Coalition Letter to ULC on Collection and Use of Personally Identifying Data Act

Uniform Law Commission
111 N. Wabash Ave                                               
Suite 1010
Chicago, IL 60602

RE: Collection and Use of Personally Identifiable Data

Dear Commissioners:

While we appreciate the Commission’s attempt to craft model privacy legislation that grants citizens robust privacy rights, the undersigned organizations have serious concerns about the ability of state legislatures to enact the proposal due to enforcement provisions already rejected by some states.

Although we believe that Congress should ultimately pass national privacy legislation, it is crucial that any uniform state privacy bill promotes harmonization. Despite many laudable improvements to the substance of the draft before the Commission, the proposed Uniform Personal Data Protection Act (“UDPA”) discourages uniformity through its enforcement provisions.

The enforcement provisions of Section 16 of UDPA state that “[a] knowing violation of this [act] is subject to all remedies, penalties, and authority granted by [cite to state consumer protection act].”  Although the proposed model language does not explicitly grant aggrieved parties a private right of action (“PRA”), referencing the use of “all remedies” under state consumer protection statutes would open the door to PRAs.  Twenty-two states have broad unfair and deceptive trade practices/consumer protection statues that enable a PRA.1  

Enactment of the UDPA, in its present form, would result in disparate enforcement between states having and lacking PRAs. Consequently, the identical law will be interpreted differently in each state through litigation. Exclusive Attorney General(or, as applicable, other equivalent single, state regulatory authority) enforcement will bring greater uniformity across states as such authorities can collaborate with each other in developing effective privacy regulatory regimes to protect consumers.  

For states that provide PRAs through consumer protection statutes, such enforcement leads to unequal treatment and fosters uncertainty from district to district.  PRAs, especially class action lawsuits based on technical violations with no actual consumer harm, have been shown to have negative effects on surrounding communities. They drain judicial resources, stifle business growth and limit the availability of technological innovation to state residents.2  Moreover, PRAs will create a permanent state of uncertainty for consumers and businesses as courts continually reinterpret the law and create differences from court to court.  Relying on a single  regulator to enforce the rights afforded consumers under state privacy laws will produce greater protections and certainty of outcomes as well as  make it easier for consumers to understand their rights.

Voters in California adopted the California Privacy Rights Act in November 2020, which empowers a state agency with sole enforcement rights for privacy violations.3  Virginia recently enacted the Consumer Data Protection Act which similarly gives exclusive enforcement authority to the Commonwealth’s Attorney General.4  Colorado’s legislature passed in June 2021 the Colorado Privacy Act which explicitly bars PRAs for violations of the bill in addition to “any other provision of law.”5  It is clear that a consensus has emerged among states that have passed comprehensive privacy legislation;  PRAs are explicitly not authorized for privacy as opposed to the proposed UDPA.

The inclusion of PRAs has reportedly caused numerous state privacy proposals to fail.6 Legislative chambers have rejected private rights of action in states like Florida, North Dakota, Oklahoma, and Washington State.  In fact, a provision similar to the UDPA in Washington State has prevented passage of the overall bill over the last two years.7

The Uniform Law Commission should follow this emerging uniform approach of giving attorneys general sole enforcement authority and not subjecting companies to lawsuits that complicate the compliance environment.  Given the rejection of PRAs by both Republican and Democratic controlled legislatures and the lack of uniformity encouraged by such enforcement, the ULC should empower state attorneys general with sole enforcement authority. 

The business community stands ready to work with all stakeholders to establish robust privacy protections.  However, a model bill that creates new uncertainty and unequal treatment across states by encouraging the use of PRAs, as the current draft does, will face significant resistance and difficulty being enacted in state legislatures across the country.  

We thank you for this opportunity to comment and look forward to working with you on ways that privacy laws can become more uniform. 

Sincerely,

AFSA
Alliance for Automotive Innovation
Arizona Chamber of Commerce & Industry
Association of Test Publishers
BPI
CDIA
ChamberRVA
Consumer Banking Association
Consumer Technology Association
CTEC
CTIA
Electronic Transactions Association
Escrow Association
FMI, Food Industry Association
Greater Boston Chamber
Greater North Dakota Chamber of Commerce
Illinois Chamber
Insights Association
Internet Association
ITI
MPA – The Association fo Magazine Media Advamed
NAFCU
National Association of Realtors
National Grocers Association
National Restaurant Association
National Retail Federation
NetChoice
New Jersey Coalition for Civil Justice Reform
News Media Alliance
Pennsylvania Chamber
Pennsylvania Coalition for Civil Justice Reform
Real Estate Services Provider Council
SIFMA
SIIA
TechNet
Texas Association of Business
The Business Council of New York
U.S. Chamber Institute for Legal Reform
US Telecom—The Broadband Association
Virginia Bankers Association
Virginia Chamber of Commerce
Washington Retail Association


[1] Alabama, Arizona, Arkansas, California, Connecticut, Idaho, Iowa, Kentucky, Louisiana, Maine, Mississippi, Missouri, Montana, New Jersey, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, West Virginia, and Wisconsin.

[2] U.S. Chamber Institute for Legal Reform, Ill-Suited: Private Rights of Action and Privacy Claims at 14 (July 2019) available at https://instituteforlegalreform.com/wp-content/uploads/media/Private_Rights_of_Action__Ill_Suited_Paper.pdf. 

[3] See California Privacy Rights Act at Section 17 (https://iapp.org/media/pdf/resource_center/ca_privacy_rights_act_2020_ballot_initiative.pdf).

[4] See Virginia Consumer Data Protection Act at §59.1-580(A) (https://lis.virginia.gov/cgibin/legp604.exe?212+ful+SB1392ER+pdf)

[5] See Colorado Privacy Act at § 6-1-1310 (https://leg.colorado.gov/sites/default/files/documents/2021A/bills/2021a_190_rer.pdf)

[6] Compliance Week, “Private right of action proving problematic for state privacy laws,” (May 20210) available at https://www.complianceweek.com/data-privacy/private-right-of-action-proving-problematic-for-state-privacylaws/30343.article.

[7] https://www.jdsupra.com/legalnews/private-right-of-action-may-again-7379283/