Keypoint: At least fifteen state legislatures are poised to consider CCPA-like consumer privacy legislation in 2022 with lawmakers in Arizona, Connecticut, Florida, Minnesota, Mississippi, and Washington confirming they will be introducing bills, a bill already being pre-filed in Maryland, and eight states with bills that will carry over from the 2021 session.
The continuing emergence of proposed state privacy laws will be a dominant story for privacy professionals in 2022.
In 2021, lawmakers in twenty-seven states proposed CCPA-like privacy legislation. We tracked these bills through our weekly updates, State Privacy Law Tracker, and Legislating Data Privacy podcast series.
This year, we contacted lawmakers who proposed bills in 2021 and asked them to share their plans for 2022. We received many responses, which we chronicle below along with updates on bills that we have been tracking over the summer and fall. Of particular note, Representatives Shelley Kloba (Washington), Steve Elkins (Minnesota), and Collin Walke (Oklahoma) provided extensive comments on their 2022 proposals.
In summary, currently fifteen states are poised to consider legislation in 2022. Lawmakers in Arizona, Connecticut, Florida, Mississippi, Minnesota, and Washington confirmed they are preparing bills to introduce, and in Maryland Senator Lee already pre-filed a bill. Bills introduced last year in Alaska, Massachusetts, New York, North Carolina, Ohio, Oklahoma, South Carolina, and Vermont will carry over to the 2022 session. More states are sure to follow.
On the other hand, lawmakers in Illinois and Utah would not commit to supporting legislation in 2022.
In the coming weeks, we will be releasing our 2022 State Privacy Law Tracker and resuming our weekly updates. Subscribe to our blog to stay updated.
Below is an analysis of the states we have identified to date.
Last year, the Alaska legislature considered HB 159 / SB 116, which will carry over into the 2022 session. On December 6, 2021, the House Labor and Commerce Committee held a hearing to discuss changes made to the House bill between sessions. Alaska’s legislative session opens January 19, 2022.
In 2021, Representative Domingo DeGrazia introduced HB 2865. Representative DeGrazia confirmed he will be filing at least one privacy bill in 2022. Arizona’s legislature opens January 10, 2022.
In 2021, the Connecticut legislature considered SB 893, a bill modeled on the Washington Privacy Act. After the bill did not pass, the bill’s sponsor, Senator James Maroney, convened a privacy working group comprised of various stakeholders to prepare the bill for the 2022 legislative session.
The working group has met monthly since September and considered various topics, including exceptions, Attorney General rulemaking authority, a right to cure and whether it should sunset, and whether to add a global privacy control (GPC) signal requirement.
The working group heard from many individuals, including Stacey Schesser of the California Attorney General’s office, Minnesota Representative Steve Elkins, Colorado Senator Robert Rodriguez (author of the Colorado Privacy Act), Professor Sebastian Zimmeck of Wesleyan University (who spoke on the GPC signal), Maureen Mahoney from Consumer Reports, Michele Lucan from the Connecticut Attorney General’s office, Paul Martino of the National Retail Federation, Susan Grant of Consumer Federation of America, and Alexandra McLeod of the Internet Association. The working group also considered the Virginia Consumer Data Protection Act Work Group Final Report.
The Connecticut legislature opens February 9, 2022.
Florida was on the cusp of passing legislation last year but could not reach agreement on all issues before the session closed. Al Saikali’s blog, Privacy & Data Security Law Journal, was a great resource for tracking the Florida legislation.
Over the summer, we spoke with Representative Fiona McFarland on our podcast, and she indicated that Florida would pick up the legislation in 2022. Florida allows for pre-filing of bills but Representative McFarland has yet to file a privacy bill as of the date of this article.
The Florida legislature opens January 11, 2022.
Senator Susan Lee pre-filed the Maryland Online Consumer Protection and Child Safety Act (SB 11) in October. The Maryland legislature opens January 12, 2022.
In March 2021, companion bills were introduced in the House (H.136) and Senate (S.46). The Massachusetts Information Privacy Act is generally modeled off legislation Representative Shelley Kloba proposed, and the ACLU supported, in Washington.
In March, both bills were referred to the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity. The Committee held a hearing on the bills on October 13, 2021, but has not scheduled any additional hearings to date.
The Massachusetts legislature is open year-round, and the bills will carry over into 2022.
Last year, the Minnesota legislature considered HF 1492, the Minnesota Consumer Data Privacy Act, sponsored by Representative Steve Elkins. Representative Elkins’ office provided us with the following update on the status of the bill for the 2022 session:
This bill, as introduced, is a veritable clone of the original 2021 version of the Washington Privacy Act (SB5062). It was first heard in a between-sessions “informational hearing” in the House Commerce Committee on Sept 27, 2021. Maintaining a basic level of consistency with the WA/VA/CO framework is one of the author’s priorities; however, Rep Elkins has been actively soliciting feedback from a broad array of stakeholders which will be reflected in amendments which are currently being drafted.
Rep Elkins is an IT Information Architect with 25 years of experience in data management, so look for new language incorporating “Privacy by Design” principles (e.g., data minimization, retention, encryption, de-identification/pseudonymization, etc.) into the section on Data Protection Assessments. Additional FCRA-like rights related to “decisions that produce legal effects” from profiling may be added. Data “ownership” may be explicitly addressed. The re-identification of de-identified/anonymized data by parties other than the controller may be expressly prohibited. The need for law enforcement to obtain warrants to procure data may be expressly stated.
As in other states, vigorous discussion on issues such as “private right of action”, definition of “sale”, “global opt out”, “right/ability to cure”, and integration with existing federal and state laws should be expected as the bill goes through the committee process. The bill must be heard in the Commerce and Judiciary and Civil Law committees in both chambers. The Minnesota legislature re-convenes on January 31, 2022 and must adjourn by May 23, 2022.
