Texas A&M law professor Brian Larson and public-health professors Cason Schmit and Hye-Chung Kum advise legislators and public-health professionals in the U.S. to act on the proposed Uniform Personal Data Protection Act (UPDPA), likely to be adopted July 10, 2021 by the Uniform Law Commissioners (ULC). The Act is designed to be adopted by states seeking a comprehensive data privacy statute, and it has important effects on public-health research and interventions.
Key points:
It has become a cliché that U.S. data privacy laws are a patchwork of federal and state statutes and regulations. Unlike the European Union’s “GDPR,” there is no comprehensive national privacy law in the U.S. If state legislatures begin adopting the UPDPA, it could bring some much-needed uniformity to U.S. privacy law.
There are key questions about how UPDPA would affect public-research and interventions in states that adopt it. Research co-authored by Schmit and Kum demonstrates that consumers find university and non-profit research and public-health efforts the most acceptable uses of personal data, much more so than uses for business purposes. They administered a national survey in February 2020, before COVID struck. (Preliminary results from a larger survey, conducted in late October 2020, confirm the earlier results.) Consumers responded to 72 data-use scenarios, and researchers found that the ten scenarios most acceptable to consumers involved use by a university researcher or non-profit for scientific research or public health. The five most disfavored scenarios involved for-profit businesses using data for profit-driven or marketing activities. Interestingly, which types of data were used had little effect on consumers’ choices.
As a comprehensive privacy act, the Uniform Personal Data Protection Act (UPDPA) focuses not on specific types of data, but on the conduct of the “controllers” and “processors” who maintain data, a step closer to the consumer preferences identified in Schmit and Kum’s work. As of July 6, the draft UPDPA includes a revision that makes “generalized research” a “compatible data practice.” The Act defines generalized research as “the use of personal data to discover insights related to public health, public policy, or other matters of general public interest and does not include use of personal data to make a prediction or determination about a particular data subject.” The revision is in response to June comments from Schmit, Kum, and Larson to the ULC urging that the Act take into account public-health concerns. This is a positive development, but some public-health concerns remain:
But the UPDPA does not remove all obstacles to appropriate research. By making generalized research a “compatible data practice,” the Act requires that businesses collecting data and planning to share it with researchers must disclose that fact to consumers in their privacy policies. Also of concern is that the UPDPA lacks clarity about the extent to which businesses could cooperate with university and non-profit organizations attempting to develop public-health interventions. For example: Assuming research already identifies a connection between purchasing a certain product and a certain public-health issue, could a university or non-profit cooperate with a retailer to reach out to customers who might be affected by the issue? It’s not clear. Finally, because of the nature of the Act, it permits an industry or category of data user to convene stakeholders to develop a voluntary consensus standard (VCS)—a kind of publicly debated industry standard that the state attorney general reviews and approves—that clarifies what data disclosures and uses are permitted.
Action items for public-heath researchers and professionals include:
With questions and comments on these recommendations, contact Brian Larson (mob: 612-703-8814, brian@tendallarson.com) or Cason Schmit (schmit@tamu.edu).
The authors are grateful for research support from a Texas A&M University Triads for Transformation (T3) grant and the Texas A&M Population Informatics Lab.