As we look ahead to 2022, here is a quick wrap-up of key developments for U.S. state privacy laws in the past year:
- California Privacy Protection Agency is appointed and commences rulemaking. In June, the new California Privacy Protection Agency (CPPA) held its inaugural public meeting, creating subcommittees focused on rulemaking and regulations, public awareness and guidance, and startup and administration. The CPPA will have rulemaking authority under the CPRA, which goes into effect in January 2023. In September, the CPPA kicked off its preliminary rulemaking activities by inviting public comments regarding any area on which the CPPA has authority to adopt rules. Submitted comments are now publicly available.
- Virginia enacts the Virginia Consumer Data Protection Act. In March, the Virginia governor approved the Virginia Consumer Data Protection Act (VCDPA), a comprehensive consumer privacy law with requirements for data controllers and processors. Under the law, controllers must provide consumers a privacy notice containing specific information, provide certain data subject rights, and conduct data protection assessments, and processors must include certain provisions in contracts with controllers, such as a requirement to cooperate with compliance assessments by the controller or conduct such assessments independently. The VCDPA mandated a working group of the General Assembly’s Joint Commission on Technology and Science to consider public recommendations, by November 1, 2021, which the state legislature can consider if it amends the VCDPA before it goes into effect on January 1, 2023. One point the working group raised in its Final Report is whether the law should direct an agency to promulgate regulations. See our posts on the passage and enactment of the VCDPA and the working group’s Final Report.
- Colorado enacts the Colorado Privacy Act. In July, Colorado enacted the Colorado Privacy Act (CPA), a comprehensive data privacy law. The CPA gives consumers the rights of access, correction, and deletion, and the right to opt out of processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling. It also imposes a duty of care to secure personal data and requires affirmative consent prior to processing sensitive data about the customer. The CPA, discussed further here, will go into effect on January 1, 2023.
- Uniform Law Commission finalizes a model state privacy bill. In July, the Uniform Law Commission voted to approve its Uniform Personal Data Protection Act (UPDPA) as a model template for uniform state privacy legislation. The UPDPA departs from previously enacted state privacy frameworks with the intent of “provid[ing] a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with the California and Virginia regimes.”
Looking forward to 2022, we anticipate continued progress on privacy rulemakings prompted by the CPRA and CPA and interest in comprehensive privacy legislation by state legislatures. The rulemaking underway with California’s CPPA will continue, and the Colorado Attorney General may begin the process of promulgating rules for carrying out the CPA (it must adopt rules creating specifications for the universal opt-out mechanism by July 1, 2023).
Several states are already considering comprehensive privacy bills that will carry into 2022, including Oklahoma, Minnesota, North Carolina, Ohio, Pennsylvania, Alaska, D.C., Illinois, Massachusetts, and New York. We expect additional states to introduce comprehensive data privacy bills in 2022, including Tennessee. Several states are also considering legislation on narrower issues concerning consumer data, such as commercial facial recognition.
We will continue to monitor these developments and keep you apprised here on Inside Privacy.