Across the United States (U.S.), 2021 was a busy year for legislative and regulatory-related consumer privacy developments. Our roundup captures some of the major updates that occurred in states throughout the year. We will continue our coverage of the state, federal and international consumer privacy landscape in 2022.
Our CPRA on the Way FAQ Guide breaks down how businesses can comply with the CPRA. We cover how the CPRA changed California privacy law and how it will impact your business, how the CPRA changed the CCPA’s applicability to businesses processing the personal information of California residents and how the CPRA defines sensitive personal information. We also clarify what consumer rights are expanded and introduced, how the personal information of children is treated and much more.
How can your business prepare for its CPRA ramp-up in 2021? The CPRA is scheduled to become effective in January 2023. With an impact on most medium to large businesses located in California or doing business in California, even companies that have already taken steps to comply with the CCPA will need to plan carefully for successful CPRA compliance. Preparations will occur over the next two years but see our 10 essential steps that companies can consider now to prepare for the CPRA. Stay tuned for our top 10 action items for 2022.
Colorado is the third U.S. state to enact comprehensive consumer data privacy legislation with the passage of the Colorado Privacy Act (CPA) on July 7, 2021. The CPA will go into effect July 1, 2023, joining the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) in the steadily growing patchwork of state-enacted consumer data privacy legislation. The CPA’s key provisions are summarized below. However, we can expect the law may undergo further change before the effective date. In the signing statement, Colorado Governor Jared Polis noted the hastily drafted bill will require clean-up legislation to “strike the appropriate balance between consumer protection and not stifling innovation” and acknowledged that the bill’s sponsors are already working with key stakeholders to draft the updated bill.
Nevada enacted an amendment that will significantly expand the scope of its existing online privacy law, SB260. Effective October 1, 2021, the amended law will impose additional obligations on qualifying “data brokers” and will permit consumers to opt-out of a broader range of sales of their personal information. The Amendment’s highlights include:
This spring, the New York City Council enacted a Tenant Data Privacy Act that enhances privacy protections in multifamily buildings in the city. Motivated by the large amounts of data that the Internet of Things (IoT) can generate in residential settings, the Act regulates the use of “smart access systems” such as smart locks and other keyless technologies to unlock entrances to common areas or individual apartments. The Act also regulates the use of utilities data such as gas, electricity, and Internet service. Key terms include notice and consent requirements, collection limits, use restrictions and minimum security obligations.
Following in the footsteps of the California Consumer Privacy Act (CCPA), the Commonwealth of Virginia has become the second U.S. state to enact comprehensive consumer data protection legislation. The Virginia Consumer Data Protection Act (VCDPA) was signed into law by Governor Ralph Northam yesterday on March 2, 2021. The VCDPA will become effective on January 1, 2023, right alongside the recently enacted California Privacy Rights Act (CPRA), which significantly amended the CCPA. The following is a brief description of the VCDPA’s key components. Keep an eye out for a forthcoming article outlining the most important differences between the VCDPA and the CPRA.