2022: U.S. Privacy Chaos, Continued?

Marisa Polowitz

Associate Editor

Loyola University Chicago School of Law, JD 2023

Conversation surrounding the hodgepodge of state data privacy legislation in the U.S. has long been a subject of frustration within the U.S. and abroad. 2021 saw a drastic uptick in awareness and a need for meaningful comprehensive consumer privacy laws. With both data privacy and cybersecurity repeatedly making front page news over the last year, and even becoming high priority within the Biden Administration, it has become one of the few issues on which people across the political spectrum can agree. But will 2022 be the year that comprehensive federal privacy legislation becomes a reality? Don’t count on it.

Global, but not national, privacy activity in 2021

Internationally, 2021 was a banner year for privacy laws. Multiple countries passed new privacy laws, including major global players China and Brazil, whose newly minted laws were modeled closely after the EU’s General Data Protection Regulation (GDPR). Meanwhile, updates to GDPR placed more stringent regulations over the transfer of personal information from within the EU to external countries. As more privacy laws come into effect, global organizations face increasingly complex compliance requirements.

Despite wide-spread agreement on the importance of, and need for, national consumer data privacy protections, along with urging from major organizations, Congress is not fully in agreement on how to move forward. Although there has been an increase in the prevalence of conversations surrounding privacy concerns even at the federal level, the U.S. remains a vacuum for comprehensive privacy legislation and states are rushing to fill the void. With attention expended on mid-term elections and COVID-19, the space left for additional considerations within the arena of technological regulations is predominantly reserved for the enhancement of cybersecurity-related regulations and initiatives. The unprecedented level of ransomware attacks in 2021 pushed security breaches front and center in the news last year, in turn gaining much-needed attention amongst federal lawmakers. That trend seems to be continuing into 2022, as the Biden Administration continues to focus on bolstering cybersecurity infrastructure for both the public and private sectors.

The state-by-state legislative landscape continues its descent into a chaotic and complicated privacy obstacle course, with over a dozen states proposing new consumer privacy legislation since January 1, 2022. The difference amongst these privacy laws has created a complex and confusing landscape for businesses, consumers, and attorneys alike.

While many other states are working to get their first consumer privacy legislation passed, Indiana became the first state to pass a consumer privacy bill in 2022. Of those with pre-existing legislation, California and Virginia are already in the process of refining and expanding the laws on their books, even if those aren’t slated to go into effect within this year. California, the first U.S. state to pass comprehensive consumer privacy protections, has added to the California Consumer Privacy Act (CCPA). The California Privacy Rights Act (CPRA), while not enforceable until 2023, requires final regulations be completed by later this year. Virginia, which passed the Virginia Consumer Data Protection Act (VCDPA) in 2021, already has eight amending bills under consideration. The VCDPA isn’t even slated for implementation until January of 2023.

What might 2022 hold?

The likelihood is that privacy in 2022 looks a lot like a more robust 2021, with more states (but not the federal government) proposing and passing consumer privacy legislation. At the federal level, more specialized bills have been proposed in specific arenas – targeted advertising, biometric privacy, and children’s online privacy are a few of the areas that seem to be gaining Congressional attention. The Federal Trade Commission (FTC) announced the initiation of its rulemaking process pertaining to privacy and artificial intelligence in December of 2021, expected in February of this year. The FTC may be able to deliver some meaningful federal privacy rules, but that won’t necessarily sate the demands on Congress to enact unified, transparent, and bipartisan privacy legislation for consumers and businesses nation-wide.

Concerns that the FTC may create more restrictive privacy regulations than what would be seen coming out of Congress have been voiced throughout this process. While the rulemaking process moves slowly, Congress may still have time to act. Questions remain as to whether federal agencies are the right outlets to lead this charge, or if a future administration’s policy priorities could create chaos anew by withdrawing or revising whatever rule results from this current process. Furthermore, it remains to be seen if FTC rules will serve to ameliorate the disjointed privacy landscape, or if they will add more confusion to existing complexities.

Halfway into the second month of the new year, it appears that 2022 may not be “the one” for those desperately hoping for more cohesion across the privacy landscape — maybe 2023 will be their year?