Data privacy has never been more important: Nearly 80% of U.S. adults are concerned about how companies use their data. That’s led some to call for more stringent legislation regulating how businesses in the U.S. collect, store, and analyze consumer data.
One of the most popular data privacy legislation emerging, as a result, is the Uniform Personal Data Protection Act or UPDPA. Its proponents argue that it’s much better than the GDPR for businesses while still giving individuals the data privacy they want.
But is that true? And if you run a company, what might your obligations be under the UPDPA?
We’ll answer both questions and reveal more about the UPDPA below.
Understanding the UPDPA
The UPDPA is billed as an “alternative regime” to the existing U.S. privacy regulations. It was specifically designed to provide consumers with a reasonable degree of data privacy protection without burdening businesses.
It’s narrower than other popular data protection legislation, such as the GDPR. This means that consumers have less protection, but businesses can use data more freely.
Drafting legislation is often a tricky balancing act between the interests of two different groups. Those two groups are consumers and businesses. You can think of the UPDPA as tilting the balance a bit more in favor of businesses than what’s been the case historically with other types of data privacy legislation.
What Is the UPDPA law?
Before diving into exactly how the UPDPA differs from other types of data privacy legislation, it’s important to note that it isn’t governing law in the United States.
Instead, it’s a piece of model legislation developed by a non-profit commission called the Uniform Law Commission (ULC). States like Oklahoma and Nebraska have introduced legislation based on the UPDPA, but those efforts are not yet binding.
That means your company doesn’t have to worry about being UPDPA-compliant like it might GDPR compliancy. But the UPDPA is gaining support and could become law soon. It’s worth exploring to make sure you’re ready.
Key points of differentiation from the GDPR
There are a few significant differences between the GDPR and the UPDPA that we’ll cover. But before we get into it, remember that the UPDPA is currently the only model legislation. If a state were to implement it, it would implement its own version – not necessarily the UPDPA in its entirety.
Some of the differences between the GDPA and the UPDPA covered in this section may vary on a state-by-state basis if the legislation were to be passed.
Small business exemption
One of the most significant guest points of differentiation between the UPDPA and the GDPR is the former’s exemption for small businesses.
Under the model legislation, smaller companies only have to use compatible data practices. This takes some of the burdens off their plate, which frees them up to continue using data to grow their company so long as they don’t use any explicitly forbidden practices.
Narrower scope of data
The UPDPA also doesn’t apply to as much consumer data as the GDPR. It’s only relevant when a business “maintains” data as part of a “system of records.” This must also be for personal communication or decisional treatment.
In other words, a company would only need to worry about following UPDPA legislation with data that they’re using consistently to target consumers in personalized ways.
Under the UPDPA, data is split into three categories:
- Compatible
- Incompatible
- Prohibited
A company can use compatible data without consumer consent. But they need special consent to use data that is classified as incompatible.
No consumer right for the deletion of data
Unlike other types of data privacy legislation, the UPDPA doesn’t give consumers the right to request a company delete their data.
Individuals can access and correct their data, but they can’t force a business to delete it from their records as long as the company follows all relevant legal requirements around it.
State-decided punishments for violations
The GDPR has a single set of punishments for companies that violate the act. Businesses that don’t abide by the GDPR when they were supposed to can face fines of up to 20 million Euros or 4% of worldwide turnover.
There aren’t any punishments attached to the UPDPA yet since it hasn’t officially been passed into law. But if a state decides to adopt a version of the UPDPA, it will be free to set its punishments.
This gives the states extra control over how strictly or loosely they regulate consumer data privacy in their territory instead of forcing them to abide by a national standard.
Risk-based approach
The main idea behind the UPDPA is different than every other type of data privacy legislation. It revolves around the concept of risk management.
Essentially, it scales the level of data protection requirements based on the risk that each specific type of data represents.
For example, the GDPR says that the same level of data privacy protection is needed for consumer loyalty programs at grocery stores as is necessary for confidential healthcare records.
The UPDPA sees the risk variance between these two types of data and adjusts businesses’ data privacy requirements accordingly.
Is the Uniform Personal Data Protection Act better for consumers?
It’s difficult to argue that the Uniform Personal Data Protection Act is better for consumers. The sole purpose of the model legislation is to create a version of data privacy law that is fairer to businesses than current laws like the GDPR.
When the balance of regulation shifts more in favor of companies, it naturally shifts away from consumers.
The question is whether the UPDPA still offers enough data privacy protection to consumers while giving businesses more control over their online marketing activities.
There’s no one answer here. Every person and state will have their own opinion about the merits of the UPDPA. We probably won’t see the same version of this model legislation passed in every state.
Is the UPDPA better for companies?
The Uniform Personal Data Protection Act is undoubtedly a better piece of legislation than the GDPR for companies. That’s because it carves out more exceptions for the types of data that companies need to worry about keeping private and even the types of businesses that are subject to following the legislation.
Essentially, if the model version of the UPDPA were to replace the GDPR, businesses would have much more freedom over how they collect, track, and analyze consumer information online.
Plus, companies won’t need to delete a consumer’s data if they don’t want to. That should make it easier for them to maintain high-quality marketing databases.
What’s next for the UPDPA?
As of the time of writing, the future of the UPDPA is still uncertain. It’s not a piece of model legislation that has near-unanimous support.
Most companies are typically in favor of the Uniform Personal Data Protection Act. But many organizations acting as watchdogs for consumer privacy are against this model legislation.
Given the controversial nature of the law, it’s likely that we’ll only see some states adopt it in the future. It will likely be preferred in states looking for a lighter touch when regulating how companies interact with consumer data.
But in states that tend to take data protection more seriously, the UPDPA is probably not a preferred choice. Or, if one of those states does decide to adopt a version of the UPDPA, it will likely need to feature additional protections for consumers to satisfy data privacy watchdog groups.
LeadLander makes it easier to respect your clients’ data privacy
Online marketing is one of the most effective ways to find new leads and work toward converting them into paying customers. But to do that well, you need to track and analyze data showing how your target audience interacts with your website. And that can present some data privacy concerns.
LeadLander can help you get the data you need from your website without violating any governing data privacy legislation – UPDPA, GDPR, or otherwise.
Our website visitor tracking software makes it easy to see who’s visiting your website, how they’re getting to it, and what actions they’re taking (as it pertains to your business). It also presents that information in a simple dashboard that everyone in your organization can use.
But don’t take our word for it. You can sign up for a free demo of LeadLander today to experience the full value.