
As Expected: Consumer Privacy Legal Landscape Sees More Significant Shifts in 2022

In the absence of any progress at the federal level, states have taken action on their own with the introduction of proposed consumer privacy legislation geared toward placing greater protections over consumers’ sensitive personal data. As discussed in the March/April 2022 CBA Report, 2021 brought several notable developments in the area of consumer privacy that significantly impacted how businesses collect and use personal data as part of their operations, including the enactment of two new consumer privacy statutes by Virginia and Colorado. As we entered 2022, the question on everyone’s minds was: Will we see more changes to the privacy legal landscape in 2022?

 

We now know the clear answer to that question is a resounding yes. State legislatures did not disappoint in their level of activity this year, with Utah and Connecticut both enacting comprehensive consumer privacy laws during the 2022 legislative cycle—bringing the total number of states with consumer privacy statutes on the books to five. In so doing, these additional laws not only enhance the level of control consumers now possess over their sensitive personal data, but also significantly raise the level of complexity in terms of the challenge presented to businesses needing to comply with a quickly proliferating patchwork of laws, each slightly different from the next.

 

Ultimately, with 2022’s second wave of new consumer privacy laws—and with additional states likely to pass similar legislation of their own in the near future—companies should immediately begin making preparations to ensure compliance with the range of new privacy requirements and restrictions that will take effect starting at the beginning of 2023. At the same time, companies should build out their compliance programs with flexibility and adaptability in mind, such that only minimal program modifications will be needed when additional laws are inevitably enacted in other parts of the country—sooner rather than later.

Background: Key Prior Privacy Developments

In 2016, lawmakers in California enacted the game-changing California Consumer Privacy Act of 2018 (“CCPA”), which fundamentally altered the way companies across the country conduct business as a result of the expansive set of new privacy rights afforded to consumers under the law, as well as the corresponding set of new, stringent obligations imposed on businesses that collect and process their personal data. 

 

At the end of 2020, California scrapped the CCPA and replaced it with its “CCPA 2.0”— the California Privacy Rights Act of 2020 (“CPRA”)—which significantly amends and supplements the CCPA by both strengthening consumers’ rights and increasing businesses’ compliance obligations. In March 2021, Virginia became the second state to put in place a robust consumer privacy law, with its enactment of the Virginia Consumer Data Protection Act (“VCDPA”). Shortly thereafter, Colorado followed up with the enactment of its Colorado Privacy Act (“CPA”). 

Major 2022 Developments

2022 was no different in terms of the level of activity on the consumer privacy legislative front. In April, Utah added another wrinkle in the consumer privacy legal landscape with the enactment of its Utah Consumer Privacy Act (“UCPA”). A month later, Connecticut lawmakers enacted Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”—more commonly referred to as the Connecticut Privacy Act (“CTPA”)—making Connecticut the fifth state to enact a comprehensive consumer privacy statute modeled after the CCPA and the second in 2022. 

 

Ohio also re-introduced a consumer privacy bill of its own in 2022—the Ohio Personal Privacy Act (“OPPA”)—which remains pending at this time. While it is unlikely that the OPPA will become law this year, it is anticipated that a similar bill will be considered by Ohio lawmakers during the 2023 legislative cycle. With the momentum of other states having recently passed similar laws of their own, as well as the Ohio governor’s strong support for passage of the OPPA, Ohio may soon join the ranks of the growing number of states with consumer privacy statutes on the books. If successful, a law akin to the OPPA would provide Ohio consumers with an expansive set of new rights regarding their personal data, while at the same time imposing a corresponding set of stringent obligations on Buckeye State businesses that collect and handle their data.  

 

Washington D.C. lawmakers also made significant headway in enacting a comprehensive federal privacy law in 2022 with the introduction of the American Data Privacy and Protection Act (“ADPPA”)—which would establish a comprehensive federal privacy framework—in the U.S. House of Representatives on June 21, 2022.

 

Although bipartisan consensus on federal privacy legislation has shown itself to be quite elusive in prior years, the ADPPA represents the first comprehensive federal privacy bill to garner bipartisan, bicameral support. Of note, at a recent legislative hearing held by a U.S. House Committee on Energy and Commerce Subcommittee, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” lawmakers from both sides of the aisle praised the bill and pushed for its passage. 

 

However, as with prior attempts to enact federal privacy legislation, the ADPPA must overcome disagreements among lawmakers on two key issues concerning preemption and enforcement. With that said, if federal lawmakers succeed in bringing the bill to fruition, its enactment would undoubtedly be a landmark moment for privacy law in the country. 

Practical Compliance Tips 

With 10% of U.S. states now having their own comprehensive consumer privacy laws on the books—each with their own unique requirements and restrictions—the task of compliance for companies with operations around the country (or the globe) is becoming increasingly complex. In particular, the now-sizeable web of state laws leaves companies in a precarious position and with a difficult issue to tackle—how to best approach compliance in an efficient and cost-effective manner. 

 

Until recently, most organizations favored either a state-by-state approach to compliance or, alternatively, a “highest common denominator” approach whereby the strictest state standard for each discrete compliance requirement is implemented across all jurisdictions where consumer privacy statutes now exist. 

 

Following the addition of a fifth state to the compliance equation, a third approach has emerged—with companies choosing to offer consumers the same rights and control over their personal information regardless of where they are located. Not only does this approach simplify and streamline organizational compliance burdens, but it also offers the additional benefit of giving consumers in many states greater control and protection over their personal information than what is required by law. This offering can be used as a substantial competitive advantage in today’s highly competitive marketplace, especially as consumers demand greater transparency and control when it comes to how their sensitive personal information is collected, used, and protected by the companies they give their hard-earned money to and trust with their sensitive data.

 

With consumer privacy laws in California, Virginia, Colorado, Utah, and Connecticut all set to go into effect next year—as well as the significantly increased likelihood of a comprehensive federal privacy regulatory regime being enacted in the immediate future—now is the time for companies to consult with experienced privacy and data strategy counsel to begin the task of determining which approach to utilize and then build out their compliance programs to ensure compliance can be achieved in a timely fashion by the beginning of 2023. 


Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and a member of the firm’s global Data Privacy, Cybersecurity & Digital Assets practice. David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. He can be reached at david.oberly@squirepb.com. 
