Data Privacy Legislation Update 2022 | Avast


Last year we wrote an analysis on updates to data privacy legislation. Last year, Mississippi had not passed its privacy bill, and more than a dozen states had bills that are still pending. Iowa, Indiana, and Oklahoma are all pushing various privacy bills through their legislatures, and several other states have begun considering new laws. In addition, seven states are considering biometric privacy legislation.

The most complete source remains an annotated map from Husch Blackwell, which lets you access the legislation of each state. If you are looking for more analysis, this page from the National Conference of State Legislatures has more contextual explanations.

There have been additional developments and improvements in the three states that have passed privacy legislation:

  • California Privacy Rights Act (CPRA)
  • California Consumer Privacy Act (CCPA)
  • Colorado Privacy Law
  • Virginia Consumer Data Protection Act

There are two pieces of news from California. First, on January 28, 2022, the California Attorney General’s Office sent notice to companies operating loyalty programs in California that offer financial incentives in exchange for consumers disclosing various personal data. Under the CCPA, they have to tell you what the payment will be before you choose to join the program. Second, the California Privacy Agency, the agency responsible for enforcing the state’s privacy laws, will not be fully operational before the end of the year, missing its prescribed deadlines. However, some of the laws have already gone into effect, which means you should have some knowledge of what is required, even if there is no one knocking on your legal door with a potential violation yet.

The Colorado and Virginia laws don’t go into effect until 2023 (July 1 and January 1, respectively), so there’s still time to formulate a plan of action. But as you dive deeper into the three states, you’ll see there’s little agreement on how they define various elements of privacy and what the requirements are for companies that handle private data. As an example, see this comparison of how the three define consumer rights:

[Image: comparison of how the three states define consumer rights. Image credit: WireWheel]

Biometric privacy

The laws of the three states also differ on how biometric privacy will be regulated. The CPRA creates new requirements for sensitive personal information and allows consumers to limit the use of certain data by companies. Virginia law has a more restrictive definition of biometric data and more limits on how it can be processed. Colorado does not explicitly define biometric data, but has provisions similar to California’s laws. All of this means that it will be complicated for companies doing business in these three states. They will have to audit their data protection procedures, understand how they obtain consumer consent or allow consumers to restrict the use of this data, and ensure that these procedures correspond to the various intricacies of the regulations.

Performing data protection assessments

Each state also differs in what will be required for these assessments. Virginia law requires the reporting of “any processing activity involving personal data that presents an increased risk of harm to consumers” without defining precisely what this harm could be. Colorado law does better in stating its definition of harm, but has a different scope of what constitutes a valid assessment.

California law leaves the actual rules for these assessments to the not-yet-operational agency mentioned above, so we’ll have to see how that plays out later this year. Due to different definitions between laws, it is possible that in some circumstances Colorado may require an assessment but Virginia may not, or vice versa.

What is clear from the events of the past year is that privacy regulations will continue to be somewhat disparate. Sorting out the various state efforts (and there are other states likely to enact their own regulations in 2022) will be difficult. Add to that the subtle differences between the EU GDPR and what China has enacted, and the problems compound for international businesses.

Further reading:
A guide to protecting your privacy online
Why your privacy policy should be customer-centric

