2021 was a big year in data privacy, and 2022 is expected to be even bigger. In 2021, lawmakers in twenty-seven states proposed privacy legislation, and two states—Colorado and Virginia—actually passed such legislation. 2022 is here, and lawmakers have shown they have no intention of slowing down on protecting the data privacy rights of consumers. As of early January 2022, data privacy bills have been introduced in fifteen states and the District of Columbia.1 Five more states are expected to consider data privacy bills.2 Additionally, committee hearings already have been scheduled in several states for this month. Below is a brief summary of some of these new data privacy bills.

NEW PRIVACY BILLS IN 2022

All of these proposed bills have exemptions similar to those that exist under California,3 Colorado,4 and Virginia5 law (e.g., HIPAA, Gramm-Leach-Bliley, Fair Credit Reporting Act). Additionally, all of these proposed bills—with the exception of Indiana's—also include requirements for privacy notices to be displayed by businesses.

ALASKA

HB 222 was proposed on January 1, 2022. HB 222 applies to businesses that meet one or more of the following criteria: (1) as of January 1 of the applicable calendar year, had annual gross revenue in excess of $25 million in the preceding calendar year; (2) by itself, or jointly with other persons, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; (3) derives 50% or more of its annual revenue from selling or sharing personal information about consumers.6 The inclusion of a revenue threshold makes this bill similar to the CCPA. The bill defines personal information by identifying categories of personal information and sensitive personal information. Consumers have the right to access, correct, and delete their personal information, as well as the right to opt out of selling or sharing of personal information. The bill does not provide for a private right of action.

FLORIDA

SB 1864, or the Florida Privacy Protection Act ("FPPA"), was proposed on January 7, 2022.7 Like Colorado and Virginia's privacy laws, the FPPA does not include a revenue threshold but applies if a business meets one of the following criteria: (1) controls the processing of personal information of 100,000 or more consumers; or (2) controls or processes personal information of at least 25,000 consumers and derives 50% or more of its global annual revenue from selling personal information. The bill broadly defines personal information8 similarly to other privacy laws and excludes publicly available and de-identified or aggregate information. The bill also offers consumer rights, including the right to opt out of the sale of personal information and the use of such data for targeted advertising as well as the right to opt in to the collection of sensitive information. Consumers also can ask controllers to delete or correct their personal information. Although the bill was introduced by Senator Bradley, who also introduced the 2021 version, there are some key differences between the FPPA and the earlier bill. First, the 2022 bill does not include a private right of action. Second, the 2022 bill calls for the creation of the Consumer Data Privacy Unit within the Attorney General's office, which would be responsible for enforcing the bill.

On January 11, 2022, HB 9 was filed in the House of Representatives. Although it is similar to the FPPA, there are differences. One key difference is that HB 9 includes different criteria for application, requiring a business to meet two of the following: (1) global revenue threshold of more than $50 million; (2) buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices for targeted advertising; and (3) derives 50% or more of its revenue from selling or sharing personal information. Another key difference is that HB 9 would create a private right of action. Lastly, HB 9 excludes consumer employment contact information that is used solely in an employment context from the definition of personal information.

INDIANA

HB 1261 was pre-filed ahead of the legislature opening on January 12, 2022. Like Colorado and Virginia's privacy laws, it does not include a revenue threshold. It provides a more detailed definition of personal information than some other data privacy laws by including examples, but it also excludes publicly available and de-identified or aggregate information like all other privacy bills. Consumer rights include the right to access, right to deletion, right to correct, the right to opt out of sale or sharing, and the right to restrict, which allows a consumer to limit a business's use of sensitive data. It does not include a private right of action.

SB 358 was introduced on January 12, 2022. Businesses meeting one or more of the following criteria will be subject to SB 358: (1) has annual gross revenues in excess of $25 million; (2) alone, or jointly with others, annually: (i) buys; (ii) receives for the business's commercial purposes; (iii) sells; or (iv) shares for commercial purposes; the personal information of at least 50,000 consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling consumers' personal information. The consumer rights are the same as under HB 1261, except for the right to restrict. There is no private right of action.

MARYLAND

SB 11, the Maryland Online Consumer Protection and Child Safety Act, was pre-filed in October 2021. Businesses meeting one or more of the following criteria will be subject to SB 11: (1) has annual gross revenues in excess of $25 million (similarly to the CCPA); (2) annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 100,000 or more consumers, households, or devices; or (3) derives at least 50% of its annual revenues from selling consumers' personal information.9 The Act includes a broad definition of personal information, excluding publicly available, de-identified, and aggregated consumer information, yet it also includes a definition for "unique identifiers" that can be used to recognize a consumer or a device linked to a consumer or household, including a device number, IP address, etc. Consumers have the right to a copy of their personal information, deletion of that information, and to opt out of disclosure to a third party. The Attorney General is responsible for enforcement.

