Georgetown Law
Technology Review

In October 2021, the Uniform Law Commission (ULC) adopted the Uniform Personal Data Protection Act (UPDPA).  This Act is purported to apply “fair information practices to the collection and use of personal data from consumers by business enterprises.” Despite the ULC’s efforts, the Act prioritizes the interests of businesses over consumers. More than a year later, only three states have introduced the Act to their legislature which, along with the inadequacy of the Act itself, suggests that the ULC is not the proper mechanism to propose a privacy law.

The ULC: an Overview

The Uniform Law Commission, a non-partisan national non-profit made up of lawyers, provides states with model legislation to bring clarity to conflicting state and federal laws. Among other uniform laws, they promulgated the Uniform Commercial Code (UCC), which has been adopted, at least partially, by all 50 states. The ULC comes together to study and review the law of the states to “determine which areas of the law should be uniform.” In one of their many committee and study group meetings, the ULC determined that the states needed a uniform data protection law.

The Act is Overly Broad and Convoluted

According to the ULC’s website, the purpose of the UPDPA is to provide a “reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.” The Act is a model for states to define fair use of consumer data and defines compatible, incompatible, and prohibited uses of data. At issue here are compatible and incompatible uses.

Compatible data practices are allowed to be performed without consumers’ consent. As long as consumers expect a form of data processing to occur, or if the data processing “benefits” consumers, it is considered a compatible data practice. Daniel Solove, a law professor well known for his academic work on privacy, notes that the law defines these beneficial practices in a way that is “so vague that it permits companies to do nearly anything.” The overly broad nature of this provision harms users by allowing companies to proscribe consumer benefits to practically any form of data collection.

Incompatible data practices can be performed with notice and consent from the user. The notice and consent approach has been criticized for its inadequacy, with good reason. A company may hide its intent to engage in incompatible data practices in long, convoluted, oft-ignored privacy disclosures. As long as an individual quickly scrolls down to click “I accept,” this would qualify as a company giving notice. However, this does not ensure that individuals have the opportunity to give meaningful consent.

The Act’s First Amendment Confusion

The Act purports to promote transparency and accountability by requiring companies to post privacy policies and by granting individuals the right to access and correct their data.

However, the Act does not allow individuals to delete their data. The prefatory note of the Act cites Sorrell v. IMS Health, Inc., 564 U.S. 552 (2011) as their reasoning behind this. The ULC states that the holding of Sorrell is that “data collected and analyzed by private companies was found to be speech and thus protected from governmental regulation unless justified by a significant governmental interest.” But Sorrell involved a statute that imposed content-based restrictions on speech, not a blanket law regulating data collected and analyzed by private companies. Thus, the ULC misunderstands the true holding of the case, which is that the government cannot impose restraints on particular speakers based on the content of the speech without advancing a substantial state interest.

The ULC does not propose any arguments regarding whether a substantial state interest may include the right of a consumer to delete their data. The organization also does not comment on other states, such as California and Virginia, that have introduced privacy laws that include the right to delete and have not been subject to constitutional challenges. The ULC instead focuses on a blanket prohibition of the right to delete based on the assumption that government regulation of this form of speech does not advance a substantial state interest, and that Sorrell applies to any and all data collection and analysis, instead of particular speech restraints.

The Act Does Not Prioritize Individuals

Not only is there no right to delete data, but individuals also do not have the option to opt-out of data collection, or to prohibit companies from selling their data. Instead, individuals must rely on companies’ goodwill to not abuse the broad latitude provided by the Act or by companies’ privacy notices.

Leading industry think tanks, including the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC), agree: this Act does not prioritize individuals appropriately. The Act does not address how data should flow from private companies. There is no mechanism for government enforcement, nor private rights of action, which limits the possibility of strong oversight. Without private rights of action, individuals cannot bring their grievances against a company to a courtroom and demand change.

The compliance practices that the Act suggests are also inadequate. The Act allows companies to engage in substitute compliance with other privacy laws that provide similar data protection mechanisms. A final draft of the Act states: “Compliance with other legislative privacy regimes, such as GDPR or CCPA, and that provide similar data protection to this Act, will be deemed to be sufficient to comply with this Act.” If it is possible for companies to be in compliance with the Act by continuing to comply with existing laws, there is no point in adopting this Act.

These shortcomings did not resonate with the DC, Nebraska, or Oklahoma ULC Chairs, who introduced the bill to their respective legislatures. Thus far, the bill has not yet been adopted anywhere. Because of the compliance structure and lack of priority for individuals, states should instead write a statute better suited for their residents, or support current federal legislation discussions.

The ULC is not the proper mechanism for proposing a privacy law. The ULC’s own goal of uniformity of laws is not important enough for states to adopt an Act that only provides mild comfort to consumers while giving companies too much control over the data they collect. The California Consumer Privacy Act and the Virginia Consumer Data Protection Act provide an example of state legislation that makes individuals a priority by allowing them to control their personal information. These laws are not only proof of what state legislatures can enact regarding privacy, but it is further proof that the creation of state-level laws prioritizing individual privacy is possible.