Uniform Law Commission Publishes Proposed Uniform Personal Data Protection Act

Written by: Brett Lawrence, Esq.

In July 2020, the Uniform Law Commission (“ULC”) voted to approve and recommend the proposed Uniform Personal Data Protection Act (“UPDPA”). Like the Uniform Commercial Code, the UPDPA is a model law designed as a cut-and-paste piece of legislation that states can tailor and subsequently adopt to their liking.

The ULC relied on the European Union’s General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), and the recent Virginia Consumer Data Protection Act (“VCDPA”), among other laws in drafting the UPDPA. After the UPDPA passes through some final amendments, it will be introduced to state legislatures by January 2022.  We highlight key areas of the UPDPA below:

A. Scope of the Law

UPDPA only applies to businesses that conduct business in the state, or produce products or provide services directed to residents in the state. Theses types of businesses are regulated only if one of the following categories are met:

1. 1. The business maintains personal data of more than [50,000]* residents, besides resident personal data maintained to complete a payment transaction;
   2. The business earns more than [50%]* gross annual revenue in a calendar year from maintaining resident personal data;
   3. The business is processing personal data on behalf of another business that meets either of the two categories above; or
   4. The business maintains personal data less than [50,000]* residents, unless it processes personal data solely using compatible data practices

Category 4 shows that even small businesses can be regulated, but they can be exempted from compliance if they use personal data only for “compatible purposes” (see below).

*The brackets indicate where states can decide their own thresholds for personal data maintenance and revenue percentages.

B. Personal Data Exempted

Like CCPA and VCDPA, UPDPA has an employee exemption. UPDPA does not apply to personal data “processed in the course of a data subject’s employment or application for employment.”

C. Categories of Data Practices

There are three (3) different categories of “data practices” that prescribe the rules for a business processing personal data. These distinctions are based on the likelihood of benefit or harm incurred on data subject resulting from a particular data practice.

1. 1. Compatible Data Practice: A business does not need to obtain consent from the data subject before processing.
   2. Incompatible Data Practice: A business must provide the data subject sufficient notice before processing and an opportunity to opt-out. But, if the personal data is “sensitive” personal data (e., ethnicity, religious beliefs, etc.), the business must receive affirmative, opt-in consent from the data subject.
   3. Prohibited Data Practice: A business cannot process any personal data if it is likely to cause the data subject specific and significant harm. Harm can come in various forms, such as financial harm, ridicule, or through some other physical or other intrusion highly offensive to a reasonable person.

D. Data Subject Rights

UPDPA provides much narrower data subject rights compared to GDPR and CCPA. UPDPA gives a data subject the limited right to access and correct their personal data. Notably, UPDPA does not give the data subject the right to delete their personal data or direct the transfer of their personal data to another business or entity.

E. Voluntary Consensus Standards

UPDPA stipulates that a business complies with its requirements if the business adopts and complies with a “voluntary consensus standard” addressing an applicable requirement (“VCS”). A VCS is a specific standard created by industry groups, consumers, and public interest groups that comply with UPDPA. This is a unique caveat to UPDPA because it allows business sectors to develop rules and procedures that are tailored to a particular industry but are still compliant with UPDPA. A VCS can only be created once the state Attorney General recognizes it and concludes that it does not contradict the UPDPA.

F. No Private Right of Action

UPDPA does not grant a private right of action. However, the ULC in its official comment left it to each state’s discretion if they want to include any consumer litigation rights.

G. Exemptions

Like CCPA and other state data breach notification laws, UPDPA exempts businesses who are already obligated to comply with the following laws:

1. 1. The Health Insurance Portability and Accountability Act (“HIPAA”);
   2. The Fair Credit Reporting Act (“FCRA”);
   3. The Gramm-Leach-Bliley Act (“GLBA”);
   4. The Drivers Privacy Protection Act (“DPPA”);
   5. The Family Education Rights and Privacy Act (“FERPA”); and
   6. The Children’s Online Privacy Protection Act (“COPPA”).

Click here to find the approved draft.