The Uniform Law Commission’s “Privacy Bill” Fails to Protect Privacy
January 7, 2022
By Calli Schroeder, EPIC Global Privacy Counsel
The rising clamor for clear privacy regulations from privacy advocates, consumers, lawmakers, states, and even some businesses has prompted numerous proposals at the federal, state, and local levels. The Uniform Law Commission (ULC) approved a proposed bill, the Uniform Personal Data Protection Act (UPDPA), in June 2021. Though purportedly designed to bring “clarity and stability,” this proposal does not align with already enacted privacy laws in states such as California and Colorado, deepening the split among state approaches to privacy regulation, and does very little to protect privacy. Frankly, the UPDPA does not appear to be a privacy law at all. At best, it is a data access law and a poor one at that.
The ULC’s focus throughout the bill on minimizing burdens for businesses has prevented any useful privacy protections in the final product. A prefatory note in a June 2021 draft states that a key consideration when crafting the UPDPA was avoiding major compliance and regulatory costs to businesses while providing a “reasonable level” of protection to individuals. The result is a proposal that allows corporate surveillance to continue and does little to protect the privacy or security of individuals’ personal data.
Limited Rights For Users
The UPDPA diverges sharply from the individual rights and protections that global and state privacy laws have included for the past several years. Residents of California, Colorado, and Virginia (along with all residents of the European Union, Brazil, and several other countries) already have the right to ask covered businesses to delete the personal data held about them, yet the UPDPA simply does not include this widely recognized privacy right. User rights are limited to rights of access and correction and, even then, only in limited circumstances and subject to a host of exceptions. Collection restrictions (such as opt-out rights) and dissemination restrictions (such as California’s “do not sell” option) are conspicuously absent from the UPDPA. This extreme limitation on individual privacy rights not only deprives individuals of the important right to request deletion of their personal data, but also creates extra overhead for businesses, which must determine which state an individual resides in before determining which rights apply to them.
Individuals should not be forced to give up basic privacy rights to access websites or obtain internet services. Such arrangements are antithetical to the purposes of privacy law: to establish enforceable rights for individuals and impose responsibilities on data collectors. Privacy is a fundamental human right. The provisions in the UPDPA allowing controllers to offer “rewards or discounts” in exchange for the use of personal data undermine this right and are unfair and discriminatory against individuals who are economically disadvantaged. The provisions allowing businesses to require that individuals “consent” to personal data collection and use in order to access services, even where that collection is not necessary to deliver the specific service, are also problematic and essentially undermine any privacy protection the UPDPA may offer.
Behavioral Advertising Not Covered
Perhaps most surprisingly, the UPDPA fully exempts behavioral advertising from protections or limitations, explicitly stating that behavioral advertising is considered a compatible data practice (as further described below) and does not require user consent. The UPDPA’s stance is shocking here, particularly when user distaste for surveillance advertising is exceedingly clear, such as in the iOS 14.5 update where 96% of users opted out of ad tracking. Since curbing this invasive practice has been a key motivator of many existing and proposed privacy laws, as well as the groundswell of calls for additional privacy protections, one can only conclude that the ULC has more interest in protecting existing manipulative and invasive business practices than protecting personal data.
Fails to Promote Privacy Innovation
Good privacy legislation should also promote privacy innovation, encouraging companies to adopt practices that provide useful services while minimizing privacy risk. Privacy-enhancing technologies (“PETs”) are tools and designs that minimize the collection, retention, and exposure of personal data.
Global opt-out mechanisms are one such technique – settings that can be configured in browsers or other devices to send a signal to every website that an individual wants to opt out of the sale of their information. These mechanisms would make it easier for individuals to exercise their rights and make it clear to companies when users are opting out. It is unrealistic to expect internet users to take multiple steps to separately opt out of data disclosure on every website they visit. Indeed, years of experience with website “cookie” banners have shown that users quickly suffer “consent fatigue” and ignore these settings. Many opt-out procedures are intentionally designed to be difficult to follow or even to confuse users (so-called “dark patterns”). Global opt-out mechanisms simplify the opt-out process but are only effective if enforceable. Two of the three existing comprehensive state privacy laws, the California Consumer Privacy Act and the Colorado Privacy Act, require covered businesses to honor global opt-out settings, but the ULC chose not to include this privacy-protective provision, even though it would have been consistent with those state laws.
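To make the mechanism concrete, here is an added example (not part of the EPIC article or of any bill text) of how a website honors the Global Privacy Control (GPC) signal, the browser-level global opt-out that California and Colorado require covered businesses to respect. The facts it relies on are that GPC is carried in the HTTP request header `Sec-GPC: 1`, is exposed to page scripts as `navigator.globalPrivacyControl`, and that a site may publish `/.well-known/gpc.json` to declare it honors the signal. The policy object, function names, placeholder URLs and sample request headers are illustrative assumptions.

```javascript
// Added example, not part of the EPIC article: server-side handling of the
// Global Privacy Control (GPC) signal. Facts used: GPC is sent as the request
// header "Sec-GPC: 1", is exposed to scripts as navigator.globalPrivacyControl,
// and a site may publish /.well-known/gpc.json to declare it honors the signal.
// The policy, function names, placeholder URLs and sample headers below are
// illustrative assumptions, not anything from the UPDPA or a real site.

// HTTP header names are case-insensitive; Node lowercases them, other
// frameworks may not. Accept a string or a repeated-header array.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// The GPC specification defines a single valid value, "1". A value of "0",
// "true", or an empty string is not a signal, so "no opt-out" is the default.
function hasGpcOptOut(headers) {
  const v = getHeader(headers, 'Sec-GPC');
  return typeof v === 'string' && v.trim() === '1';
}

// Client-side counterpart: takes a navigator-like object so it can be tested
// outside a browser. In a page, call clientSignalsGpc(navigator).
function clientSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Assumed site policy. A GPC signal overrides any earlier cookie-banner
// consent: the point of a global opt-out is that the user should not have to
// re-click through every site's banner (the "consent fatigue" problem).
function dataUsePolicy(headers, { bannerConsent = false } = {}) {
  const optedOut = hasGpcOptOut(headers);
  return {
    gpcReceived: optedOut,
    sellOrShare: !optedOut && bannerConsent,     // data brokers, ad exchanges
    behaviouralAds: !optedOut && bannerConsent,  // cross-site profiling
    contextualAds: true,                         // first-party, no profile needed
  };
}

// The third-party scripts the page would embed, filtered by the policy.
// URLs are placeholders for illustration.
function thirdPartyScripts(policy) {
  const always = ['https://cdn.example/site.js'];
  const trackers = ['https://ads.example/pixel.js', 'https://broker.example/sync.js'];
  return policy.behaviouralAds ? always.concat(trackers) : always;
}

// Body served at /.well-known/gpc.json so users, auditors and regulators can
// see that the site honors GPC (field names as in the GPC draft specification).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests: one from a browser with GPC enabled and one
// from a browser that sent no signal but whose user clicked "accept" on a banner.
const withSignal = { host: 'news.example', 'sec-gpc': '1', 'user-agent': 'Mozilla/5.0' };
const withoutSignal = { host: 'news.example', 'user-agent': 'Mozilla/5.0' };

console.log(thirdPartyScripts(dataUsePolicy(withSignal, { bannerConsent: true })));
console.log(thirdPartyScripts(dataUsePolicy(withoutSignal, { bannerConsent: true })));
console.log(gpcWellKnown('2022-01-07'));
```

The design choice worth noting is the precedence rule: a global signal beats a banner click, because a banner consent collected before the signal arrived (or obtained through a dark pattern) is exactly the kind of "consent" a global opt-out exists to override. A site that checked the banner cookie first and the header second would quietly defeat the mechanism.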
The modest and limited protections the UPDPA does contain are rendered functionally useless by the narrow scope of the proposed bill. A business falls under the regulation only if it provides products or services “purposefully directed” to residents of the state, and the bill does not say what constitutes purposeful direction. The UPDPA does not apply to “publicly available information,” which includes anything observable in “public spaces,” such as social media information, footage or recordings from those spaces, or facial recognition data collected in public. It does not apply to government use or employment use. It excludes any data collected or maintained for payment transactions from a company’s “data subject count” for the year. And it wholly excludes companies that maintain personal data solely for “compatible” data practices, which include use consistent with “ordinary expectations” or likely to benefit data subjects (as determined by the company), “purely expressive content” (which is undefined), and any targeted or behavioral advertising. With exemptions like these, one wonders what consumer risks the ULC believed it was addressing.
Lacks Meaningful Enforcement Mechanisms
EPIC has long argued that strong enforcement is a critical piece of privacy legislation. Without robust enforcement mechanisms, businesses have little incentive to comply with privacy laws. There must be consequences for violations of privacy laws.
A strong state privacy law would establish an independent state-level privacy agency with resources, technical expertise, rulemaking authority, and effective enforcement powers, like California has done with the California Privacy Protection Agency. This can complement enforcement authority by State Attorneys General, who have long held an important role in protecting consumer privacy.
A strong state privacy law must also include a private right of action. While government enforcement is essential, the scope of data collection is simply too vast for one entity to regulate. Individuals and groups of individuals who use these services are in a good position to identify privacy issues and bring actions to vindicate their interests. Cases brought under a private right of action preserve the state’s resources, and statutory damages ensure that companies will face real consequences if they violate the law. We have seen this with the Illinois Biometric Information Privacy Act. Many privacy laws include a private right of action and these provisions have historically made it possible to hold companies accountable for their privacy violations.
Unfortunately, the ULC chose not to include strong enforcement provisions in its proposed bill. In the event a company somehow manages to run afoul of the limited obligations within the UPDPA, not much will happen. Beyond the barrage of loopholes and confusing language, the bill’s text explicitly bars private rights of action and grants Attorneys General broad discretion over whether or not to enforce the UPDPA at all.
Permits Weak Risk Assessments and Voluntary Consensus Standards
The protections contained in the UPDPA do little to identify or prevent abuses. Take, for example, the non-public risk assessments required of businesses. The UPDPA does not provide clear guidelines for how these assessments must be conducted or what they must contain, essentially allowing a single assessment that “covers” every processing activity the business conducts, is never shared publicly for review, and is held to no clear standard. Voluntary consensus standards are another example: four sections of the draft are devoted to their development and use, yet none requires any specific privacy protection to be included in those standards.
UPDPA Is Definitely Not “Better Than Nothing”
Some may argue that a flawed privacy law is better than no privacy law at all. We strongly disagree. Passage of a toothless privacy law that does little or nothing to empower individuals and provides legal cover for privacy-invasive business practices actively erodes progress that advocates, consumers, and lawmakers have pushed for while stalling the push for meaningful regulation as states respond “but we already acted.”
The UPDPA is not a privacy law. The ULC’s proposed bill simply gives permission to businesses to continue the business practices that have gotten us into the mess we are in today. State legislators would be better served listening to what their constituents want—a privacy law that changes the status quo by putting meaningful obligations on companies collecting data, giving individuals enforceable privacy rights, and holding companies accountable. The UPDPA does none of that.