Data privacy laws: What you need to know in 2022

by Osano Staff · posted on July 4, 2022 · 17 min read

Virtually every country has enacted some sort of data privacy law to regulate how information is collected, how data subjects are informed, and what control a data subject has over their information once it is transferred. Failure to follow applicable data privacy laws may lead to fines, lawsuits, and even prohibition of a site's use in certain jurisdictions. Navigating these laws and regulations can be daunting, but all website operators should be familiar with the data privacy laws that affect their users.

Here are the laws and regulations you should be aware of for 2022. We'll update this list as new laws pass. 

U.S. data privacy laws

Despite numerous proposals over the years, there is not yet a single comprehensive federal law that governs data privacy in the U.S. A newly proposed federal privacy law, the American Data Privacy Protection Act (ADPPA), has made it further than any of its predecessors.

Until it passes, however, there's a complex patchwork of sector-specific and medium-specific laws, including laws and regulations that address telecommunications, health information, credit information, financial institutions, and marketing. 

An important enforcement agency in the U.S. is the Federal Trade Commission (FTC). Its authority to regulate on behalf of consumer protection comes from the Federal Trade Commission Act (FTC Act), which gives it broad jurisdiction over commercial entities under its mandate to prevent unfair or "deceptive trade practices." In 2021, a proposal that would have granted the FTC an additional $500 million was shelved, but there is talk that the FTC may finally get the budget, resources, and personnel it needs to perform as the country's de facto privacy regulator.

Regardless, while the FTC does not explicitly regulate what information should be included in website privacy policies, it uses its authority to issue regulations, enforce privacy laws, and take enforcement actions to protect consumers. For example, the FTC might take enforcement action against organizations that:

  • Fail to implement and maintain reasonable data security measures.
  • Fail to abide by any applicable self-regulatory principles of the organization's industry.
  • Fail to follow a published privacy policy. 
  • Transfer personal information in a manner not disclosed on the privacy policy.
  • Make inaccurate privacy and security representations (lying) to consumers and in privacy policies. 
  • Fail to provide sufficient security for personal data.
  • Violate consumer data privacy rights by collecting, processing or sharing consumer information.
  • Engage in misleading advertising practices.

Other federal laws that govern the collection of information online include:

State data privacy laws

The U.S. has hundreds of sectoral data privacy and data security laws among its states. U.S. state attorneys general oversee data privacy laws governing the collection, storage, safeguarding, disposal and use of personal data collected from their residents, especially regarding data breach notifications and the security of Social Security numbers. Some apply only to governmental entities, while others apply only to private entities, and some apply to both. 

In addition to sectoral privacy laws, the U.S. is experiencing a massive drive toward privacy legislation at the state level. That's because the federal government hasn't been able to find consensus on how to legislate broadly. Rather than wait, state lawmakers have felt nudges from consumers, consumer advocates, and even companies to set their own rules. Of course, companies would rather comply with one single federal standard than hire an attorney to review every statewide statute with which they must comply, so state pushes are a stopgap. But if that's what the states must do, then that's what they have to do.

California started the domino effect. While it’s true that only five states (California, Colorado, Connecticut, Utah, and Virginia) have been able to pass a comprehensive law to date, many states are trying. Even if their early bills have failed in previous legislative sessions, they serve as a reference point for Republicans and Democrats to begin their amendment work before any deal can reach its final destination: the governor’s desk.

Here’s a breakdown of where things stand.

California Consumer Privacy Act (CCPA)

The most comprehensive state data privacy legislation to date is the California Consumer Privacy Act (CCPA). Signed into law on June 28, 2018, it went into effect on January 1, 2020. The CCPA is cross-sector legislation that introduces important definitions and broad individual consumer rights and imposes substantial duties on entities or persons that collect personal information about or from a California resident. These duties include informing data subjects when and how data is collected and giving them the ability to access, correct and delete such information. This notice must be disclosed in a privacy policy displayed on the entity's website that collects the data.

