U.S. Data Privacy Updates: Spring 2022
- Regulatory & Compliance
The time has come for another review of U.S. data privacy updates, as this landscape is growing and dynamic. Keeping informed ensures organizations know what is on the horizon and how new or amended legislation may affect business operations and compliance obligations. The absence of federal legislation makes this task harder, as many organizations conduct business in several states with differing directives.
Back in January when the Epiq Angle last issued an update, the three states with enacted data privacy laws were California, Virginia, and Colorado. Other states had pending bills or were regulating via less comprehensive laws, such as Nevada’s law pertaining to data broker sales. Below is a recap of what has happened in 2022 thus far and what may follow.
Utah Consumer Privacy Act
This March, Utah became the fourth state to pass comprehensive data privacy legislation. The Utah Consumer Privacy Act (UCPA) will become effective on Dec. 31, 2023. The law categorizes both personal and sensitive data. Following suit with the other three laws, the UCPA can apply across state borders and grants consumers similar rights regarding personal data, such as the right to access, delete, and opt out of sales. It also places controls on organizations’ processing activities, such as notice and security obligations.
No private right of action exists, leaving California as the only state currently extending that right. Instead, the Division of Consumer Protection has investigatory powers, and the Attorney General (AG) has enforcement powers. Allotted penalties are $7,500 or the measure of actual damages. The UCPA provides a 30-day right to cure period before enforcement. Any enforcement-related funds go into an account the AG can use for enforcement and consumer education. The AG does not have rulemaking powers.
The UCPA overall has a more relaxed and business-friendly feel. Organizations falling under the law’s reach should take note of provisions that make it less restrictive:
- Consumers do not have the right to correct erroneous personal information, which the Virginia and Colorado laws allow. The broader California Privacy Rights Act (CPRA) that will expand current protections also allows correction starting Jan. 1, 2023.
- Organizations are not required to perform data protection assessments, cyber audits, or risk assessments before engaging in riskier processing activities.
- Organizations have broader latitude to charge fees when responding to consumer requests.
- There is no requirement for organizations to establish a way for consumers to appeal decisions.
- Organizations must provide opt-out notices to consumers regarding sensitive data collection. Conversely, in Virginia and Colorado, this type of information cannot be processed unless a consumer opts in for collection.
This list is not by any means exhaustive, so as always, affected organizations should thoroughly review the law to inform proper compliance strategies. It will be interesting to see if other states follow Utah’s approach and if the inclusion of fewer restrictions will lead to quicker legislation passage.
Pending State Bills
The majority of states continue to introduce data privacy legislation in each new session. As of May 23, there were 12 active privacy bills. Earlier in the year, almost 20 other states had proposed bills that did not pass. Some states even have multiple bills on the table, such as Pennsylvania, where three competing bills offer different restrictions. Differences between the Pennsylvania bills include penalty allowances, limitations on consumer rights, the definition of personal information, and whether a private right of action is authorized.
Connecticut is the state to watch right now, as the state’s bill passed in both the Senate and House in late April. The governor signed the bill on May 10. Key features include no private right of action, a sunset date on the right to cure, a unique definition of biometric data, and broad consumer opt-out allowances. Watch for any amendments or guidance before the law becomes enforceable.
The Virginia law was amended this April, even though it does not become effective until next year. The changes create a new exemption pertaining to a consumer’s right to delete; replace the fund for penalties, expenses, and fees; and change the definition of “nonprofit” to include political organizations and any tax-exempt organization.
While not relating to comprehensive privacy protections, an emerging trend is the introduction of bills similar to the Illinois Biometric Privacy Act, which regulates how organizations collect, use, safeguard, handle, store, retain, and destroy biometric data. Some have already failed, but the California biometric bill looks the most likely of those still pending to pass in the near future. Delaware and Massachusetts also introduced bills to specifically regulate data brokers, another specialized area gaining momentum.
Uniform Personal Data Protection Act
Last July, the final text of the Uniform Personal Data Protection Act (UPDPA) was approved. This is a flexible model law after which states can pattern their own privacy legislation. The UPDPA’s approach is based on tort rather than treating data as consumer property. The UPDPA views the consumer-business relationship as an exchange that benefits both parties. The goal is still to address consumer privacy concerns while significantly reducing the burdens placed on organizations, encompassing both costs and the ability to remain operational while complying with the law. Major differences include the absence of consumer deletion and portability rights; varying privacy levels and consent requirements that depend on a data compatibility categorization framework; and substituted compliance, which allows controls implemented for another state’s law to satisfy compliance in a state following UPDPA rules.
Nebraska, Oklahoma, and Washington D.C. legislatures have introduced UPDPA-modeled bills, but none have passed. Additionally, many states have incorporated provisions from the Washington state bill that did not pass. Virginia has many of the Washington bill’s features, which make compliance easier by taking a less onerous and mandated approach. It is crucial to watch whether more states propose and/or adopt legislation pursuant to the UPDPA framework or the Washington-Virginia model, and whether either option lessens the load of compliance or even sparks the creation of a federal standard.
Next year will absolutely be a major year for compliance program updates, especially considering that other pending bills could advance and bring late 2023 effective dates. The Virginia law and CPRA both become effective in January 2023. The Colorado and Utah laws are not far behind, with effective dates in July and December 2023, respectively. The Connecticut law is also slated to be effective next July. The patchwork approach to data privacy regulation in the U.S. makes it challenging to meet competing obligations when organizations operate in multiple jurisdictions, but doing so is necessary to avoid fines and reputational harm. Being proactive and implementing changes now better positions organizations to avoid violations and operational interruptions. Be sure to prioritize legislative monitoring in compliance initiatives, as things are evolving quickly and bills that appear promising today could prove invalid tomorrow.