In 2021, the Uniform Law Commission (ULC) finalized its Uniform Personal Data Protection Act (UPDPA), a model law intended to be a guide to states seeking to enact broad privacy laws. Unfortunately, the ULC’s law is beyond disappointing. Quite frankly, the UPDPA is quite terrible. No state should adopt it in whole or in part. It is hard to find anything to salvage in the UPDPA. It’s a law as clunky as its acronym. I find it shocking that the ULC could propose such a awful law. It is, sad to say, quite shameful.
The UPDPA is quite spare and loose. The heart of the law is basically as follows: (1) companies can use personal data without people’s consent as long as there is a “compatible data practice” and (2) if the event of an “incompatible” data practice, companies only need to provide a chance to opt out.
The ULC has cooked up a broth that is so insubstantial, so thin and fetid, that it is hardly any different from bilge water. One might think I’m exaggerating for dramatic effect, but if you look at the law, you’ll see that my comments are far from rhetorical flourishes but are quite restrained.
More specifically, Section 7(a) provides:
A controller or processor may engage in a compatible data practice without the data subject’s consent. A controller or processor engages in a compatible data practice if the processing is consistent with the ordinary expectations of data subjects or is likely to benefit data subjects substantially.
This provision is so vague that it permits companies to do nearly anything. Even data practices that are not expected by people are fine if a company deems them “likely to benefit data subjects substantially.” Every company thinks that what it does provides a benefit and makes the world a better place. It’s hard to imagine how anyone could fail to cook up a rationale for nearly any data use that wouldn’t somehow constitute a “compatible” practice.
The 
