In recent weeks, Connecticut passed a Data Privacy Breach Act (“the Act”) and the Uniform Law Commission approved and recommended the Uniform Personal Data Protection Act (“UPDPA”). With the growing patchwork of state data privacy laws continuing to pose compliance challenges – and the potential for federal data privacy legislation to be at the forefront of policy debates – the UPDPA can offer state lawmakers a path to a standardized statutory regime.
Connecticut: A Law Concerning Data Privacy Breaches
On July 16, 2021, Governor Lamont signed the Data Breach Act, which will come into force on October 1, 2021. As noted in the Attorney General’s press release, the law includes provisions on the notification of data breaches to the persons and regulatory authorities concerned and shortens the former notification period for data breaches to affected individuals and the Attorney General’s Office from 90 days to 60 days, which is consistent with recent amendments passed in other states.
In addition, the law expands the definition of personally identifiable information, the compromise of which would constitute a data breach, to include patient data and medical data, a general category of health-related information that is not limited to health information protected under HIPAA. The law’s definition of personally identifiable information also includes first name or first initial and last name in combination with, for example, a social security number, passport number or biometric information.
Uniform Personal Data Protection Act
On July 14, 2021, the Uniform Law Commission, a voluntary, nonprofit organization focused on uniformity of state laws, approved the Uniform Personal Data Protection Act. The UPDPA has not yet been adopted by any state, but states may choose to adopt some or all of its provisions over time. Unlike the California Consumer Privacy Act (CCPA), but consistent with the more recent Virginia Consumer Data Protection Act and Colorado Privacy Act, the UPDPA does not include a private right of action, leaving enforcement power to regulators. It remains to be seen whether the omission of a private right of action in the proposed Uniform Act signals a broader trend away from that controversial enforcement mechanism, intended to improve the likelihood that comprehensive privacy legislation becomes law.
The UPDPA applies to controllers and processors who do “business… or produce products or provide services deliberately intended for residents” and meet one of four thresholds: they retain the personal data of more than 50,000 data subjects; they derive more than 50% of their gross annual income in a calendar year from the retention of personal data; they act as a processor on behalf of a controller that the processor knows meets one of the two previous conditions; or they retain personal data, unless they process it solely through compatible data practices, as defined by the UPDPA.
The broad scope of “compatible data practices” under the UPDPA may require a wide range of companies to consider compliance requirements, including companies generally exempt from similar laws due to their size or revenue. The UPDPA defines a compatible data practice as one that “conforms to the ordinary expectations of data subjects or is likely to substantially benefit data subjects”. Certain factors are taken into account in determining whether a processing activity is a compatible data practice, including: the data subject’s relationship to the controller, the type of transaction in which the data was collected, the type and nature of the data, the risk of harm to the data subject from using or disclosing the data, the effectiveness of the data protection measures, and the extent to which the practice advances the data subject’s economic, health or other interests. Among the compatible data practices defined by the UPDPA are those that initiate a transaction with the consent of the data subject, meet an operational need, comply with legal obligations, create anonymized data sets, or are necessary to investigate fraud or malicious activity.
The scope of the UPDPA is similar to that of the CCPA, although unlike the CCPA, the UPDPA does not have a threshold based on gross income that triggers compliance requirements. Like the CCPA and the General Data Protection Regulation (“GDPR”), the UPDPA provides several rights for data subjects, although not all rights are the same. Specifically, the UPDPA provides data subjects with rights to: notice and transparency; access to and correction of personal data; protection from discrimination; and restrictions on data practices that are incompatible or prohibited by law.
The UPDPA does not include a definition of a “security breach” or data breach notification requirements to individuals or regulators. Therefore, even if the UPDPA is widely adopted, states will still vary in how their breach notification laws define a breach and in their notification requirements. In the UPDPA, personal data is defined as any data that includes a direct identifier or is pseudonymised data that can reasonably be linked to the identity of a data subject. The UPDPA also defines a separate category of “sensitive data” which includes racial origin, credit or debit card numbers, social security number, income and medical information. Like other comprehensive state privacy laws that have been passed thus far, there are notable exceptions for entities that comply with certain other privacy laws. Specifically, entities would be exempt from the UPDPA if they process personal data in accordance with one of six key industry privacy regimes: the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the Children’s Online Privacy Protection Act, and the Family Educational Rights and Privacy Act.