Government of the District of Columbia
UNIFORM LAW COMMISSION
October 18, 2021
The Honorable Phil Mendelson
Chairman
Council of the District of Columbia
The John A. Wilson Building,
1350 Pennsylvania Avenue, NW
Washington, DC 20004
RE: Request for introduction of the Uniform Personal Data Protection Act of 2021.
Dear Chairman Mendelson:
Pursuant to Rule 401(b)(1) of the Rules of Organization and Procedure for the
Council, this is to request, on behalf of the District of Columbia Uniform Law
Commission, that you introduce the proposed Uniform Personal Data Protection Act of
2021. This bill is based on the Uniform Personal Data Protection Act (UPDPA),
which was adopted by the National Conference of Commissioners on Uniform State
Laws (NCCUSL) in July of this year. UPDPA is the product of several years' work by
NCCUSL with the participation of a broad mixture of organizations and individuals
concerned with personal data privacy. UPDPA applies fair information practice
principles to the collection and use of personal data from consumers by businesses. It is
not regulatory and, thus, avoids the high compliance and enforcement costs and the
anticompetitive effects of regulatory acts. It balances the interests of consumers and
businesses and permits flexibility and innovation, which will benefit consumers.
One of the inducements for NCCUSL to undertake this project was the threat of
federal preemption. A number of bills have been introduced in Congress that would
preempt state laws in this area and regulate data practices and consumers' privacy rights
through the Federal Trade Commission. NCCUSL believes that state law should govern
areas of the law traditionally governed by state law, such as consumer protection.
UPDPA applies to data controllers, which determine the purpose and means of
data processing, and to data processors, which process the data at the direction of the
controllers. The act applies to personal data, which includes (1) data linked to an
individual by a direct identifier, such as name, address, and telephone number, and
(2) pseudonymized data, which is data that lacks direct identifiers but that can be readily
accessed by use of a code, such as an Internet Protocol Address.
UPDPA divides data practices into three categories: (1) compatible data
practices, i.e., those that are consistent with the data subject's interests or reasonable
expectations; (2) prohibited data practices, i.e., those that pose substantial risk of harm
to data subjects; and (3) incompatible (but consentable) data practices, i.e., those that are
neutral as to their benefit or harm and may be used with the consent of the data subject.
UPDPA provides special protections for sensitive data, including information as to
race, religious belief, gender, sexual orientation, citizenship, immigration status,
geolocation in real time, criminal record, medical diagnoses, Social Security Number,
numbers of government issued identification, and information pertaining to children
under 13. An incompatible data practice involving sensitive data may only be used with
the express consent of the data user in advance.
UPDPA applies to controllers or processors that conduct business in the District or
provide products or services directed to District residents. The Act applies to controllers
or processors that maintain personal data of more than 50,000 District residents or that
earn more than 50% of their annual income from maintaining this data, and also to any
such business that maintains data for incompatible or prohibited data practices. To be
maintained, data must be part of a system of records about individuals for purposes of
individualized communication or decisions. Thus, it excludes data transactions used
solely for credit card purchases or unstructured e-mail communications. UPDPA does
not apply to data maintained by the District, data subject to disclosure by law or court
order, data maintained for employment purposes, or publicly available information. The
latter exemption is included to avoid challenges under the First Amendment.
UPDPA gives data subjects important, nonwaivable rights, notably the right to a
copy of their data and the right to have the collecting controller correct or amend data.
UPDPA does not contain a right to deletion of data because, among other reasons, this
would invite challenges under the First Amendment. It was considered that the
restrictions of use of data for compatible practices and for incompatible practices only
with consent are sufficient. UPDPA also requires controllers to adopt a clear and
accessible data privacy policy, and requires controllers and processors to undertake data
privacy security risk assessments.
To avoid unnecessary duplicative enforcement schemes, UPDPA provides that
transactions covered by specific federal statutes, including the Health Insurance
Portability and Accountability Act, the Gramm-Leach-Bliley Act for financial
information, and the Children's Online Privacy Protection Act, are exempted. UPDPA
also authorizes the Attorney General for the District of Columbia to determine, on a case-
by-case basis, whether transactions subject to laws of other jurisdictions that are at least
as protective as UPDPA are similarly exempt.
To provide flexibility to respond to unforeseen developments in the future
affecting personal data, UPDPA authorizes the creation of voluntary consensus
standards with the participation of all pertinent stakeholders for an industry. These
standards would have to be adopted by the attorneys general of states that have enacted
UPDPA and promulgated by rule. UPDPA contemplates that the adoption of these
standards will be coordinated by the National Association of Attorneys General, which
has a Working Group on Data Privacy, and, thus, will achieve national uniformity.