NEW JERSEY

New Jersey lawmakers proposed one bill in the Senate and two bills in the House of Representatives. Both SB 332 and HB 1971 cover requirements for commercial Internet sites and online services, including the requirement to notify consumers of the collection and disclosure of personal information, as well as to provide consumers with the ability to opt out of the sale of personal information. The Attorney General has the sole authority to enforce the bills. HB 505, also known as the New Jersey Disclosure and Accountability Transparency Act, is more closely aligned with other data privacy laws. It creates the Office of Data Protection and Responsible Use within the Division of Consumer Affairs in the Department of Law and Public Safety. The bill provides consumer rights, such as the right to correct inaccurate personal information, right to delete, and the right to object to certain processing. The bill also covers a controller's responsibilities in the event of a data breach and its responsibility to conduct data protection impact assessments as outlined in the bill. Lastly, HB 505 provides that it is an "unlawful practice and violation of the consumer fraud act for a controller or processor to violate any provision of the bill, which includes $10,000 fine for the first offense and a $20,000 for each subsequent offense."10

WASHINGTON

HB 1850, the Washington Foundational Data Privacy Act, was pre-filed on January 7, 2022. It is similar to both Colorado and Virginia's privacy laws and does not include a revenue threshold. The Act will require subject entities to register annually and conduct data protection assessments. The Act also will create the Washington State Consumer Data Privacy Commission, which will have rulemaking authority similar to the agency created under California law,11 and the Act will include a private right of action. Under the Act, consumers will have the right to access, right to deletion, right to correct, right to obtain data in a portable format, and the right to opt out of or into the collection and use of personal data for certain purposes.

DISTRICT OF COLUMBIA

B24-0451, the Uniform Personal Data Protection Act of 2021 ("UPDPA"), was introduced as requested by the Uniform Law Commission and is based on its draft of the Uniform Personal Data Protection Act.12 Like Colorado and Virginia's privacy laws, there is no revenue threshold. The UPDPA applies to "the activities of a controller or processor that conducts business in the District" or provides services "purposefully directed to residents of the District" and (1) "maintains personal data about more than 50,000 data subjects who are residents of the District, excluding data subjects whose data is collected or maintained solely to complete a payment transaction;" or (2) earns more than 50% of its annual gross revenue by maintaining personal data.13 The UPDPA expands on these thresholds by explicitly applying to a processor "acting on behalf of a controller the processor knows or has reason to know" satisfies the requirements for application of the UPDPA.14 However, it appears to exclude from coverage an entity that "processes the personal data solely using compatible data practices."15 Consumers have the right to copy and correct data, but there is no right to deletion. The bill requires controllers to conduct data privacy and security risk assessments. The Attorney General is responsible for enforcement, and no private right of action exists.

Other states expected to introduce bills include Arizona, Connecticut, Mississippi, Tennessee and Minnesota.

POTENTIAL FOR FEDERAL LEGISLATION

Many have lobbied for federal data privacy legislation, including, most recently, the U.S. Chamber of Commerce and other business groups. Although lawmakers may agree that there needs to be privacy legislation, it is unclear if such legislation will be introduced in 2022. Without federal legislation, businesses will be expected to keep up with a patchwork of state privacy laws that likely will differ in application and obligation.

CONCLUSION

It remains to be seen what 2022 holds for data privacy, but with the proposal of new laws and enacted laws taking effect in early 2023, this will be a busy year for data privacy professionals and entities that will be expected to comply with such laws. We will continue to track new legislation as information becomes available, so please check back for updates on these privacy bills and others.

Footnotes

1 David Stauss, Proposed State Privacy Law Update: Jan. 18, 2022, Byte Back (Jan. 17, 2022) [hereinafter Stauss, Jan. 18, 2022], https://www.bytebacklaw.com/2022/01/proposed-state-privacy-laws-update-jan-18-2022/. Bills in the following nine states were carried over from 2021: Alaska, Massachusetts, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, and Vermont. See David Stauss, Malia Rogers, & Shelby Dolen, Which States Will Consider CCPA-Like Consumer Privacy Bills in 2022?, Byte Back (Jan. 3, 2022), https://www.bytebacklaw.com/2022/01/which-states-will-consider-ccpa-like-consumer-privacy-bills-in-2022/.

2 Stauss, Jan. 18, 2022, supra note 1.

3 California Consumer Privacy Act ("CCPA"), Cal. Civ. Code 1798.100 et seq.

4 Colorado Privacy Act, S.B. 190.

5 Virginia Consumer Data Protection Act, SB 1392 and HB 2307.

6 HB 222.

7 Kelly Melchiondo, New Year, New Florida Privacy Law?, JDSupra (Jan. 11, 2022), https://www.jdsupra.com/legalnews/new-year-new-florida-privacy-law-2557453/.

8 Personal information is defined as "information that identifies or is linked or reasonably linkable to an identified or identifiable consumer." SB 1864.

9 SB 11.

10 HB 505.

11 The California Privacy Rights Act created the California Privacy Protection Agency.

12 David Stauss, Four More Consumer Data Privacy Bills Introduced in US, Byte Back (Jan. 9, 2022), https://www.bytebacklaw.com/2022/01/four-more-consumer-data-privacy-bills-introduced-in-us/.

13 B24-0451.

14 Id.

15 Id. "Compatible data practice" is defined in the bill, which also includes factors that may be analyzed to determine whether processing is considered a "compatible data practice." See id. "Incompatible data practice" is also defined in the bill. See id.
