The Uniform Law Commission Takes on Developing a Model Comprehensive Privacy Law for the States

Since the passage of the California Consumer Privacy Act in 2018, at least two dozen states have introduced their own comprehensive privacy bills.  Although some are modeled on the CCPA, the proposals vary in terms of the rights granted to individual consumers and employees, compliance obligations imposed on controllers and processors of personal information, as well as how key terms (such as “personal data” or “sale of data”) are defined in the legislation.  Once these proposals are enacted into law, the companies across the country will face a proverbial “patchwork” of regulatory requirements that will complicate and increase the cost of compliance.

The Uniform Law Commission (ULC), composed of practicing lawyers, judges, legislators,  legislative staff, and law professors appointed by the state governments, set out to bring some uniformity into the privacy legislative process.  The ULC plans to draft a uniform or model state law addressing the collection and use of personal data, including provisions governing the sharing, storage, security, and control of personal data.  The ULC has successfully developed model state legislation in the past, the best known example of their work being the Uniform Commercial Code, which has been adopted in all 50 states.

The April 24, 2020 “discussion” draft of the model Collection and Use of Personally Identifiable Data Act would provide data subjects with the rights of access, portability, rectification, and deletion of their personal data, as well as the right to restrict data controllers from processing and transferring personal data for purposes of targeted advertising or profiling.  The data custodians (which includes data controllers and processors) would be subject to the duties of loyalty (i.e. an obligation not to engage in processing activities that are unfair, deceptive, or abusive), data security, data minimization, transparency, and purpose limitation.

The discussion draft envisions that data controllers would be required to publish and file with the state Attorney General a “privacy commitment,” a document that would specify the manner in which data subjects may exercise their rights and the method by which the controller will respond to assertion of those rights.  That would allow companies to adopt codes of conduct particular to their industry and the nature of data processing.

The discussion draft would provide for a private right of action limited to circumstances in which the obligation on data custodians is either clear or can be tailored by the custodian to create a safe harbor.  For example, as long as the company’s privacy commitment remains in force, its compliance will serve as a safe harbor from private actions.

The Commission’s goal is to draw up a model legislation by 2021.  Given that privacy legislation will likely remain on hold in the coming months as states are focused on dealing with the COVID-19 pandemic, the timing of the ULC’s effort might work out towards implementing uniform, or at least consistent, privacy laws next year.

Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653