Concerns over data privacy remain at the forefront of legal issues affecting businesses all over the globe. Numerous government entities and legal organizations have proposed and/or implemented data privacy rules and regulations. The Uniform Law Commission is the latest organization to join the ranks through its proposed uniform data privacy legislation entitled the “Collection and Use of Personally Identifiable Data Act”.
The Uniform Law Commission (ULC) is an organization that proposes non-partisan, draft legislation addressing critical areas of statutory law for state consideration. The ULC is comprised of lawyers, judges, legislators and legislative staff, and law professors who are appointed by state governments, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. The organization researches, drafts, and promotes the enactment of uniform laws in areas of state law “where uniformity is desirable and practical.” The ULC can only propose uniform legislation, meaning that its proposals are not effective unless and until they are adopted by a state legislature. More information about the ULC is available here.
The proposed Collection and Use of Personally Identifiable Data Act tracks similar data privacy legislation, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and aims to protect and limit the collection, storage, and processing of personal data, as well as to establish new user rights in data. The latest draft of the proposed uniform legislation was uploaded onto the ULC’s website approximately three weeks ago. The drafting committee held meetings to discuss the proposed uniform legislation on February 21 and February 22, 2020 at the Madison Hotel in Washington, D.C.
The Act defines “personal data” as “information that identifies or describes a particular individual, household, or device, and information that can be associated with a particular individual, household, or device by using a reasonable amount of effort.” The definition further clarifies that “[p]ersonal data need not have been collected directly from a data subject. Probabilistic inferences about an individual, household, or device, including inferences derived from profiling, are included in the definition of personal data.” Data that has been de-identified, i.e., data from which personally identifiable information has been removed, and publicly available data are not considered “personal data” under the Act.
The proposed legislation prohibits individuals or entities who collect, store, and process personal data from processing that data for purposes other than those that were disclosed to the data subject. The proposed legislation also seeks to limit the transfer and sharing of personal data.
The Act mandates that entities who collect, store, and process personal data designate an individual employee or contractor to serve as a data privacy officer. The data privacy officer (DPO) is responsible for supervising the collection, storage, and processing of the personal data and overseeing the data privacy assessments required under the Act. The Act suggests several data privacy assessments designed to evaluate each data processing activity undertaken by the entity and the material risks, harms, and benefits associated therewith. These assessments are to take place every two years and should be updated any time changes in data processing activities “may materially increase privacy risks to data subjects.” The assessments incorporate an evaluation of a number of factors, such as the type of personal data being processed; the presence of any sensitive data (i.e., data revealing an individual’s race or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, gender or sexuality, citizenship or immigration status, biometric data, and data pertaining to children); the scale of the processing activities; the context in which the personal data is being collected and/or processed; the seriousness of the privacy risks imposed on the data subjects as a result of the processing activities; etc.
The Act also requires custodians of personal data to implement reasonable security measures to protect the confidentiality and integrity of the personal data in their possession or control. Those measures and their effectiveness are to be evaluated as part of the data privacy assessments. Additionally, data custodians are only permitted to collect, process, or retain personal data to the extent necessary to achieve their processing purpose.
Similar to both the GDPR and the CCPA, transparency is key under the Act. Data subjects are entitled to receive a privacy notice outlining, among other things, the categories of personal data that are collected or processed, the purpose for which their personal data is being processed, with whom their personal data is being shared, and the means by which they may exercise the rights afforded to them under the Act. Data custodians must provide the data subjects with at least two methods to contact the custodian in order to exercise their rights under the Act, one of which must be a toll-free telephone number. If the custodian maintains a website, data subjects must have the option to contact the custodian through the website. If personal data is processed for targeted advertising, the privacy notice must provide an opt-out option.
Data subjects are also afforded access and portability rights under the Act, including the right to confirm whether the custodian controls or processes any personal data pertaining to the data subject and the right to receive a copy of the data subject’s personal data for a reasonable fee (a copy of which must be provided to the data subject at least once per year, free of charge). Data subjects can also restrict the right of a custodian to process or transfer data for purposes of targeted advertising and/or profiling, request corrections to inaccuracies in their personal data, and request that a custodian delete all of their personal data. Data custodians must promptly respond to such requests from data subjects and are required to establish procedures for determining responses to requests from data subjects.
Lastly, the Act permits data subjects to bring private causes of action for certain violations under the Act. The proposed damages provision entitles the data subjects to receive the greater of their actual damages or $100. This provision does not
The full text of the proposed Collection and Use of Personally Identifiable Data Act can be found here.
As technology continues to permeate nearly every aspect of our lives, we are sharing an ever-increasing amount of our personal data online. Especially in the digital age, there is a much greater demand for ensuring the protection of personal data. Given the number of entities that transact business internationally and collect, store, and process personal data from data subjects all over the world, there is an even greater need to ensure uniformity in data privacy regulation. The ULC’s proposed Collection and Use of Personally Identifiable Data Act recognizes this need and aims to provide a basic framework within which states can craft their own data privacy rules and regulations in a uniform and predictable manner. Although the amount of traction this proposed uniform legislation will receive is yet to be determined, data privacy regulation is a critical area of the law that businesses should be prepared to address sooner rather than later.
Marjorie F. Bagnato

Ms. Bagnato is an Associate attorney with Sherrard, German & Kelly, P.C. where she serves as a member of the firm’s Litigation and Dispute Resolution and Privacy and CyberSecurity groups.