District of Columbia Uniform Personal Data Protection Act of 2021: Bill 24-451

Note: This act did not pass and died in committee in 2021.

The Uniform Law Commission (ULC) voted to endorse the Uniform Personal Data Protection Act (UPDPA) in July of 2021. The UPDPA is a prototype data privacy law designed to be sponsored in state legislatures throughout the United States that seeks to provide a comprehensive framework for data privacy laws in the United States, and it is based on standards of transparency, choice, accountability, and data security.

This article will provide an overview of B24-0451 - Uniform Personal Data Protection Act of 2021 in Washington, D.C., what it includes, whom it will affect, and what businesses should do to get ready if it passes.

General Background of the District of Columbia Uniform Personal Data Protection Act of 2021 (UPDPA)

District of Columbia residents may soon have greater control over their personal data. On October 18, 2021, D.C. Council Chairman Phil Mendelson presented B24-0451 to the D.C. council.

The bill would give residents the right to know what personal data is being collected about them, the right to refuse the collection of specific data, and the right to have their data deleted.

In addition, the bill would establish penalties for companies that violate these rights. Accompanying the bill's text is a letter from James C. McKay, Jr., the Chair of the D.C. Uniform Law Commission, explaining why the UPDPA should be passed.

If passed, the act will apply to any controller or processor that conducts business in Washington, D.C., or produces products or services purposefully directed to its residents.

Furthermore, the act will apply to entities that:

• Maintain personal data about more than 50,000 residents of Washington, D.C.,
• Earn more than 50% of its gross annual revenue from maintaining personal data,
• Act on behalf of a controller the processor knows or has reason to know satisfies (1) or (2), or
• Maintain personal data unless it processes the personal data solely using compatible data practices

If the UPDPA is adopted, it will significantly impact how companies do business in Washington, D.C., so it is essential to stay informed of any developments.

The District of Columbia Uniform Personal Data Protection Act's Novel Approach

The ULC, or the Uniform Law Commission, is a non-profit organization that provides legal guidance to states on various issues. In recent years, the ULC has turned its attention to the problem of data privacy, and it has drafted a model act that it claims will improve upon existing state laws.

The ULC's approach is novel in several respects.

First, it seeks to create a more flexible framework for data privacy laws, one that can be customized to the particular needs of each state.

Second, it seeks to reduce the cost of compliance for businesses by exempting small companies and startups from certain provisions of the law.

Finally, it sets forth several principles that it believes will guide states in enacting their own data privacy laws.

In July 2021, the ULC approved the final version of the Uniform Personal Data Protection Act (UPDPA). B24-0451 is virtually identical to it.

How B24-0451 Differs from Other American Privacy Laws

While B24-0451 is similar to other privacy legislation currently proposed in various states, it still differs in several respects. Let's look at some of them.

Compatibility

The UPDPA divides data practices into three categories:

• Compatible,
• Prohibited, and
• Incompatible

The "data practice category" specifies the permissibility and restrictions applicable to a given activity.

Controllers may pursue "compatible data practices" without consent, irrespective of the information's sensitivity. Compatible data practices include data processing activities which are "consistent with the ordinary expectations of data subjects or are likely to benefit data subjects substantially."

Controllers must, however, take into account the effects of the processing on the rights and freedoms of data subjects and the expected consequences of the processing.

Informed consent is not required where the processing is needed for the execution of a contract to which the data subject is party or where the processing is required by law.

However, controllers must still consider the rights and freedoms of data subjects when engaging in compatible data practices.

The UPDPA presents six factors that may be considered when determining whether a processing activity constitutes a compatible data practice. It also provides 10 examples of data processing activities that are considered "per se compatible," such as processing required under legal requirements processing to carry out a transaction.

Notably, in what appears to be an effort not to obstruct the data-driven economy, divulging pseudonymized data, like a device identifier, to a third party for targeted advertising is per se compatible.

The UPDPA's comprehensive and balanced approach is designed to protect big data while also ensuring that people have some control over their personal information. This will undoubtedly be a relief to many businesses who were worried about the possible restrictions on data processing under the GDPR.

However, it is crucial to mention that the UPDPA is not yet in effect, and it remains to be seen how it will be interpreted and applied in practice.

Prohibited Practices

On the other hand, controllers are forbidden from engaging in "prohibited data practices." Under the UPDPA, banned practices include those that will probably lead to assorted forms of physical, emotional, financial, or reputational damage.

Prohibited practices extend to those that may represent a "highly offensive" intrusion on seclusion or solitude. The UPDPA specifically states that processing in the absence of reasonable data security measures is a forbidden data practice.

