2022 is poised to be a busy year for privacy, as California begins rulemaking for its updated consumer privacy statute and dozens of states are expected to reintroduce legislation.
Colorado and Virginia both passed consumer privacy legislation in 2021, complicating the compliance patchwork for companies, attorneys say. And while those two states were the only ones to pass such laws in the last year, a handful of others came close to the finish line, making a whirlwind of activity likely for 2022, they say.
States ranging from Oklahoma to Connecticut are being bandied about as prospective states for 2022 laws by legislation watchers. Debates over whether to include private rights of action and proper enforcement mechanisms remain, but privacy is no longer a partisan issue, said Al Saikali, the Miami-based chair of Shook Hardy & Bacon LLP’s privacy and data security practice.
“It’s no longer a Democrat thing or a Republican thing, and you’re increasingly seeing calls for greater privacy from both,” Saikali said. “They see these laws as a way to dial back Big Tech.”
The Uniform Law Commission in July unveiled a standardized data protection bill, with the hopes of it being a model privacy bill for states to pick up. Some state legislators may curb that bill or adapt it in their own versions, said Karen Shin, an associate at Blank Rome LLP in Irvine, Calif.
“That proposal is something that hopefully will allow some states to have consistency in legislation,” Shin said.
And the passage of bills in Colorado and Virginia is likely to increase momentum in other states, as is the introduction and reintroduction of legislation across the U.S., said Molly Whitman, counsel at Akin Gump Strauss Hauer & Feld LLP in Los Angeles.
“We’re getting geographical diversity, political diversity,” Whitman said. “We’ve got all these bills that have been waiting in the wings, and 2022 could be their year.”
The Washington Privacy Act failed in 2021 for the third year in a row after lawmakers were hamstrung on whether to include a private right of action.
Private rights of action—which allow consumers to sue for alleged violations of the law—remain a sticking point for legislators, with some calling them too stringent on business and others calling them an important means of exercising privacy rights, said David Saunders, a partner at McDermott Will & Emery in Chicago.
Still, Washington is a state to watch in 2022, Saunders said.
Florida came close to passing legislation in 2021, as did Oklahoma, making them potential contenders in the new year, Saikali said. New York and Ohio are also worth monitoring, Saunders said.
Trends to Watch
A “big piece of the puzzle” is whether legislation is supported by a state’s attorney general, said Dave Stauss, the Denver-based co-chair of Husch Blackwell LLP’s data privacy and cybersecurity practice.
“Colorado really hit warp speed when Attorney General [Philip J.] Weiser said he supported the bill,” Stauss said. “Juxtapose that with Washington state where the AG’s office testified against the Washington Privacy Act.”
It will be interesting to see whether state bills include right-to-cure provisions for businesses, Stauss added.
Some privacy advocates have called these provisions a roadblock to meaningful enforcement, and they remain hotly contested in legislative talks.
Besides additional legislation, attorneys should watch Virginia, Colorado, and California to see if those laws are amended, and as implementing regulations are issued over the course of 2022, said Vivek Mohan, a cybersecurity and data security partner at Mayer Brown LLP in Palo Alto, Calif., and San Francisco.
The California Privacy Protection Agency is tasked with promulgating regulations in 2022 for the state’s new California Privacy Rights Act.
“We’re in uncharted territory in California in terms of the structure of rulemaking—the board and agency, that’s a new framework,” Mohan said. “It’ll be interesting to see whether regulations will add more color to existing requirements or impose even more obligations for businesses.”
The prospect for a comprehensive federal privacy law coming to the fore in 2022 is slim, attorneys say.
“The politics are so intense in a midterm year, and members of Congress are probably devoting more time toward their reelection campaigns and supporting their own parties,” said Mary Hildebrand, the Roseland, N.J.-based founder and chair of Lowenstein Sandler LLP’s privacy and cybersecurity group. “2023 may be more fruitful, and it would give us another year for states to adopt more laws.”
On top of that, the federal government may not view it as much of a priority—with the Covid-19 pandemic still raging and other legislative issues dominating—since Virginia, Colorado, and California, though different, are not wildly dissimilar, said Gretchen Ramos, the San Francisco-based global co-chair of Greenberg Traurig LLP’s data, privacy, and cybersecurity practice.
“Even though privacy legislation is something both sides of the aisle want to do something about, I don’t think it’s going to happen” in 2022, Ramos said.
That said, lawmakers at the state and federal level may have success with passing legislation that deals with related issues, such as biometric privacy, kids’ online safety, and automated decision-making, she said.
Which jurisdictions—if any—pass privacy legislation in 2022 is contingent on a host of factors including lawmaker preferences, other legislative priorities, session timing, and enforcement model discussions, said Saunders, the McDermott attorney.
That’s something that may be predicted, but the debate and circumstances are constantly shifting, he said.
“It’s going to be a bit of a Wild Wild West,” Saunders said.