As we look ahead at 2022, we here provide a quick wrap-up of key developments for U.S. state privacy laws in the past year:

  • California Privacy Protection Agency is appointed and commences rulemaking. In June, the new California Privacy Protection Agency (CPPA) held its inaugural public meeting, creating subcommittees focused on rulemaking and regulations, public awareness and guidance, and startup and administration.  The CPPA will have rulemaking authority under the CPRA, which goes into effect in January 2023.  In September, the CPPA kicked of its preliminary rulemaking activities by inviting public comments regarding any area on which the CPPA has authority to adopt rules.  Submitted comments are now publicly available.
  • Virginia enacts the Virginia Consumer Data Protection Act. In March, the Virginia governor approved the Virginia Consumer Data Protection Act (VCDPA), a comprehensive consumer privacy law with requirements for data controllers and processors.  Under the law, controllers must provide consumers a privacy notice containing specific information, provide certain data subject rights, and conduct data protection assessments, and processors must include certain provisions in contracts with controllers, such as a requirement to cooperate with compliance assessments by the controller or conduct such assessments independently.  The VCDPA mandated a working group of the General Assembly’s Joint Commission on Technology and Science to consider public recommendations, by November 1, 2021, which the state legislature can consider if it amends the VCDPA before it goes into effect on January 1, 2023.  One point the working group raised in its Final Report is whether the law should direct an agency to promulgate regulations.  See our posts on the passage and enactment of the VCDPA and the working group’s Final Report.
  • Colorado enacts the Colorado Privacy Act. In July, Colorado enacted the Colorado Privacy Act (CPA), a comprehensive data privacy law.  The CPA provides consumers the rights of access, correction, deletion, and to opt-out of processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling.  It also imposes a duty of care to secure personal data and requires affirmative consent prior to processing sensitive data about the customer.  The CPA, discussed further here, will go into effect on January 1, 2023.
  • Uniform Law Commission finalizes a model state privacy bill. In July, the Uniform Law Commission voted to approve its Uniform Personal Data Protection Act (UPDPA) as a model template for uniform state privacy legislation.  The UPDPA departs from previously enacted state privacy frameworks with the intent of “provid[ing] a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with the California and Virginia regimes.”

Looking forward to 2022, we anticipate continued progress on privacy rulemakings prompted by the CPRA and CPA and interest in comprehensive privacy legislation by state legislatures.  The rulemaking underway with California’s CPPA will continue, and the Colorado Attorney General may begin the process of promulgating rules for carrying out the CPA (it must adopt rules creating specifications for the universal opt-out mechanism by July 1, 2023).

Several states are already considering comprehensive privacy bills that will carry into 2022, including Oklahoma, Minnesota, North Carolina, Ohio, Pennsylvania, Alaska, D.C., Illinois, Massachusetts, and New York.  We expect additional states to introduce comprehensive data privacy bills in 2022, including Tennessee.  Several states are also considering legislation on more narrow issues concerning consumer data, such as commercial facial recognition.

We will continue to monitor these developments and keep you apprised here on Inside Privacy.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws.

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations. 

Chambers USA 2024 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”