Understanding the ULC's Model Privacy Law

Troutman Pepper

In July 2021, the Uniform Law Commission (ULC) approved the final version of the Uniform Personal Data Protection Act (UPDPA). The ULC took a novel approach when drafting this model act, which it claims has "elements that make [the UPDPA] more practical, more flexible, and less costly than other models of state privacy legislation."

At this point, it remains unclear whether the UPDPA's novel approach struck the balance needed to gain traction at the state level. To date, UPDPA-based legislation has been introduced in Nebraska, Oklahoma, and Washington, D.C. Rather than following this model law, many states have focused their efforts on legislation modeled after either the Virginia Consumer Data Protection Act (VCDPA) or the California Consumer Privacy Act (CCPA). Perhaps the most noteworthy early takeaway is the extent to which the UPDPA deliberately departs from these existing regimes.

This article provides an overview of this new framework and provides context for how it differs from privacy regimes already in use.

The Compatibility Framework

Under the UPDPA, the "data practice category" determines the permissibility and restrictions applicable to a data processing activity. The UPDPA separates data practices into three categories: compatible, prohibited, and incompatible.

Controllers may engage in "compatible data practices" without consent regardless of the data's sensitivity. Compatible data practices include data processing activities that are "consistent with the ordinary expectations of data subjects or are likely to benefit data subjects substantially."

The UPDPA provides six factors that may be considered when determining whether a processing activity constitutes a compatible data practice, as well as 10 examples of data processing activities that are considered "per se compatible," such as processing required under legal requirements, and processing to effectuate a transaction. Notably, in what seems to be an effort not to disrupt the data-driven economy, the disclosure of pseudonymized data, like a device identifier, to a third-party for targeted advertising is per se compatible.

Conversely, controllers are barred from engaging in "prohibited data practices." Under the UPDPA, prohibited practices include those that are likely to lead to various forms of financial, physical, reputational, or emotional harm. Prohibited practices extend to those that may constitute a "highly offensive" intrusion on solitude or seclusion. The UPDPA explicitly states that processing in the absence of reasonable data security measures is a prohibited data practice. Processing activities not described in a controller's privacy policy fall into a separate category: they are deemed incompatible, not prohibited, data practices, as discussed below.

The UPDPA treats as "incompatible data practices" all data practices that are neither compatible nor prohibited. Controllers engaging in an incompatible data practice involving non-sensitive data must provide consumers notice and the opportunity to opt out. For sensitive data, express written consent is required.

Whether a data processing activity is compatible, incompatible, or prohibited depends on the circumstances surrounding its processing. For example, suppose that a business's mobile application collects personal data for fraud detection purposes, but the business's privacy policy does not discuss this processing purpose. While processing for purposes of fraud detection would typically constitute a compatible data practice, its omission from the business's privacy policy makes this processing activity incompatible.

Privacy Policy Requirements

While the UPDPA follows the lead of other state privacy laws that require businesses to publish privacy policies, the requirements for these policies differ to such an extent that businesses will likely need to draft new versions of these documents. For instance, under the UPDPA privacy policies must explain how a controller's data processing activities align with the data practice categories described above. This potentially burdensome drafting task is mitigated in part by the substituted compliance features described below.

Data Subject Rights

The UPDPA provides data subjects with access and correction rights; however, these rights apply only against the controller that originally collected the data, not against controllers that later received it. The ULC has noted that this decision was based on the difficulty non-collecting controllers would face in verifying the authenticity of such requests.

Notably, the UPDPA does not provide consumers with a right to request the deletion of their information. In the annotated version of the UPDPA, the ULC notes the difficulties associated with carrying out deletion requests and states that the aforementioned compatibility framework provides "sufficient protection." The omission was also likely driven by the ULC's desire to avoid significant disruptions to the data-driven economy. It is a departure from nearly every U.S. and international privacy regime and has been a major focus of the model law's critics.

Substituted Compliance

The UPDPA permits the attorney general to offer substituted compliance to covered entities that comply with a privacy law from another jurisdiction that "is equally or more protective of personal data." In practice, this means that an entity subject to the CCPA could comply with the UPDPA by implementing its CCPA policies and procedures in the UPDPA-governed jurisdiction. This provision is intended to significantly reduce compliance costs for businesses that operate in multiple jurisdictions.

Enforcement

The UPDPA is primarily enforced by state attorneys general, under the authority and penalties set out in existing state-level consumer protection laws. The ULC did not decide whether the private rights of action provided under some state consumer protection laws should extend to the UPDPA, leaving that question to each enacting state; it has been a significant topic of debate in states such as Florida and Washington.

Conclusion

It is too early to know whether the UPDPA's novel approach will gain traction in states beyond the early adopters that have introduced legislation based on the model law. As more states enact privacy laws, it will be worth watching whether they follow a framework that departs so significantly from previous ones.

As published in Bloomberg Law in April 2022. Reprinted here with permission.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
