Lawmakers in Alaska, Arizona, Connecticut, the District of Columbia, Florida, Indiana, Kentucky, Maryland, Mississippi, New Jersey, Pennsylvania, Vermont, and Washington have introduced new bills or confirmed that they will be doing so.

In Arizona, Representative Domingo DeGrazia — author of HB 2865¹ in 2021 — reported that he will be filing at least one privacy bill in 2022.

Connecticut Senator James Maroney introduced SB 893² in 2021. After the bill did not pass, Senator Maroney convened a privacy working group comprised of various stakeholders to prepare the bill for the 2022 legislative session.

The working group has met monthly since September and considered various topics, including exceptions, Attorney General rulemaking authority, a right to cure and whether it should sunset, and whether to add a global privacy control (GPC) signal requirement. It is expected that an updated bill will be introduced when Connecticut's legislature opens in February.

In the District of Columbia, Council Chairman Phil Mendelson introduced B24-0451³ in October at the request of the Uniform Law Commission (ULC). The bill is based on the Uniform Personal Data Protection Act drafted by the ULC.

Florida was on the cusp of passing legislation last year but could not reach agreement on all issues before the session closed. Senator Jennifer Bradley pre-filed the Florida Privacy Protection Act (SB 1864)⁴ in early January, and Representative Fiona McFarland filed HB 9⁵ on January 11, 2022.

In Indiana, Representative Carey Hamilton pre-filed HB 1261.⁶ The bill appears to borrow concepts from both the California Privacy Rights Act and Colorado/Virginia models. Meanwhile, Senator Liz Brown introduced SB 358⁷ on January 12, 2022.

In Kentucky, Senator Whitney Westerfield introduced SB 15⁸ on January 13, 2022.

In Maryland, Senator Susan Lee — sponsor of SB 930⁹ in 2021 — pre-filed the Maryland Online Consumer Protection and Child Safety Act (SB 11)¹⁰ in October.

Last year, the Minnesota legislature considered HF 1492,¹¹ sponsored by Representative Steve Elkins. Representative Elkins' office provided us with the following update on the status of the bill for the 2022 session:

This bill, as introduced, is a veritable clone of the original 2021 version of the Washington Privacy Act (SB5062). It was first heard in a between-sessions "informational hearing" in the House Commerce Committee on Sept 27, 2021. Maintaining a basic level of consistency with the WA/VA/CO framework is one of the author's priorities; however, Rep Elkins has been actively soliciting feedback from a broad array of stakeholders which will be reflected in amendments which are currently being drafted.

Rep. Elkins is an IT Information Architect with 25 years of experience in data management, so look for new language incorporating "Privacy by Design" principles (e.g., data minimization, retention, encryption, de-identification/pseudonymization, etc.) into the section on Data Protection Assessments. Additional FCRA-like rights related to "decisions that produce legal effects" from profiling may be added. Data "ownership" may be explicitly addressed. The re-identification of de-identified/anonymized data by parties other than the controller may be expressly prohibited. The need for law enforcement to obtain warrants to procure data may be expressly stated.

As in other states, vigorous discussion on issues such as "private right of action", definition of "sale", "global opt out", "right/ability to cure", and integration with existing federal and state laws should be expected as the bill goes through the committee process. The bill must be heard in the Commerce and Judiciary and Civil Law committees in both chambers. The Minnesota legislature re-convenes on January 31, 2022 and must adjourn by May 23, 2022.

Mississippi Representative Angela Turner-Ford confirmed she intends to re-introduce the Mississippi Consumer Data Privacy Act (SB 2612)¹² in 2022.

New Jersey lawmakers filed three bills in January: S332,¹³ A505,¹⁴ and A1971.¹⁵

Finally, lawmakers in Alaska (HB 222),¹⁶ Pennsylvania (HB 2202),¹⁷ and Vermont (H.570),¹⁸ introduced new bills in addition to the carry over bills discussed below. The status in Washington is discussed below.

The following states saw bills proposed in 2021 that will carry over to the 2022 legislative session: Alaska (HB 159¹⁹ / SB 116²⁰), Massachusetts (H.136,²¹ H.142²² and S.46²³), New York (S 6701²⁴ / A 680²⁵), North Carolina (SB 569),²⁶ Ohio (HB 376),²⁷ Oklahoma (HB 1602),²⁸ Pennsylvania (HB 1126),²⁹ South Carolina (H3063),³⁰ Tennessee (HB 1197),³¹ Vermont (H.160),³² and Washington (HB 1433³³ and SB 5062³⁴).

Oklahoma Representative Collin Walke provided us with the following update on HB 1602:

The Oklahoma Computer Data Privacy Act, HB1602, passed the House 85-11 last session and is awaiting a hearing in the Senate Judiciary Committee. The former Chair of the Judiciary Committee would not hear the bill last session, but we are optimistic the new Chair will. If it passes committee, it would then be voted on by the entire Senate. Upon passing the Senate, it would come back to the House for final approval (which should not be an issue).

