Press "Enter" to skip to content
state data privacy legislation

2021 Review of State and Federal Data Privacy Legislation

Published December 29, 2021 by Eric Rosenkoetter

state data privacy legislationDespite the national and global events that took center stage in 2021, the upward trend in data privacy legislation at the state level continued and with the addition of the amendments to the Safeguards Rule, 2022 brings new compliance challenges for many businesses and financial institutions.

According to the National Conference of State Legislatures, “[a]t least 38 states introduced more than 160 consumer privacy-related bills in 2021 (compared to 30 states in 2020 and 25 in 2019).”

Many of these bills were limited in scope, relating to, for example, biometric, genetic and geolocation data, data brokers, internet service providers, and more.

Comprehensive Consumer Data Privacy Legislation – By the Numbers

The following chart shows 23 states that introduced a total of 34 comprehensive consumer data privacy bills in 2021.  This is legislation that restricts the use of personal information and conveys certain rights to consumers, similar to what is found in the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation.

2021 Data Privacy Legislation

Some of the key provisions that are commonly tracked include consumer rights, exemptions and exclusions from coverage, contractual and security standards, and whether there is a private right of action.  The following chart shows the prevalence of those provisions in the 2021 legislation.

2021 Data Privacy Legislation

A detailed spreadsheet showing the provisions that were included in specific bills can be found here.

New State Privacy Laws – Virginia and Colorado

The Virginia Consumer Data Protection Act was signed into law on March 2, 2021, and not long after, on July 6, the Colorado Privacy Act became law.  They become effective Jan. 1, 2023, and July 1, 2023, respectively.

Although there are some differences worth attention, these laws are strikingly similar and include:

  • Right to access
  • Right to correct
  • Right to delete
  • Right to obtain
  • Right to opt-out of processing
  • Right to appeal a refused request
  • Opt-in requirement for processing sensitive data
  • Requirements for contracts between controllers and processors
  • Risk assessments for processing certain data
  • Entity-level Gramm-Leach-Bliley Act exemption
  • No private right of action

There are limitations that apply to consumers’ rights as well as exceptions to complying with their requests, and these laws are generally perceived as industry friendly.

Gramm-Leach-Bliley Act Safeguards Rule

The Federal Trade Commission issued a final rule that amends the Safeguards Rule (the “Rule”), effective Jan. 10, 2022. 

The Rule places requirements on “financial institutions” regarding information security programs and the use of customer information and is applicable to debt collectors and certain debt buyers, among others. The amended rule notably expands the “financial institution” definition and many businesses will now find themselves subject to it.

The amendments include:

  1. Detailed requirements for an information security program;
  2. New requirements for accountability, such as designation of a single “Qualified Individual”;
  3. An exemption from written risk assessments, incident response plans and annual reporting for certain small businesses;
  4. An expansion of the definition of “financial institution”; and
  5. New definitions and examples.

The existing rule requires covered entities to perform a risk assessment and then develop and implement safeguards to address identified risks. The amended rule adds that risk assessments 1) must include specific criteria and 2) that the risk assessment must be in writing. As for safeguards, the amended rule will require the safeguards “address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.”

While employee training and vendor oversight is part of the existing rule, the amended rule takes these to the next level. Covered entities are now required to have “mechanisms designed to ensure that such training and oversight are effective.”

Full compliance is required by Jan. 10, 2022. 

What’s In Store for 2022?
  • Federal legislation continues to be in play, but there are no frontrunners among the various bills introduced thus far.
  • Numerous states have legislation that did not pass this year but will carry over to 2022, and some of the bills are a significant departure from what currently exists and would not be considered “industry friendly.”
  • In the absence of a federal law that preempts state privacy laws, it is likely some of those state measures will be enacted.
  • The newly established California Privacy Protection Agency will engage in rulemaking related to the California Privacy Rights Act of 2020, which amends the CCPA.
Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Published in Compliance Management, Data Privacy and Security, Federal Regulation, FTC and State & Local Regulation

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.