Representative Angela Turner-Ford confirmed she intends to re-introduce the Mississippi Consumer Data Privacy Act (SB 2612) in 2022. The Mississippi legislature opens January 4, 2022.
Lawmakers introduced a number of privacy-related bills in 2021, perhaps most notably Senator Kevin Thomas’ New York Privacy Act. The Senate Consumer Protection Committee voted out the bill in May. It was eventually referred to the Rules Committee in June. The bill will carry over into 2022.
The New York legislature opens January 5, 2022.
In 2021, Senator Joyce Waddell and others introduced the North Carolina Consumer Privacy Act. The bill was referred to the Committee on Rules and Operations of the Senate, where it has remained idle. The bill will carry over into 2022.
The North Carolina legislature opens January 19, 2022.
The Ohio Personal Privacy Act was introduced on July 13, 2021 and referred to the House Government Oversight Committee. From September to December, the Committee held four hearings on the bill but has yet to vote on it. In December, it was reported that the bill had been held back from a Committee vote to allow for further consideration. The bill will carry over into 2022.
In 2021, the Oklahoma legislature considered HB 1602 – the Oklahoma Computer Data Privacy Act – sponsored by Representative Collin Walke. The bill passed the House but did not see movement in the Senate. It will carry over to the 2022 legislative session.
Representative Walke provided us with the following status report on HB 1602:
The Oklahoma Computer Data Privacy Act, HB1602, passed the House 85-11 last session and is awaiting a hearing in the Senate Judiciary Committee. The former Chair of the Judiciary Committee would not hear the bill last session, but we are optimistic the new Chair will. If it passes committee, it would then be voted on by the entire Senate. Upon passing the Senate, it would come back to the House for final approval (which should not be an issue).
As it stands, there are no notable changes to HB1602; however, I do anticipate it being amended to accommodate certain exemptions that were not adequately covered in the original draft.
The proposed amendments will help to pass the bill because it will clean up exemption language that exists in other states.
This bill is unique because it is opt-in, not opt-out. Additionally, it includes a “right to be forgotten.”
In September, Representative Walke pre-filed a second bill – HB 2968.
The Oklahoma legislature will convene on February 7, 2022.
Pennsylvania lawmakers considered HB 1126 in 2021. Lawmakers introduced the bill in April and referred it to the Consumer Affairs Committee where it remained idle. The bill will carry over to 2022.
The Pennsylvania legislature is open year-round with recesses. It is set to reconvene on April 1, 2022.
Last year, the Utah legislature considered SB 200, sponsored by Senator Kirk Cullimore and Representative Brady Brammer. Asked to comment on his plans for 2022, Senator Cullimore stated that “we haven’t decided whether to open the bill yet. We are still meeting with stakeholders to see if it is something we will tackle this year.”
The Utah legislature opens January 18, 2022.
Lawmakers introduced the South Carolina Biometric Data Privacy Act (H3063) in 2021. The bill was referred to the House Committee on Labor, Commerce, and Industry where it remained. The bill will carry over to the 2022 session, which begins on January 11, 2022.
Representative Maida Townsend sponsored H.160 in 2021. Representative Townsend confirmed that the bill will carry over to the 2022 session, which opens on January 4, 2022.
Washington has been at the center of proposed state privacy legislation for the past few years with Senator Reuven Carlyle’s Washington Privacy Act. We reached out to Senator Carlyle and asked for the status of the 2022 Washington Privacy Act but did not receive a response. As of the time of this article, the Washington Privacy Act is not listed among pre-filed bills.
In 2021, Representative Shelley Kloba introduced a competing bill in the House – the People’s Privacy Act. Representative Kloba provided us with the following update on her bill:
My bill HB 1433, the People’s Privacy Act, is undergoing amendment and will be available to be heard in committee once session starts on January 10, 2022.
I have made a few changes to the bill this year, some of which are inspired by Brazil’s LGPD, which took effect in May 2021. I added 2 new rights to those previously granted by my bill:
-the right to refuse consent for any processing of an individual’s data that is not central to the primary transaction, including transfers of personal information to third parties who are not part of the primary transaction
-the right to revoke consent
I model the scope of the bill after the LGPD. The covered entities include all companies anywhere that collect or process data about residents of WA. Generally speaking, companies should respect your rights uniformly and without respect to company size or location.
I change the effective date and give additional time after that for companies to come into compliance. Further changes expand the definition of PII to include location and biometric data.
Previous bills have not been able to get enough votes to get out of the House, so we must consider other approaches. My bill differs from the industry-written bills brought forward in WA and around the country. The standard these bills are setting is low and only provides the barest privacy basics for consumers. For too long, the American people have accepted that the information about their every action on every connected device will be collected, packaged, analyzed, and turned into a product that is then monetized for corporate gain. Consumers and legislators are realizing that it does not have to be this way. Instead, my bill moves toward privacy by design and responds to the need for more robust protections and appropriate avenues for recourse when the consumer’s rights have been violated.
No 2022 Sessions in Montana, Nevada, North Dakota, and Texas
The legislatures in these states meet every other year and will not be in session in 2022.
Alabama, Illinois, Kentucky, Rhode Island, Tennessee, and West Virginia
Illinois lawmakers proposed two bills in 2021 – HB 3910 (Consumer Privacy Act) and HB 2404 (Right to Know Act). Representative Michelle Mussman – the sponsor of the Consumer Privacy Act – reported that she does not plan to move the legislation forward this session.
Finally, we contacted lawmakers in Alabama, Kentucky, Rhode Island, Tennessee, and West Virginia but did not hear back at the time of publication of this article.
In the coming weeks, we will be releasing our 2022 State Privacy Law Tracker and resuming our weekly updates.