This is not the privacy bill you are looking for | Electronic Frontier Foundation

2021-12-15 00:16:43 By : Mr. David Lin

Legislators seeking a starting point for privacy legislation should pass over the Uniform Law Commission's Uniform Personal Data Protection Act (UPDPA). The Uniform Law Commission (ULC) seeks to write model legislation that can be adopted by state legislatures across the country to develop national standards. Sadly, the ULC's attempt at a consumer privacy act has produced, in UPDPA, a weak, confusing, and meaningless model bill.

A strong privacy bill must put consumers first. The EFF has established its top priorities for privacy law, which include allowing people to act as their own privacy enforcers with full private litigation rights, as well as preventing companies from discriminating against those who exercise their rights to protect their privacy. EFF also advocates the opt-in model, which requires companies to obtain someone's permission before collecting, sharing, or selling their data, rather than the opt-out model.

UPDPA falls short in many ways. Why? Because, despite years of evidence that companies will not protect consumer privacy on their own, UPDPA still listens to companies' complaints that respecting people's privacy is a burden. In fact, Harvey Perlman, chair of the UPDPA committee, publicly acknowledged that one of the main goals of the drafting committee was to reduce the cost of business compliance.

By seeking middle ground on some of the biggest disagreements between consumer advocates and companies that want to change their practices as little as possible, UPDPA proposes “compromises” that will not work for anyone. Company advocates found its advice confusing because it established another compliance framework. Consumer advocates found the "protection" in the bill to be empty. An Oklahoma lawmaker told the International Association of Privacy Professionals that it is no surprise that the bill is "empty." "Except for the data company's obligation to provide voluntary consent standards, the bill seems to have no other substantive content," he said. "Basically, those who control the data can decide what their policies and procedures will be. So this law is empty because it says [companies] must come up with some way to solve privacy issues, but we didn’t tell you exactly what it is."

By lowering standards to induce companies to comply, UPDPA leaves consumers twisting in the wind. The core of the bill depends on whether the company uses your information for a purpose that is "compatible" or "incompatible" with the reason the company originally collected the information. So, for example, if a company wants to do something for you that relates to your location, such as identifying restaurants near you, you might allow the company to collect your location information. This kind of guardrail may sound good at first glance; in fact, it follows an important privacy principle: companies should only use consumer information for the purpose that the consumer initially approved. However, UPDPA undermines the meaning of "compatible purpose," so it does not provide real protection for ordinary people.

First of all, individuals have no say in whether the company's eventual use of their data is "compatible" with the original purpose of collection; the definition depends entirely on the company. This gives the company broad freedom to process people's information for any reason that it believes is consistent with the reasons for which it was collected. This may include processing that a person does not want at all. For example, if a company that collects your location information to tell you about nearby restaurants decides that it also wants to use that data to track your regular travel patterns, it can unilaterally classify the new use as "compatible" with the original use without asking you to approve it.

UPDPA also defines targeted advertising as a “compatible purpose” that does not require additional consent, although targeted advertising is one of the most often ridiculed uses of personal information. In fact, when consumers have the right to choose, the vast majority of them choose not to participate in advertising that tracks their behavior. This distorts the idea of protecting privacy and lets unnecessary privacy violations slip by.

In addition, when companies use consumer data for incompatible purposes, the bill only requires companies to notify consumers and give them the opportunity to opt out. In other words, if a weather app has your permission to collect your location information for the purpose of accurate local forecasting, but then decides to share it with a group of advertisers, it does not need to ask for your permission first. It just needs to give you a notice that "we share with advertisers" and the option to opt out, probably in a terms and conditions update that no one reads.

Other rights in the bill, including those supported by the EFF, such as the right to access personal data and the right to correct data, are severely restricted. For example, the bill allows companies to ignore requests for corrections that they believe are "inaccurate, unreasonable, or excessive." They can decide which requests meet this criterion without providing any reason. This gives companies too much leeway to ignore what their customers want. Although the bill gives consumers the right to access their data, it does not give them the right to obtain a machine-readable electronic copy, which is often referred to as the right to data portability.

UPDPA also lacks one of EFF's most important privacy principles: ensuring that consumers will not be punished for exercising their right to privacy. Even though the bill requires companies to obtain permission to use data for "incompatible data practices," a company can offer "rewards or discounts" in exchange for that permission. In other words, you can only have the right to privacy if you are willing and able to pay for it.

As we have said before, this approach treats our privacy as a tradable commodity, rather than a basic right that needs to be protected. This is wrong. People who value privacy but find it difficult to make ends meet will feel pressured to give up their rights for meager gains; a monthly telephone bill may be reduced by $29. Privacy legislation should rebalance power in favor of consumers, rather than redouble efforts to over-expand unhealthy institutions.

UPDPA also fails to address how data flows between private companies and the government. It is not alone in this: although the European General Data Protection Regulation (GDPR) covers government and private entities, many state privacy laws in the United States focus on only one of them.

However, there is an increasing need to address the way data flows from private entities to the government, and UPDPA largely ignores this threat. For example, the bill treats data as “publicly available,” and therefore not protected, if it is “observable from a publicly accessible location.” This seems to exempt footage from the Ring cameras that people put on their doors, which record what is happening on the adjacent public sidewalk. Information from Ring and other private cameras needs to be protected, especially to prevent indiscriminate sharing with law enforcement agencies. This is another example of how the model legislation ignores pressing privacy issues.

The definition of publicly available information also seems to completely exempt information posted on social media sites with restricted access, such as Facebook, including from requirements concerning privacy policies or security practices. Specifically, UPDPA exempts "access to restricted websites or other forums if the information is available to a wide audience." This is too broad and deliberately ignores the way private companies provide information from social media and other companies to government agencies.

Finally, UPDPA has loopholes in its enforcement clauses. Privacy laws are only as good as their teeth. This means strong public enforcement and a strong private right of action. The bill has neither.

Worst of all, it explicitly does not create private litigation rights, preventing people from protecting themselves from privacy-violating companies in the most obvious way: litigation. Many privacy laws include private litigation rights, including federal laws on eavesdropping, storage of electronic communications, video rentals, driver's licenses, credit reports, and cable subscriptions. The same is true for many other types of laws that protect the public, including federal laws on clean water, employment discrimination, and access to public records. There is no reason consumer privacy should be any different.

By denying people this obvious and powerful tool to enforce the few protections the law gives them, UPDPA fails the most critical test.

State attorneys general do have the power to enforce the bill, but they have broad discretion to choose not to enforce the law. This is too big a gamble to take with privacy. The attorney general may be understaffed or subject to regulatory capture; in these cases, consumers cannot get any recourse for violations of the few privacy protections provided by the Act.

Although UPDPA grapples with many of the most controversial discussions in privacy legislation today, it fails to provide a meaningful solution to any of them. It has seriously failed to solve the privacy problems ordinary people face (intrusive data collection, weak control over how their information is used, and no clear means to fight for themselves), the very issues that put data privacy on the agenda in the first place. Federal or state legislators should not replicate this empty bill and lower privacy standards.