It's clear that privacy regulations will continue to be somewhat of a patchwork quilt.
Last year, we wrote an analysis of data privacy legislation updates. At that time, Mississippi didn’t pass its privacy bill, and more than a dozen states had bills that are still under consideration. Iowa, Indiana, and Oklahoma are all in the process of moving various privacy bills through their legislatures, and several other states have begun to consider new laws. In addition, seven states are considering biometric information privacy legislation.
The most comprehensive source remains an annotated map from Husch Blackwell, which links to each state’s legislation. If you are looking for more analysis, this page from the National Conference of State Legislatures has more contextual explanations.
There have been some developments and further refinements on the three states that have enacted privacy legislation:
California Privacy Rights Act (CPRA)
California Consumer Privacy Act (CCPA)
Colorado Privacy Act
Virginia Consumer Data Protection Act
There are two news items from California. First, on January 28, 2022, the California Attorney General’s office sent notices to businesses operating loyalty programs in California that provide financial incentives in exchange for consumers divulging various personal data. Under CCPA, such businesses must tell you what the payment will be before you opt into the program. The second item is that the California Privacy Protection Agency, the agency charged with enforcing the state’s privacy laws, won’t be fully up and running until later this year, missing its mandated deadlines. However, some of the laws have already gone into effect, which means you should have some knowledge of what is required, even if there isn’t yet anyone knocking on your legal doorstep with a potential violation.
Colorado’s and Virginia’s laws don’t take effect until 2023 (July 1 and January 1, respectively), so there is still time to formulate an action plan. But as you take a deeper dive into the three states, you’ll see that there is little agreement about how they define the various elements of privacy and what the requirements are for businesses that handle private data. As an example, see this comparison of how the three define the rights of consumers:
[Comparison table of consumer rights under the three states’ laws. Image credit: WireWheel]
The three states’ laws also differ on how biometric privacy will be regulated. CPRA creates new requirements for sensitive personal information and allows consumers to limit businesses’ use of certain data. Virginia’s law has a more restrictive definition of biometric data and more limits on how it can be processed. Colorado doesn’t explicitly define biometric data but has provisions similar to California’s laws. What this all means is that compliance will be complicated for companies doing business in these three states: they will have to audit their data protection procedures, understand how they obtain consumer consent or allow consumers to restrict the use of such data, and make sure those practices match the different subtleties in each regulation.
Conducting data protection assessments
Each state also differs in what will be required for these assessments. Virginia’s law requires reporting of “any processing activities involving personal data that present a heightened risk of harm to consumers” without specifically defining what that harm might be. Colorado’s law does better in laying out its harm definition but has a different scope of what constitutes a valid assessment.
California’s laws leave the actual rules for these assessments to the yet-to-be-operational agency mentioned above, so we’ll have to see how that shakes out later this year. Because of the differing definitions between the laws, it’s possible that under some circumstances Colorado could require an assessment but Virginia would not, or vice versa.
What's clear from the events of the past year is that privacy regulations will continue to be somewhat of a patchwork quilt. Sorting out the various state efforts — and there are other states that will probably enact their own regulations in 2022 — will be difficult. Add in that there are subtle differences with the EU’s GDPR and what China has enacted, and these will compound issues for international businesses.