The State of U.S. Data Privacy – 2022 Review and 2023 Predictions
- Regulatory & Compliance
Will the U.S. ever pass a comprehensive data privacy law? This question has long gone unanswered. With more states passing and considering legislation, the nation is left with a patchwork approach to privacy regulation.
This creates gaps and uncertainty regarding how to handle personal data, as many business activities cross borders. Add global obligations on top of this and it becomes very difficult to effectively manage compliance obligations. Data privacy is dynamic and will continue to be one of the most important areas to monitor, so it is important to grasp what happened last year and anticipate what is on the horizon.
New State Laws
In 2022, two more states passed data privacy legislation with Utah and Connecticut joining the ranks of California, Colorado, and Virginia. With how long the legislative process generally takes, it is impressive that five robust laws passed in the short time span of four years. This illustrates just how important privacy protection is in the digital age as there is much more potential for threat actors to intercept sensitive information. Here are some key features of these laws:
- Utah Consumer Privacy Act: This law grants consumers rights similar to those in the other state laws, such as the right to access and delete personal data and to opt out of its sale. It also delineates separate categories for personal and sensitive data, has no private right of action, provides a 30-day right-to-cure period before enforcement, and places controls on processing activities such as notice and security obligations.
What makes the Utah law unique is that it is the most business-friendly of the five. Provisions that make it less restrictive include no right for consumers to correct erroneous information; no requirement for organizations to perform data protection assessments, cyber audits, or risk assessments before engaging in riskier processing activities; no consumer appeal process; and an opt-out (rather than opt-in) model for the collection of sensitive data, whereas the other states mandate opt-in consent.
- Connecticut Data Privacy Act: Many state bills incorporated provisions from the Washington state bill (which never passed); these provisions make compliance easier by taking a less onerous, less prescriptive approach. This has become known as the "Washington-Virginia model," as Virginia was the first state where a bill with these features became law. Colorado and Connecticut have followed suit.
The Connecticut law also does not grant a private right of action and incorporates standard consumer rights such as accessing, deleting, and opting out of sales involving personal information. A unique feature of the Connecticut law is that while there is a right to cure, this sunsets on Jan. 1, 2025, and after that the attorney general has sole discretion to offer a cure period when a violation occurs. Other key components include strict limits on data collection/usage and the requirement that consumer consent be unambiguous.
So how do these two new laws stack up? There are several overlapping features in all five laws, such as application to businesses outside the state's borders and similar consumer rights. However, the departures make each law unique and add another layer to compliance. A best practice is to understand how the laws diverge even when obligations appear similar. For example, although each state law includes a right to cure, the timeframe to do so differs. Compliance teams should also take note of how definitions and exemption language vary, as this affects what data is covered. These are small considerations that could have serious consequences if left unaccounted for.
The patchwork approach to data privacy regulation in the U.S. makes it challenging to meet competing obligations when organizations operate in multiple jurisdictions, but doing so is necessary to avoid fines and reputational harm. Unless and until a federal standard emerges, organizations must have personnel dedicated to privacy compliance and adjust their approach based on which law applies. The Virginia law and the California Privacy Rights Act (which supplements the existing California law) both became effective on Jan. 1, 2023. The Colorado and Connecticut laws take effect this July, and Utah's this December.
Status of Federal Legislation
The federal government has been regulating data privacy in a piecemeal fashion through established legal frameworks like healthcare and credit reporting laws or Federal Trade Commission enforcement. A prediction from early last year was that more privacy laws and reliance on digital platforms may accelerate the creation of a new federal privacy framework. Some progress has been made on this front, but whether a comprehensive federal standard will materialize still remains unclear.
In July 2022, the American Data Privacy and Protection Act went to the House of Representatives. However, two clauses have been highly debated – one granting a private right of action and another allowing preemption of existing state privacy laws. For preemption purposes, there are current exemptions for sixteen state law categories including general consumer protection and data breach notification laws. While movement has been slow, many view this bill as non-partisan so lawmakers may continue to work through these issues and find a solution. In the interim, there are several ways this could play out in the states. More states may work vigorously to pass their own laws while others may be more apprehensive due to the possibility of a unified standard. A very real trend this year could be new bills containing provisions included in the proposed federal law, as this would lessen the effects of preemption in the future.
Additional 2022 Updates
Although only two new data privacy laws passed in 2022, legislators in nearly 30 other states considered bills offering varying degrees of consumer protection. Some may be reintroduced during the 2023 session in addition to any new bills in the works. This sets the stage for even more state laws to pass this year. It will be interesting to see how they compare to the five currently on the books. Will any other states allow a private right of action? Will future bills take Utah's more business-friendly approach or follow the Washington-Virginia model? Or adopt the Uniform Personal Data Protection Act? That is a flexible model law grounded in tort principles rather than treating data as consumer property. These are a few developments to watch.
Privacy was also a trending concern in other areas last year, which illustrates just how important this topic is to the nation. First, there was a wave of state bills similar to the Illinois Biometric Information Privacy Act (BIPA). They aimed to regulate how organizations collect, use, safeguard, handle, store, retain, and destroy biometric data. While none passed, some are still pending this year. Also, monitor whether states with biometric laws that lack a private right of action decide to amend their laws if more BIPA-like ones begin to pass.
Second, in June, the New York Supreme Court adopted CLE requirements mandating attorneys to obtain one hour of credit every two years on the ethical obligations, technology, or practice considerations relating to cybersecurity and privacy topics. Including privacy emphasizes just how important protecting personal and sensitive information is in today’s world. Incorporating education on these topics is meant to help attorneys understand not only their obligations, but also the proper safeguarding of sensitive data and incident response best practices.
What happens on the federal front these next few months will set the stage for the rest of the year. Regardless, organizations subject to any state laws becoming effective this year need to implement the appropriate changes to avoid violations and operational interruptions. Keep monitoring all data privacy activity in the U.S. and abroad, as anything is possible with such a dynamic landscape.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.