Similar approaches have been taken in other areas of the law, including consumer product
safety and children's on-line privacy.
UPDPA does not attempt to create its own enforcement scheme, but incorporates
the consumer protection procedures of each enacting state. Enforcement of UPDPA
would be by the Attorney General for the District of Columbia. It is contemplated that
enforcement of data practices of controllers and processors that engage in multistate
activities will be coordinated by the state attorneys general.
Finally, UPDPA does not displace general causes of action under statute or the
common law, such as those for defamation, invasion of the right of privacy, and
intentional infliction of emotional harm. These general rights of action remain intact.
In sum, enactment of UPDPA would provide real protections for consumers'
personal data without imposing onerous, and often impossible, burdens on controllers and
processors. It is a law that will encourage the responsible growth of data practices in
the District.
The proposed Uniform Personal Data Protection Act of 2021 and a copy of the
official version of UPDPA with comments are being filed with the Secretary with this
letter. In addition, we have filed (1) a short summary of UPDPA; (2) a statement as to
why UPDPA should be adopted, and (3) the official version of the UPDPA with
comments. Please let us know if you have any questions.
Sincerely,
James C. McKay, Jr.
Chair
D.C. Uniform Law Commission
cc: Uniform Law Commissioners
Chairman Phil Mendelson at the request
of the
District of Columbia Uniform Law Commission
A BILL
IN THE COUNCIL OF THE DISTRICT OF COLUMBIA.
To enact the Uniform Personal Data Protection Act, to apply fair information practice principles
to the collection and use of consumers' personal data by businesses; to permit without
consent compatible data practices that are consistent with the data user's general
expectations or benefit the data users; to permit incompatible data practices that are not
harmful with notice and consent; to prohibit certain data practices that pose a substantial
risk of harm; to cover data controllers and processors that conduct business in the District
or provide products or services directed toward District residents and maintain personal
data of more than 50,000 residents or earn more than 50% of annual income from
maintaining this data, or any businesses that maintain incompatible or prohibited data
practices; to exempt data maintained by District agencies and certain other data,
including publicly available information, data subject to disclosure by court order or
statute, and data relating to employment; to give data subjects the right to a copy of, and
to the correction or amendment of, their data; to require data controllers to adopt a data
privacy policy; to require controllers and processors to conduct appropriate security risk
assessments; to provide that compliance with certain federal laws, and laws of other
jurisdictions designated by the Attorney General, suffices as compliance with this
chapter; to encourage the creation of voluntary consensus standards by stakeholders that
are recognized by the Attorney General by rule; to provide for enforcement through
existing consumer protection procedures; and to provide that existing common-law
causes of action are not displaced by this chapter,
BE IT ENACTED BY THE COUNCIL OF THE DISTRICT OF COLUMBIA, That this
act may be cited as the Uniform Personal Data Protection Act of 2021.
Sec. 2. Subtitle II of Title 28 of the District of Columbia Code is amended as follows:
(a) The table of contents is amended by adding a new chapter designation to read as follows:
Chapter 55. Personal Data Protection; Uniform Act.
(b) A new Chapter 55 is added to read as follows:
CHAPTER 55. PERSONAL DATA PROTECTION; UNIFORM ACT
Section
28-5501. Title.
28-5502. Definitions.
28-5503. Scope.
28-5504. Controller and processor responsibilities.
28-5505. Right to copy and correct personal data.
28-5506. Privacy policy.
28-5507. Compatible data practice.
28-5508. Incompatible data practice.
28-5509. Prohibited data practice.
28-5510. Data-privacy and security-risk assessment.
28-5511. Compliance with other law protecting personal data.
28-5512. Compliance with voluntary consensus standard.
28-5513. Content of voluntary consensus standard.
28-5514. Procedure for development of voluntary consensus standard.
28-5515. Recognition of voluntary consensus standard.
28-5516. Rules and enforcement.
28-5517. Limits of chapter.
28-5518. Uniformity of application and construction.
28-5519. Electronic Records and Signatures in Global and National Commerce Act.
28-5501. Title.
This chapter may be cited as the "Uniform Personal Data Protection Act".
28-5502. Definitions.
In this chapter:
(1) "Attorney General" means the Attorney General for the District of Columbia.
(2) "Collecting controller" means a controller that collects personal data directly from a data subject.
(3) "Compatible data practice" means processing consistent with 28-5507.
(4) "Controller" means a person that, alone or with others, determines the purpose and means of processing.
(5) "Data subject" means an individual who is identified or described by personal data.
