U.S. Chamber Comment Letter on the Uniform Personal Data Act (UDPA)

Harvey Perlman, Chair
Jane Bambauer, Reporter
Collection and Use of Personally Identifiable Data
Uniform Law Commission
111 N. Wabash Ave
Suite 1010
Chicago, IL 60602

Dear Chairman Perlman and Reporter Bambauer:

The U.S. Chamber of Commerce and the U.S. Chamber Institute for Legal Reform (collectively, “the Chamber”) thank you for the opportunity to provide comments to the Uniform Law Commission (“ULC” or “Commission”) on the April 2021 meeting draft on the Uniform Personal Data Act (“UDPA”). Although the Chamber believes that it is Congress that should pass national privacy legislation that establishes one national standard and protects all Americans equally, it is crucial that any uniform state privacy bill promotes real harmonization. Unfortunately, despite many laudable improvements to the substance of the proposed legislation, the UDPA discourages uniformity through its enforcement provisions.

The enforcement provisions of Section 16 of UDPA state that “[a] knowing violating of this [act] is subject to all remedies, penalties, and authority granted by [cite to state consumer protection act.”  Although the proposed model language does not explicitly grant aggrieved parties a private right of action (“PRA”), enabling the use of “all remedies” under state consumer protection statutes would open the door to PRAs.  Twenty-two states have broad unfair and deceptive trade practices / consumer protection statues that enable a PRA.[1]  Enactment of the UDPA, in its present form, would facially encourage disparate enforcement among those states that have and do not have PRAs to enforce state consumer protection statutes. 

For states that provide PRAs through consumer protection statutes, such enforcement leads to unequal treatment of what is actionable and fosters uncertainty in jurisprudence from district to district.  PRAs have been shown to drain judicial resources, threaten innovation by encouraging potential class action lawsuits based on technical violations and not actual harm to consumers.[2]

Voters in California adopted the California Privacy Rights Act in November 2020 which empowers a state agency with sole enforcement rights for privacy violations.[3] Virginia recently enacted the Consumer Data Protection Act which similarly gives exclusive enforcement authority to the Commonwealth’s Attorney General.[4]  Legislative chambers have also rejected private rights of action in states like North Dakota, Oklahoma, and Washington State.  The Uniform Law Commission should follow this emerging uniform approach of giving state agencies sole enforcement authority and not subjecting companies to lawsuits which would complicate the compliance environment. 

Given the rejection of PRAs by both Republican and Democratic controlled legislatures and the lack of uniformity encouraged by such enforcement, the ULC should follow the recommendation of the vast majority of observers present during the drafting process and empower state agencies with sole enforcement authority.  The business community stands ready to work with all stakeholders to codify robust privacy protections but a model bill that discourages uniformity through the inclusion of PRAs will face significant resistance and difficulty being enacted in state legislatures across the country.

We thank you for this opportunity to comment and look forward to working with you on ways that privacy laws can become more uniform. 

Respectfully Submitted,

Tom Quaadman
Executive Vice President
Chamber Technology Engagement Center     

[1] Alabama, Arizona, Arkansas, California, Connecticut, Idaho, Iowa, Kentucky, Louisiana, Maine, Mississippi, Missouri, Montana, New Jersey, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, West Virginia, and Wisconsin.

[2] U.S. Chamber Institute for Legal Reform, Ill-Suited: Private Rights of Action and Privacy Claims at 14 (July 2019) available at https://instituteforlegalreform.com/wpcontent/uploads/media/Private_Rights_of_Action__Ill_Suited_Paper.pdf. 

[3] See California Privacy Rights Act at Section 17 (https://iapp.org/media/pdf/resource_center/ca_privacy_rights_act_2020_ballot_initiative.pdf)

[4] See Virginia Consumer Data Protection Act at §59.1-580(A) (https://lis.virginia.gov/cgibin/legp604.exe?212+ful+SB1392ER+pdf)