In response to the privacy compliance nightmare that appears to be developing from the proliferation of state privacy legislation, the Uniform Law Commission (ULC) has recently started the process to develop a uniform state privacy law that, once completed, will provide a template for all 50 states to use in enacting consistent privacy legislation. The proposed uniform privacy law, titled the Collection and Use of Personally Identifiable Data (CUPID) Act, has been put on a fast track to completion.
The ULC initiated the project in late 2019, motivated largely by concerns that the enactment of the California Consumer Privacy Act (CCPA), along with enacted and pending legislation in several other states, could lead to a patchwork of different state privacy laws. According to the ULC, “the drafting committee is seeking to draft a proposal that can achieve reasonable consensus between data collectors and data subjects and would thus have a reasonable opportunity to be adopted on a uniform basis.”
This project to draft the CUPID Act bears close watching due to the influence of other uniform laws that are adopted by all or most of the states. Perhaps some of the best-known examples include the Uniform Commercial Code (adopted in all 50 states) and the Uniform Electronic Transactions Act (adopted in 48 states). In this climate, where most states are already looking to address privacy, a uniform law produced by the ULC may offer a well-vetted option.
An initial framework draft of the CUPID Act was produced by the drafting committee’s reporter, and was considered at an in-person meeting in February 2020. It was then refined based on the February discussion and forms the basis of the current draft.
Overview of the CUPID Act
As currently drafted, the CUPID Act applies to the commercial activities of a person that conducts business in the enacting state or produces products or provides services targeted to the enacting state, provided that the person:
For covered entities, the current draft of the CUPID Act exempts publicly available data, as well as data collected by an em-ployer about an employee in the in the context of the employment relationship. Data subject to regulation under GLB, HIPAA, and FCRA is also exempt.
The draft Act is somewhat of a hybrid between GDPR and CCPA. Generally, it provides certain rights for data subjects, and imposes certain duties on both data controllers and data processors.
The rights granted to data subjects can be summarized as follows:
The obligations imposed on data controllers and data processors can be summarized as follows:
For purposes of enforcement, the act provides for regulatory enforcement by the Attorney General as well as a limited private right of action.
Unlike some legislative drafting processes, the ULC drafting committee process is very open and transparent. All drafts of the CUPID Act, as well as all comments submitted by interested parties are available on the ULC website. Additionally, ULC drafting committee meetings are open and anyone is allowed to attend and fully participate. The ULC also encourages the submission of written comments. So far, the project has attracted over 130 observers from a wide variety of technology and other industries interested in data collection as well as from consumer groups.
The CUPID Act is in the early stages of development by the drafting committee. The ULC process typically takes at least two years to complete, and requires that a draft act be “read” at two separate annual meetings of the ULC before it can be formally adopted as a final uniform act. Because the CUPID Act process is on a fast track, the drafting committee has sent its initial (May 20, 2020) version of the CUPID Act to the ULC as a “discussion draft” for first reading without significant amendments and without consideration of the stakeholder comments received to date. Over the course of the summer, separate meetings will be held with some individual stakeholders as well as meetings of the Drafting Committee focused on specific issues. It anticipates that the final (i.e., second) reading will occur in the summer of 2021, after which the CUPID act will be considered final and ready for adoption by the states.
The Drafting Committee has voted to submit this draft to the Conference for its comments but no committee vote has been taken to approve any section or the work as a whole. This draft, like most first reading drafts, is designed to solicit comments from other Commissioners and, importantly, keep this project on schedule for a final reading in the summer of 2021.
Information regarding the status of the CUPID Act, as well as the current draft of the Act, submissions by outside groups, and meeting information is available at the ULC website at https://www.uniformlaws.org/home. The Collection and Use of Person-ally Identifiable Data Drafting Committee page (where all of the documents can be found) is at https://www.uniformlaws.org/projects/committees/drafting.
Sign up for our newsletter and get the latest to your inbox.