposal is narrower than other regimes – it applies only when a business “maintains” data as a part of a “system of records” for the purpose of individualized communication or decisional treatment, excluding one-time data transactions or unstructured information. Further, the UPDPA exempts smaller businesses so long as they use only compatible data practices.
Data is categorized, based on listed factors, as either compatible, incompatible, or prohibited. Compatible practices are generally permissible without consent, while incompatible practices need varying degrees of consent based on the whether the data is sensitive or not. Prohibited data practices are impermissible. Certain data, like public records or employment processing, are exempt from the law.
The model bill vests state Attorneys General with rulemaking and enforcement authority, and expressly precludes a private right of action. Attorneys General can also adopt private industry-oriented standards (“Voluntary Consensus Standards”) for any provision of UPDPA (identifying what constitutes compatible data practice, how entities can obtain consent, etc.)
A key feature of the law is its approach to how data controllers direct the use of personal data. These practices are classified based on a set of factors.
“Compatible data practices” are permissible without the consent of the user. The relevant factors for determining whether processing is a compatible data practice are: the individual’s relationship with the controller, the type of transaction, the type of personal data, the risk posed to an individual, the effectiveness of safeguards against unauthorized use or disclosure, and the extent to which the practice advances the individual’s interests. Certain practices are per se compatible: practices with the individual’s knowledge or participation, practices necessary to meet the controller’s legal obligations, processes to create pseudonymized data, general research to develop a product, and purely expressive targeted advertising.
“Incompatible data practices” are permissible only with the user’s consent. For non-sensitive data, notice and an opportunity to opt-out is sufficient. For sensitive data, users must opt in. Sensitive data includes government identification numbers, real time geolocation, financial account numbers, race, sex, gender, religious belief, citizenship, medical diagnosis, and information about children under thirteen. Examples of incompatible data practices include using data for differential treatment of individuals, selling personally identifiable data for marketing, or sharing personal data for unrestricted purposes.
“Prohibited data practices” are those that pose a substantial risk of harming the data subjects, including processing that would likely cause financial, physical, or reputational harm; result in identity theft; constitute a violation of law; or a failure to provide reasonable data security measures.
Comparison with Other Privacy Laws
|Uniform Personal Data Protection Act (“UPDPA”)||California Consumer Privacy Act (“CCPA”)||California Privacy Rights Act (“CPRA”) ||Colorado Privacy Act (“CPA”)||Virginia Consumer Data Protection Act (“VCDPA”)|
|Private Right of Action||No||Yes, but limited.||Yes, but limited.||No||No|
|Prohibition on Discrimination||Yes||No||Yes||Yes||Yes|
|Opt-in required for individuals under age||13||16||16||N/A. Opt-in required for all sensitive data||13|
|User Right to Access & Rectify Data||Yes||Yes to Access. No to Rectify.||Yes||Yes||Yes|
|User Right of Deletion||No||Yes||Yes||Yes||Yes|
|User Right of Portability||No||Yes||Yes||Yes||Yes|
|Penalties||As provided in relevant state consumer protection law||$2,500 per violation; $7,500 per intentional violation||$2,500 per violation; $7,500 per intentional violation||$20,000 per violation||$7,500 per violation|
The future of the UPDPA is uncertain, especially given that some privacy advocates view the consumer protections as too weak, but the Uniform Law Commission’s credibility means that it might be adopted by various state legislators looking for an alternative privacy regime. The model law’s flexibility, broad exemptions, and permissibility standards could make it an appealing alternative for states and businesses looking for a lighter touch—and greater likelihood of compliance—while still providing some protections for consumers.
 Information about the state privacy laws described in this table is made available by the International Association of Privacy Professionals. See https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
 The CPRA has amended the CCPA. The CPRA goes into effect on January 1, 2023.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.