January 11th, 2022 | Mark Sward, Vice President and Global Head of Privacy
Trends in US Privacy Laws: What Will 2022 Bring?
There has been no shortage of talk and action on the privacy front in legislatures around the United States in recent years, keeping businesses across the country on their toes watching state after state seriously consider — and in some cases pass — comprehensive privacy rules that put significantly more control over personal information in the hands of consumers. It’s anyone’s guess what will happen next, but we know for sure there are a few areas to watch and a lot of work we need to do in 2022.
Laws Taking Effect Soon
The California Consumer Privacy Act (CCPA) has been in effect since early 2020 and was a game-changer when it was hurriedly passed by the state legislature in 2018 under threat of a ballot initiative. Its sponsor went ahead with a successful ballot initiative anyway in 2020, significantly amending the law; the amending measure is known as the California Privacy Rights Act (CPRA). Most of the changes take effect on January 1, 2023, so businesses will be busy preparing throughout 2022. While the CCPA’s primary focus was to grant rights to consumers, including the right to be notified of collection of personal information, the right to opt out of the sale of personal information, and the right to access and delete personal information, the CPRA adds new rights for consumers and new obligations on businesses. These additions include protections for sensitive types of personal information, requirements to minimize data collection, use and retention, a duty to properly secure data against data breaches, and more complex rules around data sharing and outsourcing of data processing. The CPRA also toughens enforcement and creates a new standalone privacy regulator for California. Both the CCPA and the CPRA have significant exemptions for employee data, business-to-business customer data, and data that is already regulated by other state and federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act (FCRA). The FCRA exemption will be of particular interest to users and providers of employment background check reports, which are regulated by the FCRA.
In the 2021 legislative session, two states enacted comprehensive privacy laws: the Virginia Consumer Data Protection Act and the Colorado Privacy Act, which will both take effect in 2023. These laws share many concepts with the CCPA and CPRA, including consumer rights to be informed of how data will be processed and to access and delete their data, obligations on businesses to put in place certain privacy management and governance activities, and delineation of the roles and responsibilities of accountable “businesses” or “controllers” as well as the “service providers” or “processors” handling data on their behalf. The Virginia and Colorado laws also maintain broadly similar exemptions to the California law, including those for employees and for data covered by federal privacy laws like the FCRA. While the nuts and bolts of these laws all differ, the result for businesses handling personal information in the United States is the same: robust privacy management programs and mechanisms to inform consumers about their personal information and allow them to exercise their rights are no longer “nice-to-have” but are now “must-have” functions.
In 2022, I expect to see three areas of focus in the privacy arena in the US: first, additional states will almost inevitably pass their own privacy laws: Ohio, New York, Washington, and Oklahoma — just to name a few — have all made strides in this direction. While some new laws may hew close to their predecessors, others may break new ground and create novel challenges for US businesses. Second, at the federal level, while comprehensive privacy legislation seems unlikely in a midterm election year, we may see some rulemaking activity from the Federal Trade Commission on privacy, security, and artificial intelligence. And while comprehensive federal legislation may feel distant now, the more states that pass different privacy laws, the more pressure there will be on Congress to unify the national landscape through a federal law that preempts state laws and eliminates the compliance quagmire of a patchwork of 50 sets of rules. Finally, we may see action on a new Privacy Shield framework to legitimize transfers of personal information from the European Union (and Switzerland and the United Kingdom) to the United States to replace the one that was struck down by European courts in the summer of 2020.
While there is still plenty of uncertainty about what is coming in the field of privacy in the US in 2022, one thing is clear: businesses that handle any serious quantity of consumer personal information in the US (and particularly those that exchange it with other companies) need to get their privacy houses in order. This means hiring staff who can track, understand, and apply these new privacy rules; giving them the resources to develop privacy management programs that include privacy assessment processes, reporting, and mechanisms for consumers to exercise their rights; and modifying business practices — particularly around profiling and tracking consumers and exchanging their data with other businesses — to comply with increasingly technical demands of privacy regulators, to reduce the risks of expensive regulatory fines and consumer lawsuits, and most importantly, to build trust. Privacy professionals will need to react quickly to new rules and adjust their programs accordingly, as we likely have years of shifting landscape ahead of us.
This blog post is part of a Compliance blog series, diving into compliance trends, best practices, and updates.
Sterling is not a law firm. This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.