The Uniform Personal Data Protection Act
The Uniform Law Commission is a national, non-partisan, non-profit group that develops model legislation with particular attention to maintaining stability between state and federal laws. They were responsible for the Uniform Commercial Code, and their partner in drafting it, the American Law Institute, drafted the Model Penal Code.
These groups are essentially brain trusts that in a non-biased way try to come up with the best laws for the welfare of all. They think about the interests of government, big business, small business, consumers, etc. Their considerations don’t focus on local or regional issues because their members come from all over the United States. They attempt to come up with universal laws that will work and be acceptable to all impacted parties.
The Uniform Personal Data Protection Act (UPDPA) is a draft law promulgated by the Uniform Law Commission to address data privacy. It was drafted to be generally applicable. Municipalities, states, or even the federal government could use its language for their own privacy laws. Oklahoma, Nebraska, and the District of Columbia have all introduced comprehensive data privacy bills based on the UPDPA.
The UPDPA applies to entities that collect or maintain personal data. It uses a risk-based approach to privacy regulation.
Because it uses a risk-based approach to privacy regulation, it allows some data processing without consent. It categorizes these processing activities as being “compatible data practices.” These generally consist of practices that reasonable consumers would expect to occur or practices that directly benefit the consumer.
It permits “incompatible data practices” if the controller provides notice to the data subject about the data practices and receives their consent to proceed with the data practices.
The UPDPA prohibits data practices that may cause a substantial risk of harm to data subjects. The harm may be reputational or financial, or the practice may be likely to cause harassment.
In relation to other laws, the UPDPA allows businesses to comply with more restrictive laws and be deemed compliant with the UPDPA.
There is a lot of sense to the risk-based approach modeled in the UPDPA. The less risk to the consumer in a behavior, the less restriction on engaging in that behavior by the controller. The more risk to the consumer, the more restriction on engaging in that behavior. The incentives are aligned to encourage data controllers to engage in less risky behavior or at least make sure the consumer knows and agrees to any risky behavior.
Companies can choose to use consumer data when doing so constitutes a “compatible data practice.” They can also choose either not to engage in “incompatible data practices” or to gather consent, after giving notice of the proposed behavior, before engaging in it.
Whether contending with “compatible data practices,” “incompatible data practices,” and prohibited data practices or “personal information” and “sensitive personal information,” it’s important to understand what data your company collects. Clarip provides automated data mapping so you can understand what data your company collects and how it flows through your digital domain. We also provide data subject request fulfillment, website scanning, vendor management, consent management, and much more. Visit us at www.clarip.com or call us at 1-888-252-5653 to learn more.