Despite the national and global events that took center stage in 2021, the upward trend in data privacy legislation at the state level continued. With the addition of the amendments to the Safeguards Rule, 2022 brings new compliance challenges for many businesses and financial institutions.
Many of these bills were limited in scope, addressing, for example, biometric, genetic and geolocation data, data brokers, and internet service providers.
Comprehensive Consumer Data Privacy Legislation – By the Numbers
The following chart shows 23 states that introduced a total of 34 comprehensive consumer data privacy bills in 2021. This is legislation that restricts the use of personal information and conveys certain rights to consumers, similar to what is found in the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation.
Some of the key provisions that are commonly tracked include consumer rights, exemptions and exclusions from coverage, contractual and security standards, and whether there is a private right of action. The following chart shows the prevalence of those provisions in the 2021 legislation.
A detailed spreadsheet showing the provisions that were included in specific bills can be found here.
New State Privacy Laws – Virginia and Colorado
- Right to access
- Right to correct
- Right to delete
- Right to obtain
- Right to opt-out of processing
- Right to appeal a refused request
- Opt-in requirement for processing sensitive data
- Requirements for contracts between controllers and processors
- Risk assessments for processing certain data
- Entity-level Gramm-Leach-Bliley Act exemption
- No private right of action
- Detailed requirements for an information security program;
- New requirements for accountability, such as designation of a single “Qualified Individual”;
- An exemption from written risk assessments, incident response plans and annual reporting for certain small businesses;
- An expansion of the definition of “financial institution”; and
- New definitions and examples.
- Federal legislation continues to be in play, but there are no frontrunners among the various bills introduced thus far.
- Numerous states have legislation that did not pass this year but will carry over to 2022, and some of the bills are a significant departure from what currently exists and would not be considered “industry friendly.”
- In the absence of a federal law that preempts state privacy laws, it is likely some of those state measures will be enacted.
- The newly established California Privacy Protection Agency will engage in rulemaking related to the California Privacy Rights Act of 2020, which amends the CCPA.