Texas A&M law professor Brian Larson and public-health professors Cason Schmit and Hye-Chung Kum advise legislators and public-health professionals in the U.S. to act on the proposed Uniform Personal Data Protection Act (UPDPA), likely to be adopted July 10, 2021 by the Uniform Law Commissioners (ULC). The Act is designed to be adopted by states seeking a comprehensive data privacy statute, and it has important effects on public-health research and interventions.
Key points:
- Getting non-health data from private sources about things like consumer purchasing habits is valuable for understanding public-health problems and for intervening to solve them.
- Poorly conceived data privacy laws can hamper responses to catastrophic health events, such as the COVID-19 pandemic, opioid abuse, and even the health effects of systemic racism.
- UPDPA will promote public-health research, responding to the fact that consumers find non-profit and university research and public-health efforts the most acceptable uses of personal data.
- Public-health professionals will need to act so that state legislatures and private businesses do not blunt the Act’s positive effects.
It has become a cliché that U.S. data privacy laws are a patchwork of federal and state statutes and regulations. Unlike the European Union’s “GDPR,” there is no comprehensive national privacy law in the U.S. If state legislatures begin adopting the UPDPA, it could bring some much-needed uniformity to U.S. privacy law.
- Federal privacy statutes are mostly limited to specific types of data, like health, education, and video-rental records.
- Some state legislatures have adopted comprehensive laws since 2018, including California, Virginia, and Colorado.
- ULC is expected to approve the UPDPA at its annual meeting in Madison, Wisconsin. The ULC has had success getting states to adopt other uniform acts; for example, the Uniform Anatomical Gift Act, governing organ donations in 46 states.
There are key questions about how UPDPA would affect public-research and interventions in states that adopt it. Research co-authored by Schmit and Kum demonstrates that consumers find university and non-profit research and public-health efforts the most acceptable uses of personal data, much more so than uses for business purposes. They administered a national survey in February 2020, before COVID struck. (Preliminary results from a larger survey, conducted in late October 2020, confirm the earlier results.) Consumers responded to 72 data-use scenarios, and researchers found that the ten scenarios most acceptable to consumers involved use by a university researcher or non-profit for scientific research or public health. The five most disfavored scenarios involved for-profit businesses using data for profit-driven or marketing activities. Interestingly, which types of data were used had little effect on consumers’ choices.
As a comprehensive privacy act, the Uniform Personal Data Protection Act (UPDPA) focuses not on specific types of data, but on the conduct of the “controllers” and “processors” who maintain data, a step closer to the consumer preferences identified in Schmit and Kum’s work. As of July 6, the draft UPDPA includes a revision that makes “generalized research” a “compatible data practice.” The Act defines generalized research as “the use of personal data to discover insights related to public health, public policy, or other matters of general public interest and does not include use of personal data to make a prediction or determination about a particular data subject.” The revision is in response to June comments from Schmit, Kum, and Larson to the ULC urging that the Act take into account public-health concerns. This is a positive development, but some public-health concerns remain:
But the UPDPA does not remove all obstacles to appropriate research. By making generalized research a “compatible data practice,” the Act requires that businesses collecting data and planning to share it with researchers must disclose that fact to consumers in their privacy policies. Also of concern is that the UPDPA lacks clarity about the extent to which businesses could cooperate with university and non-profit organizations attempting to develop public-health interventions. For example: Assuming research already identifies a connection between purchasing a certain product and a certain public-health issue, could a university or non-profit cooperate with a retailer to reach out to customers who might be affected by the issue? It’s not clear. Finally, because of the nature of the Act, it permits an industry or category of data user to convene stakeholders to develop a voluntary consensus standard (VCS)—a kind of publicly debated industry standard that the state attorney general reviews and approves—that clarifies what data disclosures and uses are permitted.
Action items for public-heath researchers and professionals include:
- Public-health (and other) researchers will need to engage in awareness campaigns to get businesses to include this kind of data practice in their privacy policies so researchers can access the data.
- Public-health professionals should seek revisions to the UPDPA as it is actually enacted in states to ensure these public-health interventions are permitted.
- Public-health professionals may wish to develop one or more VCSs to permit them to make appropriate use of personal data for public-health research and interventions.
With questions and comments on these recommendations, contact Brian Larson (mob: 612-703-8814, brian@tendallarson.com) or Cason Schmit (schmit@tamu.edu).
The authors are grateful for research support from a Texas A&M University Triads for Transformation (T3) grant and the Texas A&M Population Informatics Lab.