In the United States, January 28 is National Data Privacy Day, making it an ideal time to review 2021’s state of privacy and look ahead to what we can expect throughout the remainder of 2022.
Where Data Privacy in the United States Stands Today
The United States currently does not have a national data privacy law. With legislators facing other major priorities, this is unlikely to change in 2022. As a result, data privacy in the US will likely continue to be governed by a patchwork of laws. At the federal level, these include industry-specific regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). More general data privacy laws have also been passed at the state level.
At the state level, 2021 saw a few new privacy laws. California updated the California Consumer Privacy Act (CCPA) with the California Privacy Rights Act (CPRA). Other states joined it in passing broad privacy protections, including Colorado with the Colorado Privacy Act (CPA) and Virginia with the Virginia Consumer Data Privacy Act (VCDPA).
Outside of the US, legislative and regulatory action has had, and will continue to have, significant impacts on U.S. multinational businesses. GDPR regulators continue to take action, and the 2020 Schrems II ruling led to the creation of new Standard Contractual Clauses governing EU-US data transfers. In August 2021, Brazil’s Lei Geral de Proteção de Dados (LGPD) went into effect as part of its phased rollout. Also, China’s Personal Information Protection Law (PIPL) went into effect in November 2021, providing additional privacy protections for Chinese citizens. In September 2021, lawmakers enacted Bill 64, which aims to modernize crucial aspects of the various laws governing individuals’ privacy in Quebec, amending provisions involving consent, data protection officers, notice, individuals’ rights, and more.
What To Expect Throughout 2022
We’re nearly a month into 2022, and there have already been signs of significant activity on the data privacy front.
Implementing Regulations
California, Colorado, and Virginia passed data privacy laws in 2021 that go into effect in 2023. In 2022, these states are expected to pass regulations implementing the requirements outlined by their new privacy laws.
New State-Level Regulations
Many state-level privacy laws failed to pass in 2021. A common sticking point is the private right of action, which is being pushed by privacy advocates against stiff opposition.
However, some of these bills carried over to 2022, and state legislatures have reintroduced old bills or filed new ones for consideration during 2022 legislative sessions. To date, sixteen states are considering state-level privacy laws, and it is likely that at least some of these efforts will succeed. In some cases, state legislators are considering multiple competing bills, adding to the complexity and uncertainty of US privacy regulation.
The Executive Branch Takes Action
While the legislative branch of the U.S. government is unlikely to act on data privacy in 2022, the same cannot be said of the executive branch. President Biden has picked strong privacy advocates for leadership of the FTC and CFPB, and other federal agencies have demonstrated a focus on data security and privacy. The FTC has enforcement authority over many data privacy laws, and it and the CFPB can use their authority to act against unfair and deceptive business practices to pursue privacy goals.
Technological Evolution Influences the Privacy Landscape
The tech sector is the primary reason why data privacy laws are needed, but it can also be one of data privacy’s biggest proponents. As technology evolves, it creates new data privacy challenges but also offers potential solutions.
In 2022, technologies like artificial intelligence and the metaverse will continue to grow and evolve, creating new data privacy questions and challenges. However, other technological advances are also working to improve data privacy. For example, the emergence of Web3 and blockchain technology is offering decentralized alternatives to the traditional systems whose centralization enables the widespread collection of personal data.
How MorganFranklin Can Help
The data privacy landscape is constantly evolving. New laws are being proposed and passed in various jurisdictions, and, in some cases, action is being taken to expand and update laws that were deemed inadequate, such as the replacement of CCPA by CPRA. As a result, consumer rights and permissions expand, and businesses must evolve to maintain compliance with applicable regulations.
The complexity of the data privacy regulatory landscape can make it difficult to ensure that an organization’s business practices comply with relevant regulations. MorganFranklin’s experts have a deep understanding of the regulatory landscape and can help businesses to develop sustainable and scalable strategies to properly protect and secure customer data while aligning with business needs.