California Privacy Rights Act (CPRA)

Companies were not thrilled when a real estate agent in California got a question on the ballot in the form of the California Consumer Privacy Act. But nevertheless, Alastair Mactaggart collected enough signatures to put forward a citizen’s initiative, meaning it didn’t need to pass through the normal legislative process requiring votes from the California Assembly and Senate. And once it passed, it was clear the people had spoken. Companies were then forced to swallow a hard pill: It was time to change processes to comply with the nation’s first comprehensive privacy law. 

Then, just two years later, Mactaggart was back with what was nicknamed "CCPA 2.0." The California Privacy Rights Act passed the ballot in November 2020 and builds on the CCPA, amending provisions Mactaggart and his team wanted to be included in the CCPA but couldn’t push across the finish line at the time. 

The CPRA added the following to the CCPA: 

  • Right to rectification: This updates and adds to a consumer’s right to correct inaccurate personal information. 
  • Right to restriction: This grants consumers the right to limit the use and disclosure of their sensitive personal information. 
  • Sensitive personally identifiable information: This updates the definition of personal information. Certain types of information, like a consumer's Social Security number, must be treated with special protections.

The CPRA also:

  • Increases fines for breaches of children’s data threefold.
  • Expands breach liability beyond breaches of unencrypted data to disclosures of credentials (like an email address or password) that could lead to access to a consumer’s account. 
  • Limits the duration of time a company may retain a consumer’s information to only what’s necessary and “proportionate” to the reason it was collected in the first place. 
  • Requires companies using third-party vendors to mandate contractually that those third parties exercise the same level of privacy protection to data shared with them as the first party. 

One of the more progressive changes within the CPRA is how it will be enforced. While state attorneys general typically handle privacy cases — unless the Federal Trade Commission is involved, and even then, it’s often a partnership — the CPRA establishes a new privacy regulator. 

The California Privacy Protection Agency will be empowered to fine transgressors, hold hearings about privacy violations and clarify privacy guidelines. It is a five-member board, and it starts enforcing on July 1, 2023, six months after the CPRA goes into effect.


Virginia's Consumer Data Protection Act (CDPA) 

Virginia's Consumer Data Protection Act (CDPA) was passed on March 2, 2021. It grants Virginia consumers certain rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected and with whom it's shared.

The law contains some similarities to the EU General Data Protection Regulation's provisions and the California Consumer Privacy Act. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also do one of the following:

  • Control or process the personal data of 100,000 or more consumers.
  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information. 

The CDPA requires companies covered by the law to assist consumers in exercising their data rights by obtaining opt-in consent before processing their sensitive data, disclosing when their data will be sold and allowing them to opt out. It also requires companies to provide users with a clear privacy notice that includes a way for consumers to opt out of targeted advertising. 

The CDPA becomes effective the same day as California's latest privacy law, the CPRA, which replaces its former iteration, the CCPA, on Jan. 1, 2023. It's likely lawmakers will amend the law before then, so it's a good idea to keep an eye on this law as it evolves. 

Colorado Privacy Act (CPA)

In June 2020, Colorado became the third U.S. state to pass a privacy law. The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to California's two privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), as well as Virginia's recently passed Consumer Data Protection Act (CDPA). It even borrows some terms and ideas from the EU's General Data Protection Regulation (GDPR).

While there are similarities, such as some form of a right to opt-out, special protections for sensitive data and the adoption of some privacy-by-design principles, the significant differences are in the details.

The CPA applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data. 


The law lists five rights granted to Colorado residents once the law becomes effective. They are: 

  • The right to opt-out of targeted ads, the sale of their personal data or being profiled. 
  • The right to access the data a company has collected about them. 
  • The right to correct data that's been collected about them. 
  • The right to request the data collected about them is deleted. 
  • The right to data portability (that is, the right to take your data and move it to another company). 