And, of course, processing activities not outlined in a controller's Privacy Policy are also prohibited.

Incompatible Data Practices

Whether a data processing action is compatible, incompatible, or prohibited is dependent upon its processing circumstances. In other words, the same data processing activities can shift between these different legal statuses depending on contextual changes.

For example, if a business's mobile application collects personal data for fraud detection purposes but the business's Privacy Policy says that it will only use that data for marketing purposes, then the collection would be an incompatible data practice.

However, if the business subsequently updates its Privacy Policy to state that it will also use collected personal data for fraud detection purposes, then the collection would become a compatible data practice.

Controllers must provide notice and the opportunity to opt out of incompatible data practices involving non-sensitive data.

Likewise, controllers must get express written consent from consumers for sensitive data.

Data Subject Rights Under the District of Columbia Uniform Personal Data Protection Act (UPDPA)

For individuals concerned about their data privacy, the UPDPA provides some protections in the form of access and correction rights. However, these rights only apply to data that controllers initially collected.

This determination was based on the difficulties non-collecting controllers face when attempting to verify the authenticity of such requests.

The UPDPA does not provide consumers with a right to request the deletion of their data. In the annotated edition of the UPDPA, the ULC states the challenges associated with carrying out deletion requests and notes that the previously mentioned compatibility framework bestows "sufficient protection."

The exclusion of this right was also likely motivated by the ULC's desire to avoid substantial disruptions to the data-driven economy. The omission of this right is a divergence from nearly every U.S. and international privacy regime currently on the books.

Privacy Policy Requirements Under the District of Columbia Uniform Personal Data Protection Act (UPDPA)

The UPDPA is modeled after other state privacy laws, but there are significant differences in the requirements for businesses' Privacy Policies.

For example, under the UPDPA, businesses must explain how their data processing activities align with the data practice categories described in the law. This potentially burdensome drafting task is partially mitigated by the substituted compliance features described below.

Substituted Compliance

The attorney general may elect to offer substituted compliance to a covered entity, which means that the entity would comply with another privacy law that is just as protective, if not more so.

In other words, a business that is subject to the California Consumer Privacy Act (CCPA) could comply with the UPDPA by implementing its CCPA policies and procedures in the UPDPA-governed jurisdiction.

This would significantly decrease the compliance costs associated with businesses that operate in multiple jurisdictions.

The attorney general may consider factors such as the degree of similarity between the two laws, the hardship imposed on the covered entity, and whether the covered entity's compliance with the other law would adequately protect the personal data of individuals.

Additionally, transactions covered by specific federal statutes, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) for financial information, and the Children's Online Privacy Protection Act (COPPA), are exempted.

This helps to avoid unnecessary enforcement schemes and keeps things more streamlined.

Enforcement of the District of Columbia Uniform Personal Data Protection Act (UPDPA)

The Attorney General for the District of Columbia will oversee the enforcement of the Uniform Data Practices Act.

Meanwhile, it is anticipated that state attorney generals across the United States will oversee the enforcement of controller and processor data practices within their respective regions. This coordination would help ensure that all entities subject to the act comply with its provisions.

The UDPA does not provide for private rights of action, which means that individuals cannot sue for damages under the law.

However, some state consumer protection laws do provide for private rights of action. The debate over whether to extend this provision to the UDPA has been ongoing in states such as Florida and Washington.

Summary

Data is becoming increasingly important in our society, and the way that information is used and collected is becoming more and more complex.

The ULC approved the UPDPA in July 2021, and the District of Columbia Council introduced b24-0451, based on the UPDPA framework, a few months later, on October 18, 2021.

The bill, which is presently in committee, seeks to apply fair information practices to the collection and use of consumer data by businesses.

The National Conference of Commissioners on Uniform State Laws (NCCUSL) is actively advocating for its adoption, believing that "state law should govern areas of the law traditionally governed by state law, such as consumer protection."

The NCCUSL is confident that other jurisdictions will have a similar appetite for data privacy legislation within the coming months.

With the UPDPA, states will be able to pass their own laws that are tailored to their specific needs and demographics. The UPDPA allows states to adopt consumer privacy laws that best protect their citizens while still providing businesses with predictability and certainty.

Given the ULC's stature, the UPDPA framework could potentially become the de facto standard for data privacy in the United States if enough states adopt it.

Thus, even though B24-0451 hasn't been passed into law and the UPDPA's fate is uncertain, it is worth paying heed to. In the coming months it could have a significant impact on data privacy in America and elsewhere.