As we look ahead at 2022, we here provide a quick wrap-up of key developments for U.S. state privacy laws in the past year:

  • California Privacy Protection Agency is appointed and commences rulemaking. In June, the new California Privacy Protection Agency (CPPA) held its inaugural public meeting, creating subcommittees focused on rulemaking and regulations, public awareness and guidance, and startup and administration.  The CPPA will have rulemaking authority under the CPRA, which goes into effect in January 2023.  In September, the CPPA kicked of its preliminary rulemaking activities by inviting public comments regarding any area on which the CPPA has authority to adopt rules.  Submitted comments are now publicly available.
  • Virginia enacts the Virginia Consumer Data Protection Act. In March, the Virginia governor approved the Virginia Consumer Data Protection Act (VCDPA), a comprehensive consumer privacy law with requirements for data controllers and processors.  Under the law, controllers must provide consumers a privacy notice containing specific information, provide certain data subject rights, and conduct data protection assessments, and processors must include certain provisions in contracts with controllers, such as a requirement to cooperate with compliance assessments by the controller or conduct such assessments independently.  The VCDPA mandated a working group of the General Assembly’s Joint Commission on Technology and Science to consider public recommendations, by November 1, 2021, which the state legislature can consider if it amends the VCDPA before it goes into effect on January 1, 2023.  One point the working group raised in its Final Report is whether the law should direct an agency to promulgate regulations.  See our posts on the passage and enactment of the VCDPA and the working group’s Final Report.
  • Colorado enacts the Colorado Privacy Act. In July, Colorado enacted the Colorado Privacy Act (CPA), a comprehensive data privacy law.  The CPA provides consumers the rights of access, correction, deletion, and to opt-out of processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling.  It also imposes a duty of care to secure personal data and requires affirmative consent prior to processing sensitive data about the customer.  The CPA, discussed further here, will go into effect on January 1, 2023.
  • Uniform Law Commission finalizes a model state privacy bill. In July, the Uniform Law Commission voted to approve its Uniform Personal Data Protection Act (UPDPA) as a model template for uniform state privacy legislation.  The UPDPA departs from previously enacted state privacy frameworks with the intent of “provid[ing] a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with the California and Virginia regimes.”

Looking forward to 2022, we anticipate continued progress on privacy rulemakings prompted by the CPRA and CPA and interest in comprehensive privacy legislation by state legislatures.  The rulemaking underway with California’s CPPA will continue, and the Colorado Attorney General may begin the process of promulgating rules for carrying out the CPA (it must adopt rules creating specifications for the universal opt-out mechanism by July 1, 2023).

Several states are already considering comprehensive privacy bills that will carry into 2022, including Oklahoma, Minnesota, North Carolina, Ohio, Pennsylvania, Alaska, D.C., Illinois, Massachusetts, and New York.  We expect additional states to introduce comprehensive data privacy bills in 2022, including Tennessee.  Several states are also considering legislation on more narrow issues concerning consumer data, such as commercial facial recognition.

We will continue to monitor these developments and keep you apprised here on Inside Privacy.

Tags: California Privacy Rights Act, Data, Privacy & Data Security, State Legislatures
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Madeline Salinas Madeline Salinas

Madeline Salinas is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups.

Email
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Read more about Libbie CanterEmail
Show more Show less