Land of the Free: The 2022 Guide for US Data Privacy Regulations

Batja Huisman
Batja Huisman
Mar 29, 2022
min read
Land of the Free: The 2022 Guide for US Data Privacy Regulations

Data privacy is on a roll and continues to evolve regularly, with new laws coming into play and existing ones getting amended. Blink, and you’ll miss the latest updates. We’re here to make it a little easier to keep track of the latest data privacy regulations. Check out this summary of notable data privacy developments across the US. 

CCPA, CRPA, and Everything in Between 

An upcoming law in sunny California called the California Privacy Rights and Enforcement Act (CPRA) is set to replace and amend some of CCPA, which we’ve all grown to know and appreciate. CPRA passed in late 2020 and will come into effect in early 2023. The new law extends the protected privacy rights and offers clear and strict demands to businesses, such as: 

  • Establishing the California Privacy Protection Agency (CPPA), a new data enforcement organization. The CPPA will be responsible for rule-making instead of the California Attorney General’s office, with authority to initiate investigations. 
  • Adding a Sensitive Personal Information category covering specific data.
  • Adding two new privacy rights that aren’t included under the CCPA: The right to correct inaccurate information and limit the use and disclosure of sensitive information. 
  • Holding businesses that didn’t collect or process information but merely shared it responsible for their treatment of data. 
  • Adding a mandatory annual security audit that covers all cybersecurity measures taken to prevent data breaches. 
  • Creating new and strict penalties.  

While the new law will only be entirely relevant in 2023, it already applies to data that is collected today. Businesses must study it as soon as possible and be more cautious with users’ personal information. We can expect new security and processing methodologies to be implemented in companies across the US and beyond very soon. 

Colorado Joins The Data Party With The CPA

In July, the Colorado Privacy Act (CPA) was signed into law and is scheduled to come into effect two years later, in July 2023. CPA was created with earlier data privacy laws like the GDPR, CCPA, and VCDPA in mind, taking clear inspiration from these regulations as many other new laws have. 

Here are some of the main sections:  

  • In addition to the right to delete and correct data, CPA gives customers the right to opt-out of data processing activities that include online ads and profiling, trading their personal information, and more. This can be considered part of the right to be forgotten. 
  • The applicability of the CPA is a bit different from other laws like the CCPA. Colorado doesn’t set an annual revenue threshold or demands any percentage of revenue to stem from data trading, but the law applies to businesses processing the data of at least 25,000 consumers. 
  • The CPA grants consumers the right of access, meaning that businesses must gain consent to access their personal data. The law clearly states that a general, broad request does not constitute consent, and consumers must be given a transparent explanation of the company’s data use. 
  • The CPA does not set a specific fine, but violations could be considered deceptive trade practices under the Colorado Consumer Protection Act, reaching penalties of up to $20,000 per violation. 
  • While federal agencies are likely to be exempt, the law does apply to non-profit organizations, which were used to flying under the data privacy radar up until now. 

Companies looking to do business in Colorado should pay close attention and adjust their data compliance guidelines accordingly. Those organizations with vague data privacy policies and consent documents should amend them to meet the new standards. 

Virginia Gets Practical With The VCDPA

After signing the Virginia Consumer Data Protection Act (VCDPA) into law in 2021 and before it goes into effect in January 2023, Virginia dives deep into the implementation process. A working group gathered for several meetings focused on advising companies regarding the new law. The critical message to companies is that VCDPA will be strict, and businesses should prepare themselves. The right to cure, which gives companies time to correct their data privacy mistakes before facing any legal consequences, is scheduled to remain for the first couple of years, but violations will be treated harshly after that. 

The State is already discussing amendments to the law, including the founding of a state agency with rule-making authorities, increasing the enforcement budget, and more. It’s impressive to see how quickly laws learn from one another and adapt to new standards. 

Utah shows they’re serious with the UCPA

This March, the Utah House of Representatives unanimously passed a consumer privacy bill- the Utah Consumer Privacy Act - which has officially been signed into law by their governor. The UCPA is planned to go into effect on December 31, 2023, making Utah the fourth State to pass comprehensive data privacy regulations. As with other privacy regulations, it includes consumer rights such as the right to access, copy, and delete information, something that businesses should prepare themselves for to make sure their policies and workflow are ready to handle.

More States to Watch

The race to privacy takes place in dozens of states, but certain advancements are moving a little faster: 

  • Illinois: The state introduced a new data protection and privacy bill, the Consumer Privacy Act (ICPA). The law is meant to offer extended privacy protection, thus creating new consumer rights that allow the public to request a data report, have personal information deleted, and more. 
  • New York: The Big Apple is big on data privacy, with four different law proposals that follow other states like California and Illinois. One of these suggested laws is the New York Privacy Act (NYPA), which proceeds to additional readings and, if passed, will require organizations to disclose their mechanisms of de-identifying personal information. 
  • Massachusetts: The state is considering the Massachusetts Information Privacy Act (MIPA), which will hold companies responsible for the care and safeguarding of user data, treating it with loyalty and confidentiality. If passed, the law will prevent companies from processing or sharing personal information with other parties by placing high importance on user consent. 

An Interesting Take on the Federal Option

The notion of a federal privacy law was never off the table, but recent news from the Federal Trade Commission (FTC) is particularly worth noting. In December, the FTC officially filed an Advanced Notice of Proposed Rulemaking, asking to consider giving the agency rule-making authority regarding data privacy and security rights. Even if such rights are never granted, this could be another meaningful step towards a comprehensive federal law protecting US citizens and changing the data privacy game. While some public representatives have been pushing for a federal law for the past few years, there are heated debates around the scope of such law, the cost of compliance, and other critical details. 

Businesses everywhere should pay close attention to the above, but not just because of the steps taken by any specific state. Growing awareness around the topic has made data privacy an integral part of companies’ user experience and customer service standards in the eyes of consumers. The overarching conclusion is that data privacy waits for no one, and no matter where you conduct business, it will become a relevant issue for all businesses sooner or later. Establishing the proper guidelines and embracing technologies like Mine PrivacyOps will help companies avoid the surprise factor and make meeting law requirements easier when and where they become relevant.