The myriad of new and innovative ways personal data is being leveraged for commercial purposes continues to proliferate. The associated legal risks are also rising as lawmakers seek to strengthen requirements placed on businesses’ data collection and processing practices.
2021 brought with it many noteworthy developments in consumer privacy that significantly impacted businesses that collect and use personal data as part of their operations, including the enactment of two new consumer privacy statutes by Virginia and Colorado. In 2022, businesses should expect more of the same, with the passage of additional consumer privacy laws that will create significantly enhanced, more complex compliance obligations as compared to years past.
From a broader perspective, as the breadth of legal exposure stemming from the use of personal data continues to trend upward, Ohio businesses that utilize consumer data—even those that are not subject to any consumer privacy laws currently—are well-advised to ensure they have the proper policies, procedures, and practices in place to minimize the ever-increasing risk stemming from greater consumer privacy regulation.
2021 was a busy year on the consumer privacy front. Last March, Virginia became the second state to enact a comprehensive consumer privacy statute modeled after the California Consumer Privacy Act of 2018 (“CCPA”). Known as the Virginia Consumer Data Protection Act (“VCDPA”), the law will take effect at the start of 2023. Colorado also passed similar consumer privacy legislation, the Colorado Privacy Act (“CPA”), which will go into effect on July 1, 2023. In addition, California’s “CCPA 2.0,” the California Privacy Rights Act (“CPRA”)—which amends and supplements the CCPA, enhancing consumer rights and businesses’ compliance obligations—will also go into effect at the start of next year as well.
The VCDPA and CPA are similar in many respects to their California counterparts, providing a range of new rights to consumers while also imposing obligations on businesses that collect and use their personal data. Significantly, neither law includes a private right of action; instead, enforcement rests solely with those states’ attorneys general.
At the federal level—as has been the trend for years now—Congress failed to pass any meaningful consumer privacy regulatory framework that would apply uniformly across all 50 states.
In 2022, new state consumer privacy laws will likely be added to the mix, creating an even more complex patchwork of compliance requirements for businesses that collect and use consumers’ sensitive data.
Already this year, Florida, Hawaii, Indiana, Kentucky, Maryland, Mississippi, Missouri, Nebraska, New Hampshire, New Jersey, Oklahoma, Pennsylvania, Vermont, and Washington have introduced comprehensive consumer privacy legislation modeled after the CCPA, CPRA, VCDPA, and CPA.
Many other states, including Alaska, Massachusetts, Minnesota, New York, North Carolina, South Carolina, and Tennessee, also have consumer privacy bills currently pending in their state legislatures which carried over from the 2021 legislative cycle.
While Ohio introduced a consumer privacy bill of its own in mid-2021—known as the Ohio Personal Privacy Act (“OPPA”)—this legislation was pulled from committee consideration at the end of last year to allow lawmakers more time to digest the bill. Just recently, however, the Ohio House Government Oversight Committee voted the bill out of committee. It remains to be seen whether the legislation will successfull make its way through the rest of the legislative process and into law in 2022.
At the federal level, Congress’s lack of success in enacting a federal consumer privacy law in prior years will not deter lawmakers from continuing to push for a federal privacy regulatory framework in 2022. In prior years, attempts to enact a federal privacy law have died on the vine due to differences in opinion regarding preemption and whether a law of this nature should include a private right of action or, alternatively, place enforcement powers in the hands of federal administrative agencies.
In 2022, the likelihood of a federal consumer privacy law being enacted is significantly higher as compared to years past, with greater calls from both lawmakers and consumer privacy advocates for uniform, consistent federal privacy legislation that would apply across all 50 states. One indication that this year may, in fact, be the year that privacy regulation is implemented at the federal level pertains to the unlikely coalition that has formed between the U.S. Chamber of Congress and local businesses in 20 states, which issued a letter to Congress in January imploring the importance of enacting a federal consumer privacy law.
At the same time, there is also growing consumer awareness and concern regarding the need to protect the privacy and security of their personal data, as indicated by a January poll conducted by Politico and Morning Consult showing that over half of Americans support federal privacy legislation.
While the California, Virginia, and Colorado laws all share common privacy principles—including consumer rights relating to access, correction, deletion, and opt-outs—each also contains their own unique nuances, which poses significant challenges for broad, comprehensive compliance. In addition, the myriad of other states currently considering similar legislation will only add greater complexity to the growing patchwork of state compliance obligations in the event any of these bills make their way into law.
Businesses that fall under the scope of the CPRA, VCDPA, or CPA should monitor for developments relating to these new laws—especially as it pertains to draft implementation regulations—to ensure their compliance programs remain aligned with any future modifications made to these statutes prior to their respective effective dates.
At the same time, businesses should also track developments relating to pending legislation as well to ensure they stay abreast of any new compliance requirements that may arise during the 2022 legislative cycle.
Importantly, Ohio businesses—especially those that maintain operations both within and outside the borders of the Buckeye State—should not wait for new consumer privacy laws to be passed, but instead should take proactive steps to formalize and build out their consumer privacy compliance programs at this time. This can be achieved by implementing the overarching privacy principles that are common threads in today’s consumer privacy regulation, including privacy policies, notices, procedures for satisfying consumer rights requests, and “reasonable” data security measures.
Ultimately, for all organizations that currently utilize consumer data—or are considering doing so in the future—the best course of action is to speak with experienced counsel to determine the necessary policies, procedures, and practices that need to be in place to satisfy the full range of current and anticipated consumer privacy compliance obligations and to properly manage potential risk.
Oberly is a Senior Associate in the Cincinnati office of Squire Patton Boggs LLP and a member of the firm’s Global Data Privacy, Cybersecurity & Digital Assets Practice. His practice focuses on counseling and advising clients on a wide range of data privacy and biometric privacy compliance and risk management matters. Contact him: david.oberly@squirepb.com, and follow him on Twitter at @DavidJOberly.