Since the passing of the California Consumer Privacy Act in 2018 and the California Privacy Rights Act (CPRA), lawmakers across the United States have rushed to introduce comprehensive privacy laws in their own states. While just two states--Colorado and Virginia--have signed such acts into law, the pendulum has been put in motion, and as of March 2022, almost every state in the union has a privacy bill on the docket for the 2022 session. Most of those bills likely won't make it to the governor's desk, but it's a fair assumption that a few will, and that could mean major changes in the US privacy and compliance landscape.
In this blog, we'll cover a few of the most important bills currently working their way through the legislative system, including those that go into effect next year and those that would have the largest effect on businesses should they pass.
For a more in-depth view of the emerging US privacy landscape, check out our State Privacy Law Tracker, where we break down every proposed US privacy law and how they affect businesses.
If you have any questions about the compliance or security of your website, contact our team of experts for a compliance and security evaluation.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) may have passed in 2020, but it goes into effect on January 1st, 2023, and there are still bills in legislation that could amend the law. The CPRA expands upon the California Consumer Privacy Act (CCPA) of 2018 with new rights (the right to rectification and the right to limit the use and disclosure of sensitive personal information), increased enforcement via a new enforcement agency, and the additional requirement of a 'Do Not Share' button.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) became law on July 8th, 2021, and takes effect on July 1st, 2023. The CPA applies to companies that conduct business in Colorado and either control or process the personal data of 100,000 or more Colorado residents in a year, or both derive revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers. The law introduces the rights of access, deletion, correction, and data portability for Colorado citizens. Two further changes take effect in 2025: the removal of a grace period for fixing violations and the introduction of a “universal opt-out” mechanism for data sales.
Florida Consumer Data Privacy Act
Florida lawmakers made headlines last week when the Florida House of Representatives passed the Florida Consumer Data Privacy Act by a vote of 103 to 8. This is the second time the bill has been passed by the House. The bill would be Florida’s first comprehensive data privacy law, and it enshrines the rights of access, deletion, correction, and data portability into state law. The law does not require opt-in consent but does mandate the right to opt out of data processing.
Massachusetts Information and Privacy and Security Act
Massachusetts lawmakers have tried--and failed--to push several privacy laws through in recent years, but this most recent version has made more headway than most, and if passed, it would surpass even California's CPRA as one of the strictest privacy laws in the United States. Under the proposed law, individuals in Massachusetts would have the rights of access, deletion, correction, data portability, and consent, meaning they have the right to consent before their personal information is collected and processed, and that consent must be informed, unambiguous, and freely given. In practice, compliance with the law would closely mirror GDPR compliance.
Additionally, the bill would form an enforcement agency and put a private right of action in place.
New Jersey Data Accountability Transparency Act
The New Jersey Disclosure and Accountability Transparency Act (NJ DaTA) has been reintroduced for the 2022-23 session and would provide the rights of access, correction, deletion, and data portability for NJ residents. Like Massachusetts's proposed law, NJ DaTA would also require affirmative, opt-in consent for the collection and processing of personal data, and would establish an enforcement agency, though there is no private right of action proposed in the current language of the act.
Utah Consumer Privacy Act
Utah's CPA has cleared both houses of the Utah legislature as of March 4th, 2022, putting Utah on track to become the fourth state to pass a comprehensive privacy law. The law closely resembles Virginia's Consumer Data Privacy Act. Utah consumers would be granted the rights of access, correction, deletion, and portability, as well as the right to opt out of data processing. If signed, the law will go into effect December 31, 2023.
Virginia Consumer Data Protection Act
Virginia’s Consumer Data Protection Act (CDPA) goes into effect on January 1st, 2023. The CDPA applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents, and that control or process the personal data of at least 100,000 Virginia consumers or just 25,000 consumers if over 50% of the business’s gross revenue derives from selling personal data. The CDPA will give consumers the right to access, correction, deletion, and data portability, and requires an opt-out mechanism.
How Ensighten Can Help
These state laws would not only bring new rights to consumers; they're also pressing new responsibilities—and penalties—on businesses and marketers. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the CCPA, CPA, CDPA, GDPR, and any future privacy laws.
Request a demo to see how Ensighten can help your organization meet its compliance and client-side security needs.