The Uniform Law Commission (ULC), an organization that seeks to develop model legislation to help bring consistency and uniformity to state laws, has been working on a model privacy law for several years — and had the opportunity to introduce a meaningful consensus document that raises the bar for consumer data privacy. But the ULC’s finalized Uniform Personal Data Protection Act (UPDPA), approved last month, misses the mark.
The model law would do little to reform companies’ inappropriate data collection and sharing behaviors — including by explicitly exempting behavioral advertising from the protections in the bill. If such a bill were to be implemented, it could be worse than doing nothing at all, as it could forestall future privacy legislation that is more beneficial to consumers and holds companies accountable.
American consumers have few protections with respect to the collection, use, and sharing of their personal information, especially as there is no federal privacy law providing baseline protections for data privacy and security. Consumers need strong legislation that limits collection, use, and sharing of data to what is reasonably necessary to provide the service requested by the consumer, with strong enforcement to back it up. In the absence of federal action, states like California and Colorado have stepped in and adopted baseline privacy legislation that gives consumers the right to access, delete, and stop the sale of personal information, spurring interest in legislation across the country. But industry has pushed back. Companies have used bad-faith interpretations to ignore the CCPA’s opt-out with respect to targeted advertising, further highlighting the need for clear guidelines and strong enforcement. Virginia has also signed a privacy bill into law, but thanks to pressure from industry that legislation is weaker than the CCPA, making it more difficult for consumers to control their data.
As an initial matter, the drafters of the UPDPA appear to have been primarily concerned with limiting compliance costs for companies rather than providing meaningful privacy protections for consumers. The prefatory note to the June 30 version observes that concerns about compliance costs have forestalled progress in several states, and explicitly states that the ULC bill is designed to provide a “reasonable level” of protections while avoiding the compliance costs associated with California’s, and even Virginia’s, privacy framework.
The problems with the ULC bill are numerous. The bill vaguely exempts “compatible data practices” — practices that are consistent with consumers’ ordinary expectations or from which they are likely to benefit. CR agrees that consent should not be required for strictly necessary data processing, so that consumers aren’t pummeled with confusing consent pop-ups, but the definition of “compatible” is too loose to rein in companies. Rather than punt the determination of what is “compatible” to self-interested companies, privacy law should instead specify which processing activities are allowable without consent, and which activities are extraneous and prohibited.
This framework gives companies far too much leeway to decide whether to share consumers’ data with third parties — rendering it meaningless as privacy legislation. The bill defines “incompatible data practices” simply as those that are not “compatible data practices,” in other words, practices inconsistent with consumers’ expectations or with little expected benefit for consumers. That gives companies broad authority to decide whether or not to extend privacy rights to consumers, even though companies may interpret what is expected or beneficial very differently than ordinary consumers do. The measure directs companies to conduct risk assessments to help identify inappropriate practices, but again, companies are squarely in control of these determinations, especially as such risk assessments would remain confidential under the bill.
Under the UPDPA, companies must obtain consumers’ consent for “incompatible data practices” — but the process for obtaining that consent is not specified. In most cases, companies need only offer consumers some ability to opt out of the processing. For incompatible processing of sensitive data, companies are required to obtain “explicit consent” — but that process, too, is undefined. Potentially, the law would allow privacy rights to be waived away by boilerplate language in a Terms of Service or End User License Agreement.
Arguably the most striking element of the UPDPA is that it explicitly exempts behavioral advertising from any controls or protections — even though reining in these privacy-invasive practices is generally considered a primary motivation for, and goal of, any privacy law. For example, companies routinely share consumers’ most personal information for targeted advertising. In 2020, the Norwegian Consumer Council found that 10 apps, including dating apps and period trackers, shared user information with 135 advertising companies and data brokers. And recent reports have highlighted that this kind of data can be linked to specific consumers.
Other problems with this bill include:
- Loopholes for third-party data brokers and facial recognition technologies. In addition to the general exemption for targeted advertising, the bill also exempts data brokers from the law’s access provisions, perversely limiting those rights to companies with which consumers have a direct relationship. Further, data brokers have no obligation to delete unnecessary data at the request of a consumer — indeed, the bill offers consumers no right to deletion for any data for any company. The bill would also broadly exempt facial recognition through its expansive definition of publicly available information. In addition, the bill has a weak definition of “deidentified data” that could offer further loopholes to companies.
- Consumers can be penalized for exercising their privacy rights. Under this bill, companies are permitted to charge consumers for declining to consent to incompatible practices. Consumers should not be penalized for exercising their privacy rights — otherwise those rights would only apply to those who could afford them. While privacy rules should not inhibit true loyalty programs that keep track of consumer purchases in order to incentivize repeat business, companies should not be permitted to provide discounts in exchange for building a profile for targeting offers, or for selling information about customer habits to third-party data brokers. That behavior does nothing to reward consumer loyalty, and runs counter to what participating consumers would reasonably expect.
- Unnecessary safe harbor. Under this bill, compliance with voluntary industry standards or with another federal or state privacy framework would satisfy the requirements of the law, if that approach is approved by the attorney general. This gives an attorney general overly broad authority to narrow the scope of the bill’s already weak protections by blessing a weaker industry self-regulatory program. A better approach would be to clearly outline the rules that companies must follow to respect consumers’ privacy, and to provide enforcement provisions strong enough to incentivize companies to comply.
It’s illuminating that even this weak framework generated disapproval from many businesses because the measure would be enforced under state consumer protection laws. They objected because some states allow consumers to hold companies accountable for violations under their consumer protection law. Enforcement under such statutes should be the minimum for any consumer protection measure; better yet would be an explicit private right of action covering the measure to incentivize companies to comply.
Nevertheless, the UPDPA reflects the concerns of businesses over the interests of consumers. We welcome continued discussions with state privacy stakeholders to hammer out a framework that protects consumers without creating unduly onerous compliance costs — in many ways, Consumer Reports’ model bill already reflects this approach. But the UPDPA does not represent consumers. We urge legislators to ignore the ULC’s framework and instead pursue legislation that protects consumer privacy.