There were steps taken in 2021 toward the ominous "patchwork" of U.S. state privacy laws, but the full concept has yet to be realized. While many believe federal privacy legislation will be the saving grace to stave off a patchwork, the Uniform Law Commission has settled on a potential game-changing alternative.
The ULC, made up of qualified law practitioners from across the U.S., finalized its Uniform Personal Data Protection Act at its annual meeting in July following a two-year drafting process. The bill was approved 52-1 among ULC members and is now available for state legislatures to take up and consider.
The aim with the UPDPA or any of the ULC's statutes is to have widespread adoption among states to create uniformity and a de facto national standard. While the initiative is well-intentioned, there will not be complete uniformity due to existing privacy laws in California, Colorado and Virginia, but also with other states poised to try and pass their own comprehensive privacy laws following near-success during 2021 legislative sessions.
Despite those potential departures from uniformity, UPDPA Committee Chairman Harvey Perlman doesn't want state lawmakers to shy away under the assumption of an unavoidable patchwork.
"I'm hopeful states and businesses will see that we said if there's another statute out there providing equal protection and you comply with that then you're in compliance with us," Perlman said. "What we didn't want is for companies to have multiple compliance regimes. So if they were to comply with California, they wouldn't have to do anything additional for the states adopting our act."
The claims to equal protections and aligned provisions between UPDPA and other state privacy laws has raised eyebrows among a range of stakeholders in the privacy space. An initial point of contention is the business-friendly nature of the framework. Perlman admitted promoting widespread compliance was a top priority.
"Between the first and second draft we took a very different tact," Perlman said. "We thought if one could lower the compliance costs then there could be more compliance and, in a way, expand the act to a broader segment of the business community without incurring too much objection and therefore provide consumers with, in total, more protection."
The law does have broad coverage, applying to all entities collecting personal data on 50,000 data subjects in a given state or those earning more than 50% gross revenue as a controller or processor. Perlman added there are no business exceptions within the law.
Balancing compliance and consumer protection has been no small task for legislators working on state privacy bills in recent years. Though some state lawmakers might appreciate how the UPDPA could improve overall conformity, others argue it leaves constituents behind. The ULC's law only contains a right to copy or correct data, which vastly differs from the array of data subject rights found in existing state laws.
"There appears to be nothing else substantive in this bill besides an obligation for the data company to provide a voluntary consent standard," State Rep. Collin Walke, D-Okla., said. Walke was a co-sponsor for House Bill 1602, the Computer Data Privacy Act, which passed the Oklahoma House 85-11 in March before lobbyists killed the bill in the Senate before the end of the session. "Essentially those in control of the data get to decide what their policies and procedures are going to be. So this law is empty because it's saying you have to come up with something to address privacy, but we're not telling you exactly what it is."
Privacy advocates also question whether the UPDPA offers consumers sufficient protections for and rights over their data. Consumer Reports Policy Analyst Maureen Mahoney said her group doesn't support the framework as it "misses the mark" and further noted that "pursuing it may be worse than doing nothing at all."
"The provisions are so vague that the law ends up giving companies too much flexibility on whether or not to extend protections to consumers," Mahoney said. "I couldn't imagine a consumer going to the attorney general, flagging this behavior and having a company be held accountable. I'm sure you could find some kind of justification in here with how vague it is."
From a compliance standpoint, stakeholders also question whether some of the divergences in definitions, terminology and concepts in the ULC's approach may be too confusing. In particular, UPDPA's provisions for collecting controllers and third-party controllers along with compatible practices versus incompatible practices has generated debate. They aren't outlandish concepts, but they aren't common for what's been written into existing laws and recent bills.
"The two controllers is something we saw and had to stop and say, 'Wait, what the heck?'" Innovators Network Foundation Privacy Fellowship Coordinator Matt Schwartz said. Schwartz's group works in connection with the App Association. "If the controller is the person that dictates the means for processing, how can you have two people doing that? You can only have one. It was internally logical once we got through it, but it's definitely going to be confusing for businesses and cause a few headaches."
Perlman acknowledged the potential stumbling block in comprehending the existence of two controllers, but defended the differentiation and how it was required for clarity and transparency.
"There are some people that collect directly from consumers and others that go from collector to collector," Perlman said. "If a consumer wants to go seek access to their information, they're not going to know about third-party controllers. They gave their data to the local supermarket and didn't know somebody else got it. I just don't think both controllers should have the same obligations."
The dual controller concept might be unfamiliar in U.S.-focused privacy circles, but the global privacy community has seen this before, according to Fox Rothschild Partner Odia Kagan, CIPP/E, CIPP/US, CIPM, FIP.
"It's unnecessary and the terminology is obviously different, but I wouldn't say really confusing," Kagan said. "This is really similar to Article 26 of the (EU General Data Protection Regulation), which discusses joint controllership. When you have joint controllers, they are doing things together. Usually one takes the lead, but they have to coordinate and make sure data subjects get their rights and know who to turn to."
Kagan didn't explicitly take a position on UPDPA, noting some areas of intrigue and pointing to the same pitfalls others have recognized. However, she did conclude the ULC's initiative does have value for the bigger picture on federal privacy legislation.
"This looks different, but what is the practical difference between compliance with this versus U.S. laws and (the GDPR)?" Kagan said. "This piece is more in line with the GDPR. So an angle to look at here is that the point of this approach is to have a uniform standard in the U.S. If we're going to do that, then a standard that brings us closer to the GDPR may have its advantages in the sense of adequacy, making life simpler for companies to comply."
State lawmakers' alternative to running UPDPA is to continue piecemealing provisions from bills that have or have not crossed the finish line in other states. Perlman indicated at least one state legislator who proposed a privacy bill in 2021 connected with him about potentially running UPDPA over the failed bill in 2022.
"The question those folks that are concerned about this are going to have to ask is whether they want 50 new divergences or whether they're comfortable with 47 that are the exact same through our act with three slightly different," Perlman said.
A couple other states have shown interest in UPDPA, but Perlman did not disclose those that have checked in. Schwartz envisions interested parties are those that might be new to the privacy scene.
"This seems like something that states with a little interest and not fully looking to start from scratch might pick up. Maybe in a weird way that will put pressure on the federal government if a few of these less-involved states do end up taking this up and passing it," Schwartz said.
Walke expects inevitable consideration for UPDPA by some state legislatures, however, he doesn't expect it to be a huge talking point for him and fellow state lawmakers when they convene for the National Conference of State Legislature's Privacy Summit Sept. 22 to 24 in Alexandria, Virginia. Walke said he and a majority of the lawmakers that will be in attendance are talking about the same terms and provisions for their bills, which means filing the UPDPA framework may stem from different motivations.
"This model legislation is so business-friendly that it might very well be the case that a state puts the feelers out and runs this as a flagpole. And what business isn't going to say yes to something that doesn't have teeth in it," Walke said. "As far as getting campaign talking points about getting data privacy to pass, this bill might not be a bad way to go and get done pretty easily. But that doesn't mean you've done anything for your constituents."
The UPDPA's framework is intended to be taken up as is, meaning it can't be built upon or altered by legislatures or it loses its uniformity. On the possibility of piecemealing from UPDPA, Mahoney wasn't certain if its provisions could be copied and pasted like provisions from other bills.
"The way it's set up, it's all kind of of interconnected," Mahoney said. "It would be hard to take a piece out. I think our approach would simply be more specific about what companies need to do and appropriate enforcement to back it up rather than an extremely flexible model that doesn't provide clear guidance."
Photo by John-Mark Smith on Unsplash