Hello U.S. Privacy Digest readers!
I say it about this time every summer, and it stands true once again … I can’t believe how quickly this season (my favorite) whizzes by. It’s these later weeks in July when I start rushing to fit it all in — mini-golf excursions, nighttime bonfires, relaxing summer reads, outdoor projects around the house — all of it.
The flurry of activity shouldn’t be a shock to my system, similar to our coverage of privacy happenings. This past week, Connecticut Gov. Ned Lamont signed a new cybersecurity law and California Attorney General Rob Bonta unveiled a new California Consumer Privacy Act reporting tool.
Also, the Uniform Law Commission completed its process of drafting the Uniform Personal Data Protection Act, designed for U.S. states to adopt as written or use as a model in creating legislation. The law, which would provide individuals with limited rights to access and correct personal data, applies to controllers and processors that conduct business in a state and maintain personal data of more than 50,000 residents during a calendar year or earn more than 50% of gross annual revenue from maintaining personal data. The act grants rulemaking authority to state attorneys general and does not include a private right of action.
“The Uniform Personal Data Protection Act provides a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes,” the ULC said.
The ULC’s Collection and Use of Personally Identifiable Data Committee Reporter Bill McGeveran previously told my colleague, IAPP Staff Writer Joe Duball, that the uniform law offers state legislatures an option while keeping them “in the driver’s seat.”
“This is an alternative where the legislature wouldn’t have to choose between moving away from uniformity or doing nothing,” he said. “It’s a third option of moving in this space to regulate, but doing it in a way that doesn’t break from uniformity.”
As states continue grappling with privacy legislation, it will be interesting to see whether the UPDPA is considered and potentially passed in future sessions, or if some states will use it as a starting point toward their own regulation. We often discuss a “patchwork” of privacy laws on the state legislative front and potential compliance issues this could raise down the road. Could the UPDPA provide a path for states to reach a consensus on effective, more uniform regulation?
We’ll be watching to find out.