Keypoint: Lawmakers introduced new bills in Florida, Washington, Indiana and the District of Columbia.

The list of jurisdictions considering consumer data privacy bills in 2022 continues to grow with lawmakers introducing new bills in Florida, Washington, Indiana, and the District of Columbia.

In Florida, Senator Jennifer Bradley filed the Florida Privacy Protection Act (SB 1864) on January 7, 2022. Senator Bradley sponsored SB 1734 last year. It is expected that Representative McFarland will introduce a bill in the Florida House in the coming days.

Which States Will Consider CCPA-Like Consumer Privacy Bills in 2022?Keypoint: At least fifteen state legislatures are poised to consider CCPA-like consumer privacy legislation in 2022 with lawmakers in Arizona, Connecticut, Florida, Minnesota, Mississippi, and Washington confirming they will be introducing bills, a bill already being pre-filed in Maryland, and eight states with bills that will carry over from the 2021 session.

The continuing emergence of proposed state privacy laws will be a dominant story for privacy professionals in 2022.

In 2021, lawmakers in twenty-seven states proposed CCPA-like privacy legislation. We tracked these bills through our weekly updates, State Privacy Law Tracker, and Legislating Data Privacy podcast series.

This year, we contacted lawmakers who proposed bills in 2021 and asked them to share their plans for 2022. We received many responses, which we chronicle below along with updates on bills that we have been tracking over the summer and fall. Of particular note, Representatives Shelley Kloba (Washington), Steve Elkins (Minnesota), and Collin Walke (Oklahoma) provided extensive comments on their 2022 proposals.

Keypoint: As we break for the holidays, we wanted to wish you and your families happiness and health, and leave you with an attempt at some privacy holiday humor. We look forward to bringing you more privacy news and analysis in 2022.

A Privacy Christmas Story

‘Twas the night before Christmas as I toiled away,

Counting the minutes until Christmas day,

When all of a sudden from out of the blue,

I received a meeting invite from Santa that’s who,

You see Santa’s been watching as all over the globe,

Countries (except the US) have enacted privacy codes,

Santa, he said, would like to comply,

So he asked if I could give it a try,

[After clearing conflicts, receiving a retainer and entering into an engagement letter …..]

Keypoint: Advertising platform settles with the FTC over allegations that it collected location data without consent and collected information from child-directed apps without notice or parental consent in violation of the FTC Act and COPPA.

Online advertising exchange platform, OpenX Technologies, Inc., has been ordered to pay $2 million of a $7.5 million judgment to settle Federal Trade Commission allegations that it misrepresented its data collection, use, and disclosure practices as it concerns personal information collected from children and location information collected from consumers who had not granted or had denied requisite location permissions.

Keypoint: The EDPB takes the position that geographical boundaries – and not GDPR’s jurisdictional reach – govern the restricted transfer determination.

On November 19, 2021, the European Data Protection Board (EDPB) published draft guidelines on the interplay between the application of GDPR Article 3 and its provisions on international transfers in Chapter V.

The draft guidelines answer the question of whether a transfer of personal data occurs when the data leaves GDPR’s jurisdictional scope or when it leaves the European Union’s geographic scope. The draft guidelines also provide three criteria and a number of illustrative examples to guide controllers and processors to identify restricted transfers.

Restricted transfers are of heightened focus in light of the Court of Justice of the European Union’s decision in Schrems II, the European Commission’s issuance of new standard contractual clauses, and the EDPB’s recommendations on supplementary measures for cross-border data transfers. The guidelines – once finalized – will provide entities with further guidance on how to navigate this complex legal issue.

The draft guidelines will be open to public comment until the end of January.

Below is a summary.

In the ninth episode of our Legislating Data Privacy series, we continue our conversation with Colorado Senator Robert Rodriguez.

In July 2021, Colorado became the third state to pass broad consumer privacy legislation – the Colorado Privacy Act. Senator Rodriguez was the primary architect of the bill and spearheaded its passage.

In this two-part

In the eighth episode of our Legislating Data Privacy series, we talk with Colorado Senator Robert Rodriguez.

In July 2021, Colorado became the third state to pass broad consumer privacy legislation – the Colorado Privacy Act. Senator Rodriguez was the primary architect of the bill and spearheaded its passage.

In this two-part conversation, Senator

Keypoint: The VCDPA Work Group’s final report contains 17 “points of emphasis” derived from six Work Group meetings; however, the Work Group’s recommendations for modifying the VCDPA will not be presented until the legislature opens in January 2022.

On November 1, 2021, the Virginia Consumer Data Protection Work Group issued its 2021 Final Report. By way of background, § 59.1-581.2 of the Virginia Consumer Data Protection Act (VCDPA) required the Chairman of the Joint Commission on Technology and Science to create a work group to “review the provisions of [the VCDPA] and issues related to its implementation.” The Chairman was required to “submit the work group’s findings, best practices, and recommendations regarding the implementation of [the VCDPA] to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.”

The Work Group met six times from June to August 2021. A summary of those meetings is contained in the Final Report and copies of materials relating to those meetings are available on the Joint Commission’s webpage.

Ultimately, the Work Group identified 17 “points of emphasis” from its six meetings but stated that the Work Group’s “recommendations based on these points of emphasis” would be presented by Delegate Hayes and Senator Marsden (the VCDPA’s sponsors) during the upcoming legislative session.

Below is a summary of the points of emphasis along with some analysis. For ease of reference, we have grouped the points of emphasis into seven categories.

What U.S. Companies Need to Know about China’s New Privacy LawKeypoint: China’s Personal Information Protection Law is a complicated regulatory regime that will require U.S. entities subject to its requirements to undertake substantial compliance efforts.

Effective November 1, 2021, China will become the latest country to enact a national data privacy law akin to Europe’s General Data Protection Regulation (GDPR). The new law – entitled the Personal Information Protection Law of the People’s Republic of China or “PIPL” – will require foreign companies, including U.S. companies, operating in China (and in some cases, operating purely outside of China) to undertake new compliance efforts.

To facilitate that process, below is a general discussion of PIPL and some of its more notable provisions. For reference, PIPL has been translated into English by DigiChina, which has a wealth of resources available on its website for those interested in further reading on this new law.

CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking ProcessKeypoint: The California Privacy Protection Agency initiates preliminary rulemaking activities under the California Privacy Rights Act.

On Wednesday, September 22, 2021, the California Privacy Protection Agency (Agency) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020.

California voters approved the California Privacy Rights Act (CPRA) in November 2020. The CPRA, which goes into effect on January 1, 2023, significantly revises the California Consumer Privacy Act (CCPA).