(6) "Deidentified data" means data that is modified to remove all direct identifiers and to reasonably ensure that the record cannot be linked to an identified data subject by a person that does not have personal knowledge of or special access to the data subject's information.
(7) "Direct identifier" means information that is commonly used to identify a data subject, including name, physical address, email address, recognizable photograph, and telephone number.
(8) "District" means the District of Columbia.
(9) "Incompatible data practice" means processing that may be performed consistent with 28-5508.
(10) "Maintains", with respect to personal data, means to retain, hold, store, or preserve personal data as a system of records used to retrieve records about individual data subjects for the purpose of individualized communication or treatment.
(11) "Person" means an individual, estate, business or nonprofit entity, or other legal entity. The term does not include a public corporation or government or governmental subdivision, agency, or instrumentality.
(12) "Personal data" means a record that identifies or describes a data subject by a direct identifier or is pseudonymized data. The term does not include deidentified data.
(13) "Processing" means performing or directing performance of an operation on personal data, including collection, transmission, use, disclosure, analysis, prediction, and modification of the personal data, whether or not by automated means. "Process" has a corresponding meaning.
(14) "Processor" means a person that processes personal data on behalf of a controller.
(15) "Prohibited data practice" means processing prohibited by 28-5509.
(16) "Pseudonymized data" means personal data without a direct identifier that can be reasonably linked to a data subject's identity or is maintained to allow individualized communication with, or treatment of, the data subject. The term includes a record without a direct identifier if the record contains an Internet protocol address, browser, software, or hardware identification code, or other data uniquely linked to a particular device. The term does not include deidentified data.
(17) "Publicly available information" means information:
(A) Lawfully made available from a federal, state, or local government record;
(B) Available to the general public in widely distributed media, including:
(i) A publicly accessible website;
(ii) A website or other forum with restricted access if the information is available to a broad audience;
(iii) A telephone book or online directory;
(iv) A television, Internet, or radio program; and
(v) News media;
(C) Observable from a publicly accessible location; or
(D) That a person reasonably believes is made available lawfully to the general public if:
(i) The information is of a type generally available to the public; and
(ii) The person has no reason to believe that a data subject with authority to remove the information from public availability has directed the information to be removed.
(18) "Record" means information:
(A) Inscribed on a tangible medium; or
(B) Stored in an electronic or other medium and retrievable in perceivable form.
(19) "Sensitive data" means personal data that reveals:
(A) Racial or ethnic origin, religious belief, gender, sexual orientation, citizenship, or immigration status;
(B) Credentials sufficient to access an account remotely;
(C) A credit or debit card number or financial account number;
(D) A Social Security number, tax-identification number, driver's license number, military identification number, or identifying number on a government-issued identification;
(E) Geolocation in real time;
(F) A criminal record;
(G) Income;
(H) Diagnosis or treatment for a disease or health condition;
(I) Genetic sequencing information; or
(J) Information about a data subject the controller knows or has reason to know is under 13 years of age.
(20) "Sign" means, with present intent to authenticate or adopt a record:
(A) Execute or adopt a tangible symbol; or
(B) Attach to or logically associate with the record an electronic symbol, sound, or procedure.
(21) "Stakeholder" means a person that has, or represents a person that has, a direct interest in the development of a voluntary consensus standard.
(22) "State" means a state of the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, or any other territory or possession subject to the jurisdiction of the United States. The term includes a federally recognized Indian tribe.
(23) "Third-party controller" means a controller that receives from another controller authorized access to personal data or pseudonymized data and determines the purpose and means of additional processing.
28-5503. Scope.
(a) Except as provided in subsections (b) and (c) of this section, this chapter applies to the activities of a controller or processor that conducts business in the District or produces products or provides services purposefully directed to residents of the District and:
(1) At any time during a calendar year maintains personal data about more than 50,000 data subjects who are residents of the District, excluding data subjects whose data is collected or maintained solely to complete a payment transaction;
(2) Earns more than 50 percent of its gross annual revenue during a calendar year from maintaining personal data as a controller or processor;
(3) Is a processor acting on behalf of a controller the processor knows or has reason to know satisfies paragraph (1) or (2) of this subsection; or
(4) Maintains personal data, unless it processes the personal data solely using compatible data practices.
(b) This chapter does not apply to an agency or instrumentality of the District.
(c) This chapter does not apply to personal data that is:
(1) Publicly available information;
(2) Processed or maintained solely as part of human-subjects research conducted in compliance with legal requirements for the protection of human subjects;
(3) Processed or disclosed as required or permitted by a warrant, subpoena, or court order or rule, or otherwise as specifically required by law;
(4) Subject to a public-disclosure requiremen