In response to the privacy compliance nightmare that appears to be developing from the proliferation of state privacy legislation, the Uniform Law Commission (ULC) has recently started the process to develop a uniform state privacy law that, once completed, will provide a template for all 50 states to use in enacting consistent privacy legislation. The proposed uniform privacy law, titled the Collection and Use of Personally Identifiable Data (CUPID) Act, has been put on a fast track to completion.
The ULC initiated the project in late 2019, motivated largely by concerns that the enactment of the California Consumer Privacy Act (CCPA), along with enacted and pending legislation in several other states, could lead to a patchwork of different state privacy laws. According to the ULC, “the drafting committee is seeking to draft a proposal that can achieve reasonable consensus between data collectors and data subjects and would thus have a reasonable opportunity to be adopted on a uniform basis.”
This project to draft the CUPID Act bears close watching due to the influence of other uniform laws that are adopted by all or most of the states. Perhaps some of the best-known examples include the Uniform Commercial Code (adopted in all 50 states) and the Uniform Electronic Transactions Act (adopted in 48 states). In this climate, where most states are already looking to address privacy, a uniform law produced by the ULC may offer a well-vetted option.
An initial framework draft of the CUPID Act was produced by the drafting committee’s reporter, and was considered at an in-person meeting in February 2020. It was then refined based on the February discussion and forms the basis of the current draft.
Overview of the CUPID Act
As currently drafted, the CUPID Act applies to the commercial activities of a person that conducts business in the enacting state or produces products or provides services targeted to the enacting state, provided that the person:
- is the custodian of personal data concerning more than [50,000] data subjects in one year;
- earns more than  percent of its gross annual revenue directly from its activities as a data controller or data processor; or
- is a data processor acting on behalf of a data controller whose activities the processor knows or has reason to know satisfy paragraph (1) or (2).
For covered entities, the current draft of the CUPID Act exempts publicly available data, as well as data collected by an employer about an employee in the context of the employment relationship. Data subject to regulation under GLB, HIPAA, and FCRA is also exempt.
The draft Act is somewhat of a hybrid between GDPR and CCPA. Generally, it provides certain rights for data subjects, and imposes certain duties on both data controllers and data processors.
The rights granted to data subjects can be summarized as follows:
- Right to require the data controller to confirm whether or not it has retained or is processing personal data of the data subject;
- Right to obtain a copy of the data subject’s personal data from the data controller;
- Right to have the data controller correct inaccuracies;
- Right to have the data controller delete the data subject’s data;
- Right to restrict the data controller from processing or transferring personal data for the purposes of targeted advertising; and
- Right to restrict the data controller from processing or transferring personal data for the purposes of profiling in furtherance of decisions that result in a provision or denial of a variety of listed services.
The obligations imposed on data controllers and data processors can be summarized as follows:
- Duty of loyalty – i.e., not to engage in processing practices that are unfair, deceptive, or abusive;
- Duty of data security – requirement to adopt, implement, and maintain reasonable data security measures;
- Duty of data minimization – prohibition on collecting, processing, or retaining more personal data than necessary to achieve the purposes of processing;
- Duty of transparency – duty to provide data subjects with reasonably accessible, clear, and meaningful privacy notices that make a series of specified disclosures;
- Duty of purpose limitation – prohibition on processing personal data or allowing others to do so for purposes that are not specified in the privacy notice to data subjects;
- Duty to conduct all processing by written agreement – processing by a data processor must be governed by written agreement between the processor and the controller that covers a series of designated items;
- Duty to designate a data privacy officer – individual or contractor to perform duties specified in the Act;
- Duty to conduct a data privacy assessment – controllers and processors must conduct a written data privacy assessment of each data activity undertaken by it to evaluate all material risks, harms, and benefits (items the assessment must evaluate are listed); and
- Duty of nondiscrimination – prohibition on discrimination against data subjects for exercising their rights to access and copy their personal data or correction of inaccuracies.
For purposes of enforcement, the Act provides for regulatory enforcement by the Attorney General as well as a limited private right of action.
Unlike some legislative drafting processes, the ULC drafting committee process is very open and transparent. All drafts of the CUPID Act, as well as all comments submitted by interested parties, are available on the ULC website. Additionally, ULC drafting committee meetings are open and anyone is allowed to attend and fully participate. The ULC also encourages the submission of written comments. So far, the project has attracted over 130 observers from a wide variety of technology and other industries interested in data collection as well as from consumer groups.
The CUPID Act is in the early stages of development by the drafting committee. The ULC process typically takes at least two years to complete, and requires that a draft act be “read” at two separate annual meetings of the ULC before it can be formally adopted as a final uniform act. Because the CUPID Act process is on a fast track, the drafting committee has sent its initial (May 20, 2020) version of the CUPID Act to the ULC as a “discussion draft” for first reading without significant amendments and without consideration of the stakeholder comments received to date. Over the course of the summer, separate meetings will be held with some individual stakeholders as well as meetings of the Drafting Committee focused on specific issues. The drafting committee anticipates that the final (i.e., second) reading will occur in the summer of 2021, after which the CUPID Act will be considered final and ready for adoption by the states.
The Drafting Committee has voted to submit this draft to the Conference for its comments but no committee vote has been taken to approve any section or the work as a whole. This draft, like most first reading drafts, is designed to solicit comments from other Commissioners and, importantly, keep this project on schedule for a final reading in the summer of 2021.
Information regarding the status of the CUPID Act, as well as the current draft of the Act, submissions by outside groups, and meeting information is available at the ULC website at https://www.uniformlaws.org/home. The Collection and Use of Personally Identifiable Data Drafting Committee page (where all of the documents can be found) is at https://www.uniformlaws.org/projects/committees/drafting.