Uniform Law Commission Approves Template for State Privacy Laws

Breach NotificationCCPAComplianceConsumer PrivacyData PrivacyData ProtectionGovernancePrivacyUS Data Privacy Legislation
Written By Jason Shoup

Last month, the Uniform Law Commission (ULC), a nonpartisan coalition of U.S. legal professionals, released a framework from which states can design privacy laws.

The framework, called the Uniform Personal Data Protection Act (UPDPA), has been in development since 2019, and governs how organizations handle U.S. citizens’ sensitive personal data. The framework, or model bill, is not as comprehensive as many existing privacy laws, such as the California Privacy Rights Act (CPRA), which mandates a host of privacy rights outlined here. Lacking from the UPDPA, for example, is the right to delete data, which is a standard right across most privacy laws, including CCPA, and laws introduced or passed in Ohio, Colorado, and Pennsylvania. UPDPA also does not grant the right to portability; organizations would not be required to provide consumers their data in a transmissible format. Data portability is also a right granted by many other state privacy laws.

Predictably, UPDPA also does not include a private right of action, which has been a contentious sticking point for many state privacy bills. Several bills, including in Florida and Washington, have not passed due to the inclusion of a private right of action–or lack thereof.

The UPDPA would apply to data processors in possession of personal data belonging to 50,000 or more state residents, earns more than half of its annual revenue from processing personal data, or processes data on behalf of a data controller (this would include vendors). Personal data, as defined by UPDPA, includes pseudonymized data and data that is directly identifiable, but does not include de-identified data. Sensitive data is defined as a separate category from personal data, and includes “geolocation in real time, diagnosis or treatment for a disease or health condition, and genetic sequencing information, among other categories of data,” according to reporting by JD Supra.

UPDPA will be provided to state legislatures in January 2022, following an amendment process. Though the bill could allow for more uniform state privacy laws, it’s arguably less effective than vanguard bills like CCPA. Precedent shows that bills with less teeth struggle to become law, and it’s unclear whether UPDPA will shift that paradigm.

To learn more about how Data Privacy and Protection Specialists can incorporate and prepare for UPDPA, click here.

Jason Shoup
Previous

Infrastructure Bill Allocates Nearly $2 Billion to Cybersecurity
Next

Deleting Data: A Guide