We expected 2022 to be a busy year on the U.S. privacy front, and the first couple of months did not disappoint!
The current headliner is the Utah Consumer Privacy Act, which the state legislature passed unanimously and should hit the governor’s desk before the legislature adjourns on March 4th. Utah modeled its law after the Virginia Consumer Data Protection Act (set to take effect on January 1, 2023); however, notable differences exist. Key details:
- Takes effect December 31, 2023
- No private right of action; 30-day right-to-cure period
- Applies only to controllers that meet revenue ($25 million) and data volume thresholds
- Provides GLBA, HIPAA, FCRA, and other relevant exemptions
- Consumer rights largely align with other states, except that there are no “profiling” rules or appeal rights
- Controller-processor contract requirements mirror other states
- Must provide conspicuous notice of the right to opt out of targeted advertising and sales
- Cannot collect sensitive personal data without first providing clear notice and an opportunity to opt out
- Imposes reasonable data security requirements
- Includes antidiscrimination provisions but exempts loyalty/rewards programs
- AG must issue a report on enforcement and related issues before July 1, 2025
Other states are also actively considering privacy legislation and regulations. Notable developments:
- California – the Privacy Protection Agency may miss its July 1, 2022 deadline for CPRA regulations, which makes a Q3 or Q4 release date more likely. The state is also considering two bills that would extend the existing exemptions for data collected in an employment or business-to-business context: AB 2891 proposes to extend the exemption until 2026, and AB 2871 proposes to extend it indefinitely. Critics argue that the legislature cannot lawfully extend the exemption; however, there is optimism that the legislature will do so anyway.
- Florida – a privacy bill (HB 9) with a limited private right of action passed 103-8 in the House and awaits consideration in the Senate. The private right of action only covers violations related to consumers’ right to know, deletion, or sales opt-out requests. The bill contemplates statutory damages between $100 and $750 per consumer, per incident. Plaintiffs may not bring a private right of action against companies with less than $50 million in annual gross revenue and may recover costs and attorneys’ fees only if the defendant has annual gross revenue of more than $500 million. This bill is a significant departure from existing state privacy laws, which do not permit private lawsuits except for data breach claims.
- Indiana – a privacy bill (SB 358) that closely mirrors Virginia’s law passed overwhelmingly in the Senate and advanced through the House Committee on Commerce, Small Business and Economic Development.
- Wisconsin – a privacy bill (AB 957) that similarly mirrors Virginia’s law passed 59-37 in the Assembly and awaits consideration in the Senate.
Businesses working to comply with adopted privacy laws in California, Colorado, and Virginia should keep an eye on these and other privacy developments and consider ways to extend current compliance efforts to cover emerging laws.
Nick is a Partner at M&S where he leads the firm’s Compliance practice areas. He brings more than a decade of experience helping clients understand and comply with federal and state privacy, advertising, and telemarketing laws and regulations.