As data breaches become more common, the heightened public focus on privacy has led to a flurry of state-level activity on the issue. With a federal privacy bill languishing in Congress, states have taken the lead. California, Colorado and Virginia have all passed comprehensive privacy laws in the past three years. In 2021, twenty-one additional states have considered a comprehensive privacy bill.
Considering the serious risk of fragmentation that could arise from dozens of separate privacy laws, the Uniform Laws Commission proposed a model bill – the Uniform Personal Data Protection Act (“UPDPA”). Uniform Law Commission model bills, such as the Uniform Commercial Code, often influence the development of state laws. The UPDPA will be available for the 2022 state legislative sessions, with a Invoice having already been introduced into the District of Columbia.
If passed, the UPDPA provides a more business-friendly framework than most existing and proposed national privacy laws.
The UPDPA provides an alternative regime to existing US privacy regulations; according to the Uniform Law Commission, the model law “provides a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.” It focuses on the processing of data that can be linked to people, whether direct or pseudonymised. The proposal is narrower than other regimes – it only applies where a company “retains” data under a “system of records” for the purposes of individualized communication or decision-making, exclusion of ad hoc data transactions or unstructured information. Additionally, the UPDPA exempts small businesses as long as they use only compatible data practices.
Data is classified, based on the listed factors, as compatible, incompatible, or prohibited. Compatible practices are generally permitted without consent, while incompatible practices require varying degrees of consent depending on whether the data is sensitive or not. Prohibited data practices are impermissible. Certain data, such as public records or employment processing, are exempt from the law.
The model bill gives state attorneys general the power to make and enforce rules and expressly excludes a private right of action. Attorneys General may also adopt industry-driven private standards (“voluntary consensus standards”) for any provision of the UPDPA (identifying what constitutes a compatible data practice, how entities can obtain consent, etc. )
A key feature of the law is its approach to how data controllers direct the use of personal data. These practices are classified according to a set of factors.
“Compatible data practices” are permitted without user consent. Factors relevant to determining whether the Processing is a Compatible Data Practice are: the relationship of the individual to the controller, the type of transaction, the type of personal data, the risk posed to an individual, the effectiveness of the safeguards against unauthorized use or disclosure, and the extent to which the practice serves the interests of the individual. Some practices are in itself compatible: practices with the individual’s knowledge or involvement, practices necessary to meet the controller’s legal obligations, processes to create pseudonymised data, general research to develop a product, and purely expressive targeted advertising.
“Incompatible data practices” are only permitted with user consent. For non-sensitive data, a notice and a possibility of refusal are sufficient. For sensitive data, users must register. Sensitive data includes government identification numbers, real-time geolocation, financial account numbers, race, gender, gender, religious beliefs, citizenship, medical diagnosis and child information. under thirteen. Examples of incompatible data practices include using data for differential treatment of individuals, selling personally identifiable data for marketing purposes, or sharing personal data for unlimited purposes.
“Prohibited data practices” are those that present a substantial risk of harm to data subjects, including processing that may cause financial, physical or reputational harm; result in identity theft; constitute a violation of the law; or failure to provide reasonable data security measures.
Comparison with other privacy laws
|Uniform Personal Data Protection Act (“UPDPA”)||California Consumer Privacy Act (“CCPA”)||California Privacy Rights Act (“CPRA”) ||Colorado Privacy Act (“CPO”)||Virginia Consumer Data Protection Act (“VCDPA”)|
|Private right of action||No||Yes, but limited.||Yes, but limited.||No||No|
|Prohibition of discrimination||Yes||No||Yes||Yes||Yes|
|Opt-in required for minors||13||16||16||N/A. Opt-in required for all sensitive data||13|
|Right of access and rectification of user data||Yes||Yes to access. Not to be corrected.||Yes||Yes||Yes|
|User’s right to delete||No||Yes||Yes||Yes||Yes|
|User portability right||No||Yes||Yes||Yes||Yes|
|Penalties||As provided in the applicable state’s consumer protection law||$2,500 per offence; $7,500 per intentional violation||$2,500 per offence; $7,500 per intentional violation||$20,000 per offense||$7,500 per offense|
The UPDPA’s future is uncertain, especially since some privacy advocates see consumer protections as too weak, but the Uniform Law Commission’s credibility means it could be passed by various lawmakers across the country. State seeking an alternative confidentiality regime. The model law’s flexibility, broad exemptions, and eligibility standards could make it an attractive alternative for states and businesses looking for a lighter touch and greater likelihood of compliance, while offering certain consumer protections.
 Information about national privacy laws described in this table is made available by the International Association of Privacy Professionals. See https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
 CPRA has amended the CCPA. The CPRA comes into force on January 1, 2023.