There are 17 blanket exemptions within the law. Data exemptions include:
  • If the data was collected for Colorado health insurance law purposes. 
  • If the entity collecting the data or the data collected is already covered by certain sectoral laws, including COPPA or the Family Educational Rights and Privacy Act (FERPA). 
  • If the data has been de-identified or pseudonymized. 
  • If the data is being maintained and used by a consumer reporting agency. 
  • If the data is being used for employment records purposes. 

New York SHIELD Act

In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law amends New York's existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. As of March 2020, the law is fully enforceable.

This law broadened the scope of consumer privacy and provides better protection for New York residents from data breaches of their personal information. It requires employers in possession of New York residents' private information to "develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information."

The state Attorney General has already settled with one organization for $600,000 for failing to meet minimum standards, a failure that led to a security breach and a leak of personal information.

Utah Consumer Privacy Act

In March 2022, Utah became the fourth state to enact a comprehensive consumer privacy law, which will take effect December 31, 2023. The Utah Consumer Privacy Act (UCPA) draws from both the Virginia Consumer Data Protection Act and the Colorado Privacy Act, as well as their California predecessors.

The law applies to both data controllers and processors, and specifically to those that generate over $25 million in annual revenue and either:

  • Control or process personal data for over 100,000 consumers yearly, or
  • Derive over 50% of the entity's gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Similar to the statutes in Colorado and Virginia, there are exemptions for personal data collected; however, the UCPA's exemptions are broader and apply at both the entity and the data level.

The law does not apply to a governmental entity or third party acting on behalf of a governmental entity, tribes, institutions of higher education, nonprofit corporations, a covered entity, a business associate, information that meets the definition of protected health information for purposes of HIPAA and related regulations, and Protection of Human Subjects laws.

Financial institutions governed by the Gramm-Leach-Bliley Act and information in the Fair Credit Reporting Act also aren’t subject to the UCPA. Data processed or maintained in the course of employment also is exempt.

Consumers have the right to:

  • Confirm whether a controller is processing their personal data and access or delete personal data provided.
  • Obtain a copy of their personal data.
  • Opt out of processing of personal data for the purpose of targeted advertising or for sale.

In contrast to the VCDPA and CPA, the UCPA does not include the right to opt out of profiling, nor does it codify the right to correct inaccuracies in their data.

Connecticut’s Data Privacy Law

The fifth and most recent state to adopt a comprehensive consumer privacy law is Connecticut. Senate Bill 6, or “An Act Concerning Personal Data Privacy and Online Monitoring” (CTDPA) goes into effect July 1, 2023.

The law also draws from Virginia's and Colorado's statutes, with few departures. It applies to those who, during the preceding calendar year:

  • Controlled or processed the personal data of not less than 100,000 Connecticut residents, excluding residents whose personal data is controlled or processed solely for the purpose of completing a payment transaction; or
  • Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

The law is the first to specify that payment transaction data is not subject to it, a carve-out aimed at small businesses that process information only to complete a transaction, such as restaurants. Consumers can opt out of the processing of their data for targeted ads and for sale, as well as for profiling.

The state allows a 60-day period to remedy violations through December 31, 2024.

Other state-level data privacy laws

California, New York, Virginia and Colorado are the first states to enact broad legislation that create national impact, but many other U.S. states are also considering data privacy laws.

As of May 2022, legislation is in committee in Alaska, Louisiana, Massachusetts, Michigan, North Carolina, New Jersey, New York, Ohio, Pennsylvania, Rhode Island and Vermont.

Europe

The EU General Data Protection Regulation remains the law of the land, but there are a number of proposals to be aware of in 2022. Here's a refresher on the GDPR and a list of the other proposals you should track if your organization cares about data privacy.

The General Data Protection Regulation (GDPR)

The most important data protection legislation enacted to date is the General Data Protection Regulation (GDPR). It governs the collection, use, transmission, and security of data collected from residents of any of the 28 member countries of the European Union. The law applies to all EU residents, regardless of the location of the entity that collects the personal data. Fines of up to €20 million or 4% of total global turnover may be imposed on organizations that fail to comply with the GDPR. Some important requirements of the GDPR include:

Consent

Data subjects must be allowed to give explicit, unambiguous consent before the collection of personal data. Personal data includes information collected through the use of cookies. Some information not usually considered "personal information" in the United States, such as the user's computer IP address, is considered to be "personal data" according to the GDPR.

