This July, the Uniform Law Commission (ULC) approved a final draft of the Uniform Personal Data Protection Act (UPDPA). The ULC is a nonpartisan group that drafts model laws with the goal of widespread state adoption. One noteworthy example is the Uniform Commercial Code (UCC), which has been adopted to some extent by all 50 states.

The final draft of the UPDPA deviates significantly from existing state privacy laws. One of the most noteworthy aspects of the UPDPA is its novel approach to scoping. Understanding the UPDPA’s scoping requirements is vitally important, as they establish the extent to which this law will apply to your business. In this article we closely analyze the UPDPA’s approach to scoping and explain its practical impact.

The UPDPA’s primary scoping requirements are found in Section 3(a), which reads as follows:

(a) This [act] applies to the activities of a controller[1] or processor that conducts business in this state or produces products or provides services purposefully directed to residents of this state[2] and:

(1) during a calendar year maintains personal data about more than [50,000][3] data subjects who are residents of this state, excluding data subjects whose data is collected or maintained solely to complete a payment transaction;
(2) earns more than [50] percent of its gross annual revenue during a calendar year from maintaining personal data from data subjects as a controller or processor;
(3) is a processor acting on behalf of a controller the processor knows or has reason to know satisfies paragraph (1) or (2); or
(4) maintains personal data, unless it processes the personal data solely using compatible data practices.

At first glance, the requirements in 3(a)(1) and (2) likely look familiar. All of the existing state privacy laws have scoping requirements based on (i) the amount of their residents’ data (between 50,000 and 100,000 residents) an entity processes, and (ii) the percentage of an entity’s revenue that is earned from sharing/selling personal data. While the UPDPA’s scoping requirements may appear similar, the definition and function of “maintains” in the UPDPA significantly narrows the reach of its scoping thresholds. The UPDPA defines maintains as follows:

“Maintains,” with respect to personal data, means to retain, hold, store, or preserve personal data as a system of records[4] used to retrieve records about individual data subjects for the purpose of individualized communication or decisional treatment.

Existing state laws base their scoping thresholds on a much wider range of data practices. For example, Virginia’s Consumer Data Protection Act applies to entities that “control or process personal data of at least 100,000 consumers.” Processing is typically defined to include any form of collection, disclosure, storage, modification, etc., while maintains is limited to retaining, holding, storing, and preserving.

The definition of maintains is narrowed further by the requirement that the data be used for purposes of “individualized communication” or “decisional treatment.” This means that merely storing or accumulating data is not covered (e.g., passive storage of a consumer’s mailing address would not be covered unless that address was used to contact the customer or to inform the entity’s decision-making with regards to that consumer). The focus on maintaining data was not incorporated into the UPDPA until the April 2021 draft. In the memorandum accompanying this draft, the ULC notes that the new terminology is meant to limit the scope of the law to exclude systems like email, which collect data “without the function or purpose of making individualized assessments.”

Section 3(a)(3) extends the UPDPA’s scope to cover processors that process on behalf of covered entities that they know/have reason to know satisfy the scoping requirements in 3(a)(1) and (2). Section 3(a)(4) extends the UPDPA to all entities that maintain data for an “incompatible”[5] or “prohibited”[6] data practice. Generally, these terms refer to processing activities that are unanticipated or cause harm to the data subject. For instance, processing in a manner that is inconsistent with the privacy policy is incompatible.

Section 3(a)(4) is not limited by the volume-based scoping thresholds. In practice, this means that even the smallest businesses could be subject to the Act if they maintain personal data for any incompatible or prohibited purpose. The ULC addressed the UPDPA’s application to smaller businesses in the comments section of its June 2021 draft, stating “[t]he Act recognizes the need to create an omnibus privacy law to protect personal data from the excesses and abuses of an unregulated data economy by small actors as well as large.” Accordingly, businesses of all sizes must consider the UPDPA’s data practice restrictions to ensure that they only engage in “compatible”[7] data practices.

The UPDPA provides exemptions in Sections 3(b) and (c). While these scoping exemptions are somewhat limited, there is a carve-out for publicly available information[8] and data that is “processed or maintained in the course of a data subject’s employment or application for employment.”

Beyond these exemptions, Section 11 of the UPDPA provides for substituted compliance when businesses comply with “comparable personal-data protection law[s].” To qualify as such, the state’s attorney general must determine that the other privacy law is “equally or more protective.” In practice, existing state laws and the GDPR may qualify as comparable personal data protection laws, and businesses could theoretically comply with the UPDPA by simply extending their existing privacy compliance policies/programs. In the comments to the June 2021 draft, the ULC states that “[t]he purpose of this section is to permit, in practice, firms to settle on a single set of practices relative to their particular data environment.”

Section 11 also provides substituted compliance for the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act; however, this exemption only applies to processing activities covered under these laws. Some existing state laws, such as Colorado’s Privacy Act, take the more lenient approach of exempting entities that process data covered by these federal laws.

Conclusion

The potential impact of the UPDPA could be very significant, as over 20 states are considering/have considered similar personal data protection bills during their 2021 legislative sessions. The stakes are particularly high for smaller entities that are not subject to any comparable personal data protection laws. To prepare for this wave of legislation, businesses of all sizes should take a flexible approach, focusing on privacy principles that are present across nearly all privacy regimes, such as data minimization and transparency. In a subsequent article, we will further explore the non-scoping requirements of the UPDPA.

[1] Similar to the General Data Protection Regulation (GDPR), the UPDPA utilizes a controller/processor framework. The UPDPA further separates controllers into two categories: “collecting controllers” and “third-party controllers.” Different requirements apply based on the entity’s controller type (e.g., only collecting controllers are required to respond to access or correction requests).

[2] The jurisdictional requirements that the controller or processor “conducts business in this state or produces products or provides services purposefully directed to residents of this state” are consistent with existing state-level privacy laws.

[3] The ULC has commented that “[t]he threshold numbers are in brackets and each State can determine the proper level of applicability.” See UPDPA June 2021 draft.

[4] While “system of records” is not defined in the UPDPA, the ULC notes in the comments to the June 2021 draft that the definition of this term and “maintains” are “modeled after the federal Privacy Act’s definitions” (5 U.S.C. §552a(a)(3), (a)(5)).

[5] Section 8 of the UPDPA explains what constitutes an “incompatible data practice.”

[6] Section 9 of the UPDPA explains what constitutes a “prohibited data practice.”

[7] Section 7 of the UPDPA explains what constitutes a “compatible data practice.”

[8] “Publicly available information” means information: (A) lawfully made available from a federal, state, or local government record; (B) available to the general public in widely distributed media, including: (i) a publicly accessible website; (ii) a website or other forum with restricted access if the information is available to a broad audience; (iii) a telephone book or online directory; (iv) a television, Internet, or radio program; and (v) news media; (C) observable from a publicly accessible location; or (D) that a person reasonably believes is lawfully made available to the general public if: (i) the information is of a type generally available to the public; and (ii) the person has no reason to believe that a data subject with authority to remove the information from public availability has directed the information to be removed.