This summer, after two years of work on a model privacy law, the Uniform Law Commission (ULC) entered the privacy debate by passing the Uniform Law on the protection of personal data (the “Uniform Law”) by a 52-1 vote, with Maine casting the only dissenting vote. The Uniform Law takes a different approach to privacy protection than the existing legislation in California, Virginia, and Colorado. For example, although it recognizes the right of a data subject to obtain a copy of their personal data and to correct inaccurate data contained in it, there is no right to require a company to delete personal data. Some of the other unique features of the Uniform Act are as follows:
The Uniform Act approach creates three categories of data practice and regulates the use of personal data depending on the type of data practice involved.
- Compatible data practices: generally, practices that are (i) consistent with consumer expectations based on the particular transaction, or (ii) likely to benefit the consumer. In particular, the use of personal data for targeted advertising, and even its disclosure to a third party for that purpose if the data is pseudonymized, is considered a compatible data practice. A controller is free to use personal data for compatible data practices without obtaining the individual’s consent or providing a right to opt out of such use.
- Prohibited data practices: generally, practices that may cause substantial harm to the individual, including financial, physical or reputational harm, embarrassment or harassment. This category also includes the failure to provide reasonable data security measures, the use of incompatible data practices without the required consent, and the re-identification of pseudonymized or anonymized data, except in limited circumstances. As the name suggests, prohibited data practices are not permitted under any circumstances.
Scope of the law
Unlike most existing privacy laws, the application of the Uniform Act is not expressly limited to large entities: it applies, at least in part, to any person (defined broadly to include individuals and entities) that maintains personal data and conducts business in the state or purposefully provides services to its residents. To avoid excessive burdens on small businesses, however, the Uniform Law provides thresholds below which a person can avoid most of its restrictions. More specifically, the Uniform Act exempts persons who: (1) do not maintain more than [50,000] records concerning residents of the state; (2) earn more than  percent of gross annual income from maintaining personal data as a controller or processor; (3) act as a processor for a controller that the processor knows meets the thresholds in (1) or (2); or (4) maintain personal data, unless they process the data only through compatible data practices. Note that the record counts and income thresholds are in brackets, inviting states to adopt their own thresholds. A compatible data practice is defined as processing that meets the ordinary expectations of the data subjects or is likely to substantially benefit the data subjects, taking into account the factors the Act lists. Therefore, even persons exempted from the Uniform Act because they fall below the thresholds must limit their data processing activities to compatible data practices, or the entire Uniform Act applies.
Like other privacy laws, the Uniform Act covers a wide range of information within its definition of personal data. The definition includes any record (physical, electronic or otherwise) that identifies or describes a data subject by a direct identifier, as well as pseudonymized data, but not anonymized data. Anonymized data is personal data with no direct identifiers that offers reasonable assurance that the record cannot be linked to a data subject without personal knowledge of, or special access to, the data subject’s information. There are exemptions for certain data, such as publicly available information and information processed in the course of employment or a job application.
Requirements of the Uniform Act
The Uniform Act imposes requirements on controllers and processors. A controller is a person who determines the purposes and means of processing; a processor is a person who processes personal data on behalf of a controller.
The Uniform Act obliges processors to: (i) provide the controller with access to personal data; (ii) correct inaccuracies at the request of the controller; (iii) limit processing to the purpose requested by the controller; (iv) conduct and maintain privacy and security risk assessments; and (v) provide redress for incompatible or prohibited data practices.
Compliance with specified federal privacy laws, including the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act (among others), may be deemed compliance with the Uniform Law, but only with respect to the processing governed by those statutes. The Uniform Act therefore provides no general exemption for these regulated entities. For example, a bank that processes information in a way not covered by Gramm-Leach-Bliley would still be subject to, and would have to comply with, the Uniform Act for that processing.
The Uniform Act also allows compliance with (i) a comparable privacy law of another jurisdiction (such as the CCPA or the GDPR) or (ii) a voluntary consensus standard to be deemed sufficient for compliance with the Uniform Act. These routes to deemed compliance apply only if the state attorney general has determined that the comparable law is as protective as or more protective than the Uniform Act, or has specifically approved the voluntary consensus standard.
Enforcement, and in particular whether or not a private right of action was included, was probably the most contested provision in the development of the Uniform Act. The final uniform law attempts to sidestep the problem by providing for the application of the state’s existing consumer protection law. Some states have consumer protection laws that provide for a private cause of action and some do not. The Uniform Act also contains optional language that a state can use to prevent a private cause of action under the Uniform Act even if its consumer protection law provides for one. As a result, the struggle over whether or not to include a private cause of action will now shift to the various state legislatures that are considering enacting the Uniform Law.
The ULC intends the Uniform Data Protection Act to promote consistency by providing a template that states can use to enact their own privacy laws. The ULC plans to start promoting state adoption in January 2022, when many state legislatures begin their new sessions. It remains to be seen whether the ULC will succeed in getting the 47 states that currently lack comprehensive privacy legislation to adopt the Uniform Law, and to what extent its unique privacy concepts will influence future privacy legislation.