Data Breach Notification

In most cases, organizations are required to notify supervisory authorities and data subjects within 72 hours of a data breach affecting users' personal information.

Data Subjects' Rights

Data subjects (people whose data is collected and processed) have certain rights regarding their personal information. These rights should be communicated to data subjects in a clear, easy-to-access privacy policy on the organization's website.

  1. The right to be informed. Data subjects must be informed about the collection and use of their personal data when the data is obtained. 
  2. The right to access their data. A data subject can request a copy of their personal data via a data subject request. Data controllers must explain the means of collection, what's being processed, and with whom it is shared.
  3. The right of rectification. If a data subject's data is inaccurate or incomplete, they have the right to ask you to rectify it. 
  4. The right of erasure. Data subjects have the right to request the erasure of personal data related to them on certain grounds within 30 days. 
  5. The right to restrict processing. Data subjects have the right to request the restriction or suppression of their personal data (though you can still store it).
  6. The right to data portability. Data subjects can have their data transferred from one electronic system to another at any time safely and securely without disrupting its usability. 
  7. The right to object. Data subjects can object to how their information is used for marketing, sales, or non-service-related purposes. The right to object does not apply where legal or official authority is carried out, a task is carried out for public interest, or when the organization needs to process data to provide you with a service for which you signed up.


EU proposals to watch in 2022

Digital Services Act (DSA) 

The European Commission aims to upgrade its rules on digital services in the EU. It is doing this through two proposed laws that together form a single set of rules across the EU: the Digital Services Act and the Digital Markets Act. Together, they aim to protect users and establish a "level playing field to foster innovation, growth and competitiveness." The new regulation addresses illegal and harmful content by getting platforms such as Google and Meta to rapidly remove such content. The primary principle is "what is illegal offline must be illegal online," the Council of the EU notes.

It applies to very large online platforms (VLOPs) and very large online search engines (VLOSEs). Services with more than 45 million monthly active users in the EU fall into this category.


Think of anything delivered via the internet when you think of digital services. That could be a music streaming service or an e-book or a website. 

The Digital Services Act would cover:  

  • Intermediary services (Internet access providers, etc.) 
  • Hosting services 
  • Online platforms 

Its obligations vary depending on an organization’s size, but they can include monitoring of third-party vendors, external risk auditing and codes of conduct. 

A provisional political agreement was reached between the Council of the EU and the European Parliament in March 2022. As a next step, the act is now subject to approval by the Permanent Representatives Committee. If approved, it will go through the adoption procedure.

The Digital Markets Act 

The Digital Markets Act (DMA) would cover the largest digital platforms, known as “gatekeepers,” under the proposal. Think companies like Facebook, Apple, Microsoft and Google. It aims to level the playing field for digital companies of all sizes. It would create rules for major internet platforms that would prevent them from imposing “unfair conditions on businesses and consumers.” For example, a company like Amazon wouldn’t be allowed to rank products on its site in a way that gives Amazon’s own products and services an advantage. 

It would also give the European Commissioner the power to carry out investigations and sanction bad behavior and update the law’s obligations as needed. 

In March 2022, the European Parliament and Council agreed to new rules in the DMA. According to the European Parliament, “after the legal text is finalized at technical level and checked by lawyer-linguists, it will need to be approved by both Parliament and Council. Once this process is completed, it will come into force 20 days after its publication in the EU Official Journal and the rules will apply six months after.”

E-Privacy Regulation 

The e-Privacy Regulation (ePR) has been a long time coming. It aimed to come into force alongside the EU’s General Data Protection Regulation in 2018 but has stalled for years. In March 2022, the EU Council agreed on a draft, but regulation isn’t expected until at least 2023.

