"What are the states going to do on privacy this legislative session?!" said my panicked inside voice.
If I had my druthers, I'd have already been able to tell you what to expect in 2022's legislative sessions. For that, I turned to Keir Lamont, senior policy counsel at the Future of Privacy Forum. He tracks state privacy bills, and he said: Buckle up.
Last year, we saw Virginia and Colorado successfully pass laws, but 27 others had introduced legislation. Lamont expects things only to intensify this year.
"Given that the U.S. is in peril of emerging as the only major economic power in the world without a comprehensive privacy law, state lawmakers have sought to secure privacy rights and protections for their constituents by filling that legislative vacuum."
There are currently 15 states planning to consider legislation in 2022, Husch Blackwell attorneys write in a blog for JD Supra. Lawmakers in Arizona, Connecticut, Florida, Mississippi, Minnesota and Washington told the team they're planning to introduce bills. Plus, eight bills lawmakers introduced last year will carry over to this next legislative session. Those states are Alaska, Massachusetts, New York, North Carolina, Ohio, Oklahoma, South Carolina and Vermont.
(By the way, the group at Husch Blackwell is excellent at tracking state privacy legislation. You may have seen David Stauss on a recent Osano webinar, and I highly recommend following him on Twitter for updates. But I digress.)
While more than a dozen states are planning to consider privacy legislation this year, fewer have introduced "comprehensive" privacy bills, ones like California, Colorado and Virginia passed last year. In some states, privacy provisions slipped into bills that aim to regulate other spaces.
But it's not just the states that have introduced bills that we should watch.
"You have to consider the whole field of states taking up privacy issues for the first time," Lamont said. "It may be these states that end up enacting privacy legislation this year because of unique political circumstances and a desire to push something across the finish line, whereas the states we've seen tackle these bills over the past one, two or three years may be facing political realities on the ground that makes putting it across the finish line very difficult."
It's sage advice, given that last year, Colorado and Virginia surprised all of us. We were so focused on why Washington State couldn't pass a bill (despite trying thrice) that we weren't paying attention. That, plus Virginia and Colorado pushed their bills through quickly, compared to most legislative lifecycles.
Lamont said to expect that the new bills introduced this year may try to regulate some specific behaviors and present additional types of consumer controls.
"That includes when affirmative consent must be obtained from the user to process special categories of data, and the scope and mechanisms for how users can exercise opt-out rights for practices like targeted advertising, high-risk profiling and data sales."
In addition, different states may be more or less likely to charge state attorneys general with much of the responsibility for writing and enforcing any given law's specifics. For example, in California, the state attorney general was charged with effectively filling in the blanks on the California Consumer Privacy Act (and there were many blanks at the time, don't get me started). Lawmakers didn't want to take on the responsibility of the law's details, so the attorney general had wide latitude in determining the actual verbiage through rulemaking. It remains to be seen which states may want to follow a similar route.
Lastly, in states where attorneys general are endorsing a bill, there's a likelihood that bill will pass.
"I would encourage privacy watchers to be on the lookout for support from a state AG." He said it's been helpful to advancing bills in the past, such as in Colorado, where the attorney general supported the privacy legislation put forward. "So I would look for similar dynamics," he said of states that might see success this year.
The states to put on your shortlist, barring a surprise come-from-behind, are: Oklahoma, Washington, Connecticut, New Jersey, Massachusetts, Arizona, Maryland, Mississippi, Minnesota and Florida. We'll keep you posted.
For now, enjoy a round-up of this week's major privacy news, and I'll see you next week! Happy Holidays! I missed ya.
This week's top privacy newsFrench data protection authority fines Google and Facebook
EU laws to watch in 2022
There's no shortage of legal proposals hitting the EU this year. The bills to watch in the upcoming months would impose significant obligations on the organizations they cover. They aim to modernize EU law with technologies that have exploded in the last couple of decades. Here are the ones you should be aware of if your company does business in Europe.
EU official defends Irish data protection commissioner's work
Amid mounting criticism of the Irish data protection commissioner, a top EU official has come to her defense, Politico reports. There have been calls to penalize Commissioner Helen Dixon's office; critics say it has "failed to uphold Europeans' privacy rights," and four members of parliament have written to Commissioner Didier Reynders calling for disciplinary proceedings. But this week, Reynders dismissed the lawmakers' complaints, saying Dixon's office has been correct to move slowly on such complex matters.
New UK privacy commissioner officially takes office
Former New Zealand Privacy Commissioner John Edwards began his term as the U.K.'s new privacy authority this week. Edwards was appointed in August, and he takes over just as former U.K. Information Commissioner Elizabeth Denham was putting some pressure on the adtech industry over its privacy practices on issues like data protection and user consent. Edwards also comes to the position as the U.K. works on proposed reforms such as the Data Protection Act and its Age Appropriate Design Code.
On Jan. 6 anniversary, Wyden joins advocates in calling for federal privacy law
This week, Sen. Ron Wyden, D-Ore., joined thousands of privacy advocates in calling for a federal privacy law, NextGov reports. The advocates marked the first anniversary of the U.S. Capitol attack by sending Congress a petition, signed by 24,000 people, saying Facebook (now called Meta) played a significant role in the attack. "The whole reason it's profitable for Facebook to ignore the blight on its site is because it can harvest vast amounts of personal information without any limits on how it uses or shares that data," Wyden said.
Amazon loses bid to get biometric privacy lawsuit dismissed
Amazon has lost its case to persuade an Illinois federal judge to throw out a lawsuit accusing the company of unlawfully collecting face scans, Reuters reports. Amazon used the scans to conduct COVID-19 "wellness checks" at its fulfillment warehouses, but an Illinois law prevents companies from collecting facial data without consent. The judge says the allegations that Amazon violated the Biometric Information Privacy Act are strong enough for the suit to proceed.
Upcoming webinar: How to build a privacy program
It can be a daunting task to be assigned "privacy" at your organization. Depending on the resources and budget your company is willing to spend, there's not a one-size-fits-all checklist to follow. But there are steps you can take – whether you're an office of one or at a later stage on the privacy maturity spectrum – toward building a sophisticated and agile privacy program. This free webinar features three privacy experts who've built their own programs to give you some concrete strategies and actions items you can take whether you're a beginner or advanced.
Register for Webinar