Celebrating National Data Privacy Day by Noting Recent Developments in the Law

Bilzin Sumberg

Today (January 28, 2022) is National Data Privacy Day. While not a day of celebration with cards or gifts, the day does provide an opportunity to check in on the developments in consumer data privacy across the United States. What can we safely expect to see by the time National Data Privacy Day rolls around in 2023? The short answer is, “plenty.”

Companies that do business in, or collect data from residents of, Colorado and Virginia should spend 2022 ensuring that their internal data privacy controls comply with those states’ new data privacy laws.

The Virginia Consumer Data Protection Act (“VDCPA”), which passed in March 2021, will go into effect on January 1, 2023. Colorado’s Privacy Act (the “CPA”) will take effect on July 1, 2023. Both the VDCPA and the CPA, like the California Consumer Privacy Act and Europe’s General Data Protection Regulation, afford consumers substantial protection and control over their data. Companies subject to the VDCPA and CPA must provide consumers with the right to submit requests to access, correct, or delete data and personal information. Both the VDCPA and CPA also permit consumers to opt out of targeted advertising, the sale of personal data, and “profiling” that would enable businesses to determine whether to provide or deny consumers financial, education, housing, insurance, or health care services, or access to basic necessities.

Neither the VDCPA nor the CPA affords consumers a private right of action. Enforcement of these statutes falls directly under the purview of the states’ Attorneys General or District Attorneys.

Speaking of private rights of action, all eyes are on Florida’s legislature as dueling data privacy bills make their way through Florida House and Senate committees (House Bill 9 and Senate Bill 1864, respectively). Like California, Virginia and Colorado, each proposed Florida law would afford consumers the right to access, correct and delete data. Florida House Bill 9 would also require companies to delete any personal information three years after the consumer’s last interaction with the company, or after the company fulfilled the initial purpose for which it collected the consumer’s data. House Bill 9 is arguably the more aggressive of the two proposed bills, and includes a private right of action against businesses for violations. If passed, it would be the first data privacy law in the United States to create a private right of action for violation of the law’s privacy provisions.

Finally, 2022 could be eventful for federal data privacy.  

On January 10, 2022, the FTC’s final rule amending the Gramm-Leach-Bliley Act’s (“GLBA”) “Safeguard Rule” went into effect. Financial institutions subject to the GLBA must perform risk assessments, in writing, and then develop safeguards to address identified risks. Those safeguards must address “access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.”

Additionally, in a recent poll from Morning Consult and Politico, 56 percent of registered voters polled said they support federal data privacy legislation. In 2021, Senator Ron Wyden (Oregon-D) introduced the “Mind Your Own Business Act,” Senate Bill 1444, which would require specified commercial entities that operate “high-risk information systems” or “automated-decision systems” to develop opt-out processes for consumers. “High-risk” systems are those that raise security or privacy concerns, involve the personal information of a significant number of people, or systematically monitor a large, publicly accessible physical location. Companies that use those high-risk systems must evaluate the extent to which they protect against the risk of exposing personal information. Certain companies would have to submit annual reports to the government, and their corporate officers would have to certify compliance with FTC regulations. Senator Wyden’s bill has yet to make it out of the Senate Finance Committee, but given the growing public interest in data privacy, 2022 may be the year that federal privacy legislation finally gains traction.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bilzin Sumberg | Attorney Advertising
