Privacy Developments: The Fast-Tracked Uniform State Privacy Law

By: The NBI Team

Tuesday, August 25, 2020

The legal community has been buzzing recently about the development and enactment of state privacy legislation. To that end, the development of a uniform state law for data privacy is on the fast track.

While several pieces of federal legislation concerning consumer privacy data and information are pending in Congress, states have already begun passing laws. In 2018, California passed its Consumer Privacy Act (CCPA), which seemingly provided the driving force for other states to take the initiative in enacting similar laws. Shortly after, Nevada and Maine passed bills concerning personal information collection and internet privacy. Many other states have also followed suit to introduce consumer and data privacy regulatory measures.

The Uniform Law Commission’s Collection and Use of Personally Identifiable Data Act

Proposed federal legislation concerning data privacy could end up preempting state law, which would resolve any issues that could arise from conflicting state laws that significantly restrict state-to-state business activity. However, since a preempting federal law could take a considerable amount of time to pass, the Uniform Law Commission (ULC) has provided states with clarity and guidance for uniformity.

Earlier this year, the ULC drafted the Collection and Use of Personally Identifiable Data Act (CUPID) to address the problems with compliance that could arise due to state-by-state data privacy laws. The ULC’s committee moved quickly in drafting the Act, which has already garnered considerable attention. The project commenced in November 2019, and the first drafting session took place in February 2020.

More than 130 stakeholders, including financial institutions, insurance companies, tech companies, various privacy coalitions, and consumer groups, are observing the Act's development. Many have also offered commentary, insight, and suggestions.

Another drafting session for the Act was held in April 2020 to revise the initial draft. The current version of the uniform law would provide states with a template for drafting and enacting data privacy laws to protect consumers' rights and impose obligations on data controllers. The committee expects to have a finalized draft of the Act in place by the summer of 2021. After the final reading occurs, the Act would be available for state legislatures to adopt during their 2022 sessions.

Framework and Provisions Included in the ULC’s Privacy Act

With companies increasingly collecting personal data for many different purposes, the Act aims to provide a model law for states concerning the regulation of such collection, in addition to providing certain data rights to consumers. In considering the best way to approach the framework, the ULC committee studied other legislative adoptions, including the California law, the European model (GDPR), and statutes already enacted by other state legislatures. The current draft of the Act specifically addresses:

  • Data privacy commitment statements
  • Data privacy assessments
  • A data custodian’s duty to not engage in unfair, abusive, or deceptive practices
  • A data custodian’s responsibility to implement and maintain reasonable data security measures
  • Purpose limitations in processing data
  • A data subject's right to a privacy notice
  • The data subject’s rights to control, correct, consent to, or delete personal data

The drafted Act also provides for regulatory enforcement by the Attorney General and a private right of action under certain circumstances. It includes exemptions for small businesses as well as data that is already subject to other laws.

Data Privacy Regulations and the Practice of Law

As more states pass privacy laws concerning data use and collection, attorneys must be aware of the new and rapidly changing developments, especially those that pertain to their practice areas. With the increasing use of technology, data privacy issues have become increasingly relevant across the legal landscape. The NBI course GDPR, CCPA and Data Privacy Essentials provides a complete overview of what all U.S. attorneys should know about this emerging topic.

Data privacy is not the only issue or challenge that can arise as a result of evolving technology. For information on the latest developments in the area of privacy laws and more, review the NBI Course Catalog for a full list of CLE courses on information privacy, technology, and their impact on the practice of law.

--

This blog post is for general informative purposes only and should not be construed as legal advice or a solicitation to provide legal services. You should consult with an attorney before you rely on this information. While we attempted to ensure accuracy, completeness and timeliness, we assume no responsibility for this post’s accuracy, completeness or timeliness.
