A Model Personal Data Protection Act

October 06, 2021

Colorado has now joined California and Virginia by passing a data privacy protection act, to be effective 7/1/23. If more states adopt their own laws with material differences between them, businesses operating across state lines will have to keep track of multiple compliance issues. An alternative approach is a model law applicable nationwide with limited modifications. The Uniform Law Commission has now adopted a Uniform Personal Data Protection Act which, if accepted by the states, would do just that.

The Act creates three categories of data practices:

  • Compatible - consistent with consumer expectations or likely to benefit the consumer. Individual consent would not be needed and there is no right to opt out.
  • Incompatible - neither beneficial nor harmful but not disclosed in a privacy policy. Personal data can only be used if the practice is disclosed when information is collected. Use of sensitive personal information requires express signed consent; otherwise individuals can opt out.
  • Prohibited - practices likely to cause substantial harm.

The Act is not limited to entities above a specific size, but states can exempt individuals who do not maintain a minimum number of records or earn more than a specific percentage of their revenue from maintaining personal information. Below these thresholds entities must still limit their data processing to compatible practices.

Requirements apply to data controllers and processors.

Compliance with specified federal privacy laws, comparable laws of another jurisdiction or a voluntary consensus standard is considered compliance with the Uniform Act.

Whether enforcement includes a private right of action will be left to states.

The ULC plans to promote adoption by state legislatures starting with January 2022 sessions. Be alert for action in your state.