Despite the national and global events that took center stage in 2021, the upward trend in data privacy legislation at the state level continued and with the addition of the amendments to the Safeguards Rule, 2022 brings new compliance challenges for many businesses and financial institutions.
According to the National Conference of State Legislatures, “[a]t least 38 states introduced more than 160 consumer privacy-related bills in 2021 (compared to 30 states in 2020 and 25 in 2019).”
Many of these bills were limited in scope, relating to, for example, biometric, genetic and geolocation data, data brokers, internet service providers, and more.
Comprehensive Consumer Data Privacy Legislation – By the Numbers
The following chart shows 23 states that introduced a total of 34 comprehensive consumer data privacy bills in 2021. This is legislation that restricts the use of personal information and conveys certain rights to consumers, similar to what is found in the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation.
Some of the key provisions that are commonly tracked include consumer rights, exemptions and exclusions from coverage, contractual and security standards, and whether there is a private right of action. The following chart shows the prevalence of those provisions in the 2021 legislation.
A detailed spreadsheet showing the provisions that were included in specific bills can be found here.
New State Privacy Laws – Virginia and Colorado
The Virginia Consumer Data Protection Act was signed into law on March 2, 2021, and not long after, on July 6, the Colorado Privacy Act became law. They become effective Jan. 1, 2023, and July 1, 2023, respectively.
Although there are some differences worth attention, these laws are strikingly similar and include:
- Right to access
- Right to correct
- Right to delete
- Right to obtain
- Right to opt-out of processing
- Right to appeal a refused request
- Opt-in requirement for processing sensitive data
- Requirements for contracts between controllers and processors
- Risk assessments for processing certain data
- Entity-level Gramm-Leach-Bliley Act exemption
- No private right of action
There are limitations that apply to consumers’ rights as well as exceptions to complying with their requests, and these laws are generally perceived as industry friendly.
Gramm-Leach-Bliley Act Safeguards Rule
The Federal Trade Commission issued a final rule that amends the Safeguards Rule (the “Rule”), effective Jan. 10, 2022.
The Rule places requirements on “financial institutions” regarding information security programs and the use of customer information and is applicable to debt collectors and certain debt buyers, among others. The amended rule notably expands the “financial institution” definition and many businesses will now find themselves subject to it.
The amendments include:
- Detailed requirements for an information security program;
- New requirements for accountability, such as designation of a single “Qualified Individual”;
- An exemption from written risk assessments, incident response plans and annual reporting for certain small businesses;
- An expansion of the definition of “financial institution”; and
- New definitions and examples.
The existing rule requires covered entities to perform a risk assessment and then develop and implement safeguards to address identified risks. The amended rule adds that risk assessments 1) must include specific criteria and 2) that the risk assessment must be in writing. As for safeguards, the amended rule will require the safeguards “address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.”
While employee training and vendor oversight is part of the existing rule, the amended rule takes these to the next level. Covered entities are now required to have “mechanisms designed to ensure that such training and oversight are effective.”
Full compliance is required by Jan. 10, 2022.
What’s In Store for 2022?
- Federal legislation continues to be in play, but there are no frontrunners among the various bills introduced thus far.
- Numerous states have legislation that did not pass this year but will carry over to 2022, and some of the bills are a significant departure from what currently exists and would not be considered “industry friendly.”
- In the absence of a federal law that preempts state privacy laws, it is likely some of those state measures will be enacted.
- The newly established California Privacy Protection Agency will engage in rulemaking related to the California Privacy Rights Act of 2020, which amends the CCPA.