The upward trend in data privacy legislation continued in 2022. According to the National Conference of State Legislatures, “[a]t least 35 states and the District of Columbia in 2022 introduced or considered almost 200 consumer privacy bills,” which is a significant increase from 160 bills in 2021.
Many of these bills were limited in scope, relating to, for example, biometric, genetic and geolocation data, data brokers, and internet service providers.
State Comprehensive Consumer Data Privacy Legislation – By The Numbers
Twenty-eight states introduced a total of 54 comprehensive consumer data privacy bills in 2022. This is legislation that restricts the use of personal information and conveys certain rights to consumers, similar to the California Consumer Privacy Act, Virginia Consumer Data Protection Act, Colorado Privacy Act, Utah Consumer Privacy Act and Connecticut Data Privacy Act.
Some of the key provisions that are commonly tracked include consumer rights, exemptions and exclusions from coverage, contractual and security standards, and whether there is a private right of action. The following chart shows the prevalence of those provisions in the 2022 legislation.
Federal Comprehensive Consumer
Data Privacy Legislation
The American Data Privacy and Protection Act, H.R.8152, was introduced on June 21, 2022. Similar to the state laws, the ADPPA gives consumers the right to access, correct, delete, and export covered data, and to opt out of certain transfers of covered data. The legislation reflects bipartisan compromise, generally preempting state laws that are covered by provisions of the ADPPA and providing a private right of action beginning four years after enactment. It appears doubtful this legislation will move during the remainder of the current Congress, but it is likely this, or similar legislation will be considered in the upcoming session.
New State Comprehensive Consumer Data Privacy Laws
The Utah Consumer Privacy Act was signed into law on March 24, 2022, and not long after, on May 10, the Connecticut Data Privacy Act became law. They become effective Dec. 31, 2023, and July 1, 2023, respectively.
Although there are some differences worthy of attention, these laws are very similar to those enacted in Virginia and Colorado and include:
- Right to access
- Right to correct (Connecticut only)
- Right to delete
- Right to obtain
- Right to opt out of processing
- Right to appeal a refused request
- Data and Entity-level Gramm-Leach-Bliley Act exemptions
- Requirements for contracts between controllers and processors
- Risk assessments for processing certain data (Connecticut only)
- No private right of action
There are limitations that apply to consumers’ rights as well as exceptions to complying with their requests, and these laws are generally perceived as industry friendly.
Amended State Data Breach Notification Laws
Indiana H.B. 1351 went into effect July 1, 2022, and now specifies a timeframe of 45 days from the discovery of a breach to make the required disclosure.
Arizona H.B. 2146 went into effect July 22, 2022, and now requires a notification to the Arizona Department of Homeland Security in the event of a breach that affects more than 1,000 individuals, in addition to the current requirement to notify the attorney general.
Maryland H.B. 962 became effective Oct. 1, 2022, and, in part, provides a more detailed definition of “genetic information, expands the “reasonable security” requirement beyond those who own or license personal information to those who maintain it, and specifies the content of a breach notification.
Pennsylvania S.B. 696 becomes effective May 2, 2023, and, among other things, expands the definition of “personal information” to include medical and health information, and a user name or e-mail address in combination login credentials.
California – The California Privacy Protection Agency continues its rulemaking focused primarily on the amendments to the CCPA by the California Consumer Privacy Rights Act. The most recent activity was a 15-day comment period on the modified text of the proposed regulations, which closed on Nov. 21, 2022
Colorado – The Colorado Department of Law issued proposed rules regarding the Colorado Privacy Act with a comment period open through Feb. 1, 2023.
New York – The New York Department of Financial Services issued proposed amendments to its Cybersecurity Regulations with a comment period open through Jan. 9, 2023.
FTC Advance Notice of Proposed Rulemaking – The FTC issued this ANPR on Commercial Surveillance and Data Security seeking input to shape potential rules that will “crack down on harmful commercial surveillance and lax data security.” The focus of the ANPR overlaps in part with recent state consumer data privacy laws and federal regulation, but the definition of “commercial surveillance” is broad, referring to “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.” The ANPR includes 95 questions spread out among numerous topics. The comment period closed Oct. 21, 2022.
CFPB SBREFA Outline – The CFPB issued a Small Business Regulatory Enforcement Fairness Act Outline “to assess the impact on small entities that would be directly affected by the proposals under consideration prior to issuing a proposed rule regarding section 1033.” Section 1033 (12 U.S.C. § 5333) of the Consumer Financial Protection Act, a/k/a, the Dodd-Frank Act, generally allows a consumer access to transactional information that a business holds related to products or services that were provided to the consumer. The comment period is open through Jan. 25, 2023.
CFPB Circular – The CFPB issued Circular 2022-04 to address this question: “Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?” Unsurprisingly, the answer was “yes.” The CFPB provided three examples of conduct that could “increase the likelihood that an entity’s conduct triggers liability under the CFPA’s prohibition of unfair practices.”
- The failure of a covered person or service provider to require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts.
- The failure of a covered person or service provider to have adequate password management policies and practices.
- The failure of a covered person or service provider to routinely update systems, software, and code (including those utilized by contractors) or fail to update them when notified of a critical vulnerability.
Important Dates in 2023
-January 1, 2023
California Consumer Privacy Act Amendments go into effect. The changes include, among many others:
- Sensitive Personal Information – This new subcategory of personal information includes, in part, social security numbers, driver’s license and other identification numbers, account or debit/credit card numbers in combination with login credentials, geolocation, racial or ethnic origins, religious or philosophical beliefs, etc. Consumers have enhanced rights with regard to sensitive personal information.
- New Consumer Rights – Consumers will now have the right to request correction of inaccurate information, and the right to opt out of the “sharing” of personal information. “Sharing” is limited to providing personal information “to a third party for cross-context behavioral advertising.”
- Notice at Collection – In addition to the current requirement to inform consumers “at or before the time of collection” of the categories of personal information to be collected and the purposes for which it will be used, the notice must also state whether the personal information is sold or shared, provide the same information for sensitive personal information, and state the length of time the categories of personal information and sensitive personal information will be retained, or the criteria that will be used to determine the period.
- Privacy Notice – Privacy notices will need to be updated to reflect, among other things, the new rights afforded consumers.
Virginia Consumer Data Protection Act goes into effect.
- May 2, 2023
Pennsylvania Data Breach Notification Law amendments go into effect.
- June 9, 2023
Gramm-Leach-Bliley Act Safeguards Rule – The Federal Trade Commission issued a final rule amending the Safeguards Rule on Dec. 9, 2021. Many of the changes became effective Jan. 10, 2022, but the effective date of some of the most important changes go into effect June 9, 2023, including:
- Designating a Qualified Individual to oversee the information security program
- Implementing specific risk assessment requirements
- Implementing specific safeguards to control risks
- Implementing continuous monitoring or periodic penetration testing and vulnerability assessments
- Implementing policies and procedures to ensure personnel are able to enact the information security program
- Performing periodic risk assessments of service providers
- Establishing a written incident response plan
- Preparing written reports, at least annually, by the Qualified Individual to the board of directors or equivalent governing body
- July 1, 2023
Colorado Privacy Act goes into effect.
Connecticut Data Privacy Act goes into effect.
- December 31, 2023
Utah Consumer Privacy Actgoes into effect.
With the prospect of a federal consumer data privacy law lagging, we expect that 2023 will continue to bring increased effort in this area by state legislatures and state and federal regulators.