As of March 22, 11 states have wrapped up their 2022 legislative sessions. In these early sessions, privacy legislation was considered in seven of the 11 states that have completed their 2022 sessions, namely Florida, Washington, Indiana, Virginia (amendments to enacted regime), West Virginia, Wisconsin, and Utah. Privacy bills passed out of at least one house in Utah, Florida, Indiana, and Wisconsin. While these signs of potential momentum are noteworthy, the final outcome of these early sessions has largely mirrored the results of last year’s legislative session.

In 2022, we already have seen legislative efforts fail in states that many believed were poised to adopt privacy legislation in the near term. This includes Florida and Washington where privacy legislation failed once again. Furthermore, as was the case in 2021, somewhat business-friendly privacy legislation advanced in unexpected jurisdictions. The most noteworthy example of this is Utah where both houses passed the Utah Consumer Privacy Act (UCPA) earlier this month. This article provides a brief overview of these efforts.

Passed Legislation

Utah Consumer Privacy Act (UCPA) – SB 227

On March 2, the Utah House of Representatives passed the UCPA with a 71-4 vote. The following day the Senate adopted the House version of this legislation with a 25-4 vote. Governor Cox has a 20-day period (which ends on March 24) during which he can sign this legislation, and the general consensus is that he will. Troutman will keep you updated on this front.

UCPA is set to go into effect December 31, 2023, and its substantive requirements closely mirror those found in the Virginia Consumer Data Protection Act (VCDPA). As a general matter, the UCPA’s unique provisions make this law less stringent than the VCDPA. For instance, unlike the VCDPA, the UCPA does not provide consumers the right to correction, and consumers do not have the right to appeal in instances where a data subject request is denied. For more information about this law, click here.

Amendments to VCDPA

Multiple sets of amendments to the VCDPA were passed during this year’s legislative session. The first set of amendments (SB 393 and HB 381) establishes a new exception to the VCDPA’s right to delete, which applies in instances where personal data is collected from a source other than the consumer. Under this new exception, data may be considered deleted in instances where (1) a minimal record of the deletion request is retained for the exclusive purpose of ensuring the consumer’s data is/remains erased, or (2) the consumer is opted out of all nonexempt data processing activities (e.g., targeted advertising and sales).

The second set of amendments (SB 534 and HB 714) eliminates the VCDPA’s “Consumer Privacy Fund” and diverts all funds collected under this law to the state treasury’s Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. These amendments also redefine “nonprofit organizations” to include tax exempt political organizations. All of the aforementioned VCDPA amendments are currently awaiting Governor Youngkin’s signature.

Failed Legislation

Florida – HB 9

After nearly passing a privacy law in 2021, many speculated that Florida would pass privacy legislation in 2022. This year, most of the momentum related to HB 9, which included many concepts from other state laws, but also differed in numerous important ways. Notably, HB 9 included a private right of action, which over the course of the legislative session was amended to be less burdensome. The last version of this bill applied this private right of action using a tiered approach under which only companies with more than $50 million in annual revenue could be sued. This bill passed the Florida House of Representatives by a 103-8 vote on March 2, but subsequently stalled out in the Senate Judiciary Committee. HB 9 was officially “indefinitely postponed and withdrawn from consideration” on March 12.

Washington – SB 5062 and HB 1850

After failed attempts in 2020 and 2021, Washington was viewed as another state where the adoption of privacy legislation was thought to be probable. On February 24, the Washington Privacy Act (WPA) was moved to the Rules White Sheet. There was no movement on the bill since February 24, and on March 10, the regular Washington legislative session ended. The WPA would have established data subject rights, such as the right to access, correct, delete, transfer, and certain opt-out rights. Notably, this legislation would not have provided for a private right of action or a commission to enforce the WPA. Penalties for violations included fines of up to $7,500 per violation.

During this year’s session, Washington HB 1850 was the main privacy bill under consideration in Washington’s House of Representatives. This legislation also included a private right of action and was known as the Foundational Data Privacy Act (WFDPA). While this bill successfully passed the House Appropriations Committee on February 28, the legislation did not advance any further, ultimately meeting the same fate as the WPA on March 10.

Wisconsin – AB 957

On February 23, the Wisconsin House passed Assembly Bill 957 (AB 957), This legislation was virtually identical to the VCDPA, and included a January 1, 2024 effective date. The House vote on this legislation followed party lines, with Republicans voting in the affirmative. AB 957 stalled in the Senate, and officially failed on March 10 when the 2022 legislative session ended. For more information on this bill, click here.

Indiana – SB 358

On February 1, Indiana’s State Senate voted unanimously in favor of Senate Bill 358. This legislation closely mirrored the Virginia Consumer Data Protection Act and would have taken effect on January 1, 2025. While early versions of this legislation included a private right of action, the final version adopted by the Senate did not. On February 17, this legislation advanced out of the House committee, but was not considered by the full House before the Indiana’s legislative session ended on March 8.

West Virginia – HB 4454

West Virginia’s bill was focused solely on creating limited data subject rights and was not closely based on any existing state law. Specifically, this legislation would have provided consumers with the right to limit the sale and sharing of their personal information, as well as the right to not be retaliated against for exercising this right. This legislation remained stalled in the House Judiciary Committee for the duration of the legislation session, which ended on March 12.

Looking Forward

While the final results of this year’s session remain unclear, last year’s trends of (1) bills failing due to private rights of action and (2) less stringent legislation passing quickly in states that have not previously focused on privacy legislation seem to have carried over into the 2022 session. Currently privacy laws are being considered in a significant majority of the states with active sessions. This includes Iowa’s HF 2506, which is based on the UCPA and has already passed through Iowa’s House of Representatives. We will continue to monitor these laws and will provide further updates on major developments.