The e-Privacy Regulation, if passed, would create privacy rules for traditional electronic communications services and entities that weren’t covered by the former law, the e-Privacy Directive, such as WhatsApp, Facebook Messenger, and Skype. 

It would create stronger rules on the privacy of electronic communications, and it would apply not only to the content of communications but also to "metadata," that is, data that describes other data. Under ePrivacy, service providers and electronic communications networks would have to get prior consent from the user before processing their electronic communications metadata.

It would also, importantly, create simpler rules on cookies. It would allow users to consent to or deny tracking cookies at the browser level, and it would clarify that websites do not need to get consent for what are called "non-privacy intrusive cookies." Those cookies allow website features like "shopping carts" to keep track of what a user has ordered. It would also require that organizations allow end-users to withdraw their previously granted consent at least once per year.

AI Act

The EU's Artificial Intelligence Act would apply to any company doing business in the EU that develops or adopts machine-learning-based software. The Act was introduced last year and is moving through the review process. It would apply extraterritorially, meaning the law would cover companies based elsewhere if they have customers or users inside the EU, effectively making it a global regulation.

The AI Act would ban the following: 

  • Techniques used to manipulate a person’s behavior in a manner that could cause mental or physical harm. 
  • AI systems that could exploit vulnerable groups based on age, physical or mental disability. 
  • AI systems that provide real-time remote biometric data to law enforcement in publicly accessible spaces.

Brazil's General Law for the Protection of Personal Data (LGPD)

Brazil's data protection law (Lei Geral de Proteção de Dados Pessoais in Portuguese, or LGPD) came into effect in 2020. It contains provisions similar to the GDPR and aims to regulate the treatment of personal data of all individuals or natural persons in Brazil. That means, like the GDPR, even if your company isn't based in Brazil, if you process the data of Brazilian residents, it applies to you. 

Companies and groups that do not follow the law's terms and directives may receive a fine of up to 2% of their sales revenue, or as much as 50 million Brazilian reais (approximately $12 million USD).

Consent

Under the LGPD, personal data can be processed either with a data subject's consent or when: 

  • It must be processed to comply with a legal obligation. 
  • It's necessary for the public administration to execute public policies. 
  • It's for research purposes.
  • To protect the life or physical safety of the data subject.

Data breach notification

In the case of a data breach, data controllers must notify the National Data Protection Authority within a "reasonable time" from when the breach occurs if there's a potential for risk or damage to the data subjects involved. 

Data subjects' rights

Rights granted to Brazilian subjects allow them to: 

  • Confirm the existence of treatment (processing) of their data.
  • Access their data.
  • Correct incomplete, inaccurate or outdated data. 
  • Take their data to another service provider or product (data portability).
  • Delete their data. 
  • Have knowledge of any public and private entities with whom the controller has shared their data.
  • Receive information on what happens if they do not provide consent to the processing of their data. 
  • Revoke consent to the processing of their data. 

These rights are similar to those granted under the GDPR. 

Importance of data privacy policies 

No matter their size, all companies with an online presence should have a privacy policy that explains to their users what information is collected, how it is used, how it may be shared, and how it is secured. In order to be fully compliant with U.S. and EU data protection laws, all data subjects should have the opportunity to consent to the collection of personal information.

While much information about users is voluntarily provided when they sign up for newsletters, complete forms, or send email requests, information gathered from third parties and through the use of cookies should also be disclosed, and users should be given the opportunity to consent to, block, or disable cookies.

In the modern age, where people are required to provide personal information for everything from making an online purchase to receiving healthcare, businesses and entities are obligated to protect the information with which they’ve been trusted and to use it only for the purpose specified.

If you need help wading through data privacy laws and maintaining compliance — even as laws rapidly change — Osano can help. We know actively managing data privacy can be a burden, but we aim to take the stress out of the process with tools to instantly make your website compliant, intelligently block unsanctioned third-party cookies and monitor risks.


About The Author · Osano Staff

The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”