The uniform law on the protection of personal data: a new approach to framing | Man’s pepper with trout


Last July, the Uniform Law Commission (ULC) approved a final project of the uniform law on the protection of personal data (UPDPA). The ULC is a non-partisan group that drafts model laws with the aim of being widely adopted by the state. A notable example is the Uniform Commercial Code (UCC), which has been adopted to some extent by all 50 states.

The final version of the UPDPA departs significantly from existing state privacy laws. One of the most notable aspects of the UPDPA is its new approach to reach. Understanding the UPDPA’s scope requirements is vitally important, as they determine to what extent this law will apply to your business. In this article, we take a close look at the UPDPA’s approach to framing and explain its practical impact.

The main UPDPA scope requirements can be found in section 3 (a), which reads:

(to his [act] applies to the activities of a controller[1] or a processor that carries on business in that state or manufactures products or provides services on purpose to residents of that state[2] and:

(1) during a calendar year keeps personal data for more than [50,000][3] data subjects who reside in that State, excluding data subjects whose data is collected or kept only to carry out a payment transaction;
(2) earn more than [50] percentage of its gross annual income during a calendar year from the retention of personal data of data subjects as a controller or processor;
(3) is a processor acting on behalf of a controller whom the processor knows or has reason to know that he complies with paragraph (1) or (2); Where
(4) retains personal data, unless it processes personal data only using compatible data practices.

At first glance, the requirements of 3 (a) (1) and (2) probably seem familiar. All existing national privacy laws have scope requirements based on (i) the amount of data of their residents (between 50,000 and 100,000 residents) that an entity processes, and (ii) the percentage an entity’s income from sharing / selling personal data. While the UPDPA’s scope requirements may seem similar, the definition and function of “maintain” in the UPDPA significantly narrows the scope of its scope thresholds. UPDPA defines maintenance as follows:

“Maintain”, in relation to personal data, means to retain, hold, store or preserve personal data as a system of record.[4] used to retrieve recordings of data subjects for the purposes of individualized communication or decision-making.

Existing state laws base their scope thresholds on a much broader range of data practices. For example, the Virginia Consumer Data Protection Act applies to entities that “control or process personal data of at least 100,000 consumers. Processing is generally defined to include any form of collection, disclosure, storage, modification, etc., while maintenance is limited to retention, retention, storage and preservation.

The definition of maintain is further restricted by the requirement that the data be used for the purposes of “personalized communication” or “decision-making”. This means that the mere storage or accumulation of data is not covered (for example, passive storage of a consumer’s mailing address would not be covered unless that address is used to contact the customer or to inform the entity’s decision-making regarding that consumer). The emphasis on data retention was not incorporated into the UPDPA until the April 2021 project. In the memorandum accompanying this project, ULC notes that the new terminology is intended to limit the scope of the law to exclude systems like email, which collect data “without the function or purpose of making individualized assessments” .

Section 3 (a) (3) expands the scope of the UPDPA to cover processors who process on behalf of covered entities that they know / have reason to know meet the scope requirements of the 3 (a) (1) and (2). Section 3 (a) (4) extends the UPDPA to all entities that retain data for an “incompatible”[5] or “forbidden”[6] data practice. In general, these terms refer to processing activities which are unforeseen or cause harm to the data subject. For example, processing that does not comply with the privacy policy is incompatible.

Section 3 (a) (4) is not limited by volume-based scope thresholds. In practice, this means that even the smallest companies could be liable if they keep personal data for incompatible or prohibited purposes. The ULC addressed the UPDPA request to small businesses in the comments section of its June 2021 project, by declaring “[t]he law recognizes the need for an omnibus privacy law to protect personal data from the excesses and abuses of an unregulated data economy by big and small. Therefore, businesses of all sizes should take into account the UPDPA’s restrictions on data practices to ensure that they only engage in “compatible” activities.[7] data practices.

The UPDPA provides for exemptions in sections 3 (b) and (c). Although these scope exemptions are somewhat limited, there is an exception for publicly available information.[8] and data which is “processed or stored in the course of employment or employment application of a data subject”.

Beyond these exemptions, Article 11 of the UPDPA provides for alternative compliance when companies comply with the “comparable law on the protection of personal data.[s]. To be considered as such, the state attorney general must determine that the other privacy law is ‘equally or more protective.’ In practice, existing national laws and the GDPR may be considered as comparable personal data protection laws, and companies could theoretically comply with the UPDPA by simply expanding their existing privacy compliance policies / programs. In comments on the June 2021 draft, the ULC states that “[t]The purpose of this section is to enable, in practice, companies to settle on a single set of practices relating to their particular data environment.

Section 11 also provides surrogate compliance for the Gramm-Leach-Bliley Act, Medicare Portability and Accountability Act, and Fair Credit Reporting Act; however, this exemption only applies to processing activities covered by these laws. Some existing state laws, such as the Colorado Privacy Act, take a more lenient approach of exempting entities that process data covered by those federal laws.


The potential impact of the UPDPA could be very significant, as more than 20 states are considering / have considered similar personal data protection bills during their legislative sessions in 2021. The stakes are particularly high for small entities which are not subject to any comparable legislation on the protection of personal data. To prepare for this wave of legislation, businesses of all sizes need to take a flexible approach, focusing on the privacy principles that are present in almost all privacy regimes, such as data minimization and transparency. In a later article, we’ll explore the out-of-scope UPDPA requirements in more detail.

[1] Similar to the General Data Protection Regulation (GDPR), the UPDPA uses a controller / processor framework. The UPDPA further separates controllers into two categories: “collection controllers” and “third party controllers”. Different requirements apply depending on the type of entity controller (for example, only the collectors are required to respond to requests for access or rectification).

[2] The jurisdictional requirements that the controller or processor “carry on business in this state or manufacture products or provide services on purpose to residents of that state” comply with existing privacy laws. at the state level.

[3] ULC commented that “[t]Threshold numbers are in parentheses and each state can determine the appropriate level of enforceability. See UPDPA June 2021 project.

[4] Although the “registration system” is not defined in the UPDPA, the ULC notes in the comments to the June 2021 project that the definition of that term and “maintains” are “inspired by definitions in the Federal Privacy Act” (5 USC §552a (a) (3), (a) (5)).

[5] Section 8 of the UPDPA explains what constitutes an “inconsistent data practice”.

[6] Article 9 of the UPDPA explains what constitutes a “prohibited data practice”.

[7] Section 7 of the UPDPA explains what constitutes a “compatible data practice”.

[8] “Publicly Available Information” means information: (A) lawfully made available from a federal, state or local government file; (B) accessible to the general public through widely distributed media, including: (i) a publicly accessible website; (ii) a website or other forum with restricted access if the information is accessible to a wide audience; (iii) a telephone directory or an online directory; (iv) a television, Internet or radio broadcast; and (v) the news media; (C) observable from a location accessible to the public; or (D) that a person reasonably believes to be lawfully made available to the general public if: (i) the information is of a type generally available to the public; and (ii) the individual has no reason to believe that a relevant person with the power to remove the information from public availability has ordered the removal of the information.

Source link

Leave A Reply

Your email address will not be published.