The State of State Privacy Legislation
It’s old news that states have been proposing and passing privacy laws. Let’s take a moment to figure out the landscape.
It’s old news that the U.S. has been holding its breath for a comprehensive federal privacy law and its old news that in the meantime the states have been active in proposing and passing privacy laws. But the sheer number of bills keeps a lot of us from actually understanding the current state of privacy in the U.S.
Let’s take a moment to figure out the landscape.
What’s Passed: CCPA, CPRA, CPA, VCDPA, and now UCPA
We’ll briefly begin with the laws that have been passed. I won’t go into the specifics of each law, but I recommend the IAPP’s comparison of CCPA, CPRA, VCDPA, and CPA. It’s too early for a good resource comparing these laws against UCPA, but I’m sure it won’t be long.
- California Consumer Privacy Act (CCPA): You already know, it’s in effect.
- California Privacy Rights Act (CPRA): The CPRA becomes effective January 1, 2023, but we still don’t know exactly what the law requires because we’re still awaiting final regulations by the California Privacy Protection Agency (CPPA). The final regulations were originally meant to be finalized by July 1, 2022, but the CPRA announced last month that the final regulations are delayed and likely won’t be issued until the third or fourth quarter of 2022. This doesn’t give Businesses a lot of time to get into compliance before the law comes into effect.
- Virginia Consumer Data Protection Act (VCDPA): The next law to be enacted was the VCDPA. This legislative year, seven amendments to VCDPA were proposed and two sets were passed. The first set (SB 393 and HB 381) provide an exception to the right to deletion. Specifically, data may be considered ‘deleted’ where a minimal record of the deletion request is retained for the exclusive purpose of ensuring the consumer’s data is/remains erased (i.e., keeping suppression records is compatible with deletion. The second set of amendments (SB 534 and HB714), among other things, redefines ‘nonprofit organizations’ to include tax exempt political organizations. This mean that tax exempt political organizations are not subject to VCDPA. Lastly, the second set of amendments eliminates the VCDPA’s ‘Consumer Privacy Fund.’ Essentially, the original text required fines to be paid to the Consumer Privacy Fund established in the VCDPA. Now, however, any fines paid by violators of the VCDPA goes to the state’s treasury and not to a specific privacy fund.
- Colorado Privacy Act (CPA): The CPA is effective July 1, 2023. Currently, the Colorado Attorney General is taking rulemaking input. You can provide comments here. When rulemaking begins, the Colorado AG will post notice of the rules here, at which time you can provide input on the proposed rules. The final rules must be adopted by the effective date of the law. The privacy community is particularly interested to see the proposed rules for the vague universal opt out mechanism.
- Utah Consumer Privacy Act: On March 24, 2022 Utah joined the privacy law club and passed the Utah Consumer Privacy Act (UCPA). The law is effective December 31, 2023. We’ll learn more about any working groups or proposed rulemaking in the coming months.
Since UCPA is still breaking news, let’s dive in.
UCPA applies to controllers or processors that (1) conduct business in Utah or produce a product or service targeted to Utah residents; (2) have annual revenue of $25,000,000 or more; and (3) satisfy at least one of the following thresholds: (a) during a calendar year, control or process the personal data of 100,000 or more Utah residents, or (b) derive over 50% of their gross revenue from the sale of personal data, and control or process the personal data of 25,000 or more consumers.
The law provides Utah residents with the following rights: access, deletion, portability, to opt out of the“sale” of their personal data, and to opt out of “targeted advertising.” Like the VCDPA, the UCPA limits “sale” to the exchange of personal data for monetary consideration.
In a deviation from all other enacted comprehensive state privacy laws, the UCPA doesn’t require controllers obtain prior opt-in consent to process “sensitive data,” but instead requires controllers to provide prior notice and an opportunity to opt out.
And don’t worry businesses, there isn’t a private right of action.
What’s Failed: Laws That Didn’t Pass Before The Legislative Sessions Ended
- Florida: After nearly passing in 2021, we all thought it probable this bill would pass. The final version of the Florida privacy bill was unique in that it included a tiered approach to a private right of action. It passed the House, but stalled in the Senate Judiciary Committee and was ‘indefinitely postponed and withdrawn from consideration.’
- Indiana: Early versions had a private right of action, but the final version didn’t. Passed in the Senate, never made it to vote in the House.
- Mississippi: Died in committee.
- Washington: We thought a law was likely to pass given the legislature has been trying to pass a privacy bill since 2020. Two bills were introduced, one to the House and one to the Senate. Neither made it to the other floor.
- West Virginia: Never saw the Senate and couldn’t make it out of the House.
- Wisconsin: Passed in the House, stalled in the Senate.
What’s still Uncertain: Laws Still on Legislature Floors
The laws listed below are still on state legislature floors, meaning they still have the potential to be passed in 2022.
- Alaska
- Arizona
- Connecticut
- D.C.
- Georgia
- Hawaii
- Iowa
- Kentucky
- Maine
- Maryland
- Massachusetts
- Nebraska
- New Jersey
- New York
- North Carolina
- Ohio
- Oklahoma
- Pennsylvania
- Rhode Island
- South Carolina
- Tennessee
- Vermont
Conclusion: More states have yet to wrap up their 2022 legislative sessions, perhaps we’ll see more laws passed before the end of the year. Either way, there’s a lot to watch and a lot to learn, so stay tuned and remember to thank your privacy professional.