Skip to main content

Celebrating National Data Privacy Day by Noting Recent Developments in the Law

Kelly Ruane Melchiondo
Blog ImageToday (January 28, 2022), is National Data Privacy Day.  While not a day of celebration with cards or gifts, the day does provide an opportunity to check in on the developments in consumer data privacy across the United States.  What can we safely expect to see by the time National Data Privacy Day rolls around in 2023? The short answer is, “plenty.”

Companies that do business in or -collect data from residents of Colorado and Virginia- should spend 2022 ensuring that their data privacy internal controls comply with those states’ new data privacy laws.  

The Virginia Consumer Data Protection Act ("VDCPA”), which passed in March 2021, will go into effect on January 1, 2023.  Colorado’s Privacy Act (the “CPA”) will take effect on July 1, 2023.  Both the VDCPA and the CPA, like the California Consumer Privacy Act and Europe’s General Data Protection Regulation, afford consumers substantial protection and control over their data.  Companies subject to the VDCPA and CPA must provide consumers with the right to submit requests to access, correct, or delete data and personal information.  Both the VDCPA and CPA also permit consumers to opt out of targeted advertising, sale of personal data and “profiling” that would enable businesses to determine whether to provide or deny consumers financial, education, housing, insurance, health care, or access to basic necessities.  

Neither the VDCPA nor the CPA affords consumers with a private right of action. Enforcement of these statutes falls directly under the purview of states’ Attorneys General or District Attorneys.
Speaking of private rights of action, all eyes are on Florida’s legislature as dueling data privacy bills make their way through Florida House and Senate committees (House Bill 9 and Senate Bill 1864, respectively).  Like California, Virginia and Colorado, each proposed Florida law would afford consumers the right to access, correct and delete data.  Florida House Bill 9 would also require companies to delete any personal information three years after the consumer’s last interaction with the company, or after the company fulfilled the initial purpose for which it collected the consumer’s data.  House Bill 9 is arguably the more aggressive of the two proposed bills, and includes a private right of action against businesses for violations.  If passed, it would be the first data privacy law in the United States to create a private right of action for violation of the law’s privacy provisions. 

Finally, 2022 could be eventful for federal data privacy.  

Effective January 10, 2022, the FTC’s final rule amending the Graham-Leach-Blilely Act’s (“GLBA”) “Safeguard Rule” went into effect.  Financial institutions subject to the GLBA must perform risk assessments, in writing, and then develop safeguards to address identified risks.  Those safeguards must address “access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.” 

Additionally, in a recent poll from Morning Consult and Politico, 56 percent of registered voters polled said they support federal data privacy legislation. In 2021, Senator Ron Wyden (Oregon-D), introduced the “Mind Your Own Business Act,” Senate Bill 1444, which would require specified commercial entities that operate “high-risk information systems” or “automated-decision systems” to develop opt-out processes for consumers. “High risk” systems are those that raise security or privacy concerns, involve the personal information of a significant number of people, or systematically monitor a large, publicly accessible physical location.  Companies that use those high-risk systems must evaluate the extent to which they protect against the risk of exposing personal information.  Certain companies would have to submit annual reports to the government and their corporate officers would have to certify compliance with FTC regulations. Senator Wyden’s bill has yet to make it out of the Senate Finance Committee, but given the growing public interest in data privacy, 2022 may be the year that federal privacy legislation finally gains traction. 
  
YOU MIGHT ALSO LIKE
Privacy Portal Blog April 30, 2021
The Florida Privacy Protection Act (HB 969) failed to pass in the Florida Legislature earlier today, prior to the adjournment of the legislature for the year. If it had passed, it would have had major implications for Florida's business community. Kelly Ruane Melchiondo explains what was in the fail...
Privacy Portal Blog March 4, 2021
In light of recently proposed legislation, companies doing business in Florida should begin carefully reviewing and, if necessary, revising their policies and procedures regarding the handling and protection of consumer data, including biometric information.
New Miami Blog August 31, 2018
We have previously blogged about the many recent legislative developments in Florida and the Miami area, with a focus on legislation that is designed to facilitate public/private development projects (P3).  Although an increasing number of P3 projects are now in various stages of development, the su...
VIEW MORE