As it stands, there are no notable changes to HB1602; however, I do anticipate it being amended to accommodate certain exemptions that were not adequately covered in the original draft.

The proposed amendments will help to pass the bill because it will clean up exemption language that exists in other states.

This bill is unique because it is opt-in, not opt-out. Additionally, it includes a "right to be forgotten."

In September, Representative Walke pre-filed a second bill — HB 2969.³⁵

Lawmakers in Washington state will once again have the opportunity to consider privacy legislation. Washington's legislature has considered privacy legislation for a number of years in the form of Senator Reuven Carlyle's Washington Privacy Act (SB 5062),³⁶ which failed to pass for the third time last year. It will carry over to the 2022 session. Senator Carlyle also introduced SB 5813,³⁷ which is narrower in scope and addresses children and adolescent information, data brokers, and opt out signals.

In 2021, Representative Shelley Kloba introduced a competing bill in the House — the People's Privacy Act.³⁸ Representative Kloba provided us with the following update on her bill:

My bill HB 1433, the People's Privacy Act, is undergoing amendment and will be available to be heard in committee once session starts on January 10, 2022.

I have made a few changes to the bill this year, some of which are inspired by Brazil's LGPD, which took effect in May 2021. I added 2 new rights to those previously granted by my bill:

-the right to refuse consent for any processing of an individual's data that is not central to the primary transaction, including transfers of personal information to third parties who are not part of the primary transaction

-the right to revoke consent

I model the scope of the bill after the LGPD. The covered entities include all companies anywhere that collect or process data about residents of WA. Generally speaking, companies should respect your rights uniformly and without respect to company size or location.

Change the effective date and give additional time after that for companies to come into compliance. Further changes expand the definition of PII to include location and biometric data.

Previous bills have not been able to get enough votes to get out of the House, so we must consider other approaches. My bill differs from the industry-written bills brought forward in WA and around the country. The standard these bills are setting is low and only provides the barest privacy basics for consumers. For too long, the American people have accepted that the information about their every action on every connected device will be collected, packaged, analyzed, and turned into a product that is then monetized for corporate gain. Consumers and legislators are realizing that it does not have to be this way. Instead, my bill moves toward privacy by design and responds to the need for more robust protections and appropriate avenues for recourse when the consumer's rights have been violated.

In addition, Washington Representatives Vandana Slatter and April Berg pre-filed the Washington Foundational Data Privacy Act (HB 1850)³⁹ on January 7, 2022. The bill is similar to the Colorado and Virginia laws, but it contains an annual registration requirement, creates the Washington State Consumer Data Privacy Commission (similar to the California Privacy Protection Agency), and contains a private right of action.

It should be noted that a number of these carry over bills saw movement over the past few months. In Massachusetts, the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity held a hearing⁴⁰ on October 13 regarding the Massachusetts bills.

The Alaska House Labor and Commerce Committee held a hearing⁴¹ on December 6 to discuss changes made to the House bill between sessions.

Beginning last September, the Ohio House Government Oversight Committee held four hearings⁴² on the Ohio Personal Privacy Act but has yet to vote on the bill.

Finally, lawmakers offered amended versions of the carry over New York Privacy Act in early January.

Illinois lawmakers proposed two bills in 2021 — HB 3910 (Consumer Privacy Act)⁴³ and HB 2404 (Right to Know Act)⁴⁴. Representative Michelle Mussman — the sponsor of the Consumer Privacy Act — reported that she does not plan to move the legislation forward this session.

Last year, the Utah legislature considered SB 200,⁴⁵ sponsored by Senator Kirk Cullimore and Representative Brady Brammer. Asked to comment on his plans for 2022, Senator Cullimore reported that he has not decided whether to open the bill. The legislative session opened January 18.

The legislatures in Montana, Nevada, North Dakota, and Texas meet every other year and will not be in session in 2022.

1 https://bit.ly/3rt90R9

2 https://bit.ly/3nC3Von

3 https://bit.ly/32b8n5X

4 https://bit.ly/3fCTf4l

5 https://bit.ly/3AcbsiP

6 https://bit.ly/3Ifq3Nk

7 https://bit.ly/3qCQciY

8 https://bit.ly/3AeaC51

9 https://bit.ly/34VwQNz

10 https://bit.ly/3KkrtYH

11 https://bit.ly/3KkrHz1

12 https://bit.ly/3FyrAME

13 https://bit.ly/32b9G4R

14 https://bit.ly/3ro2niS

15 https://bit.ly/3AjcbyQ

16 https://bit.ly/3qCAYdJ

17 https://bit.ly/3tHJRVp

18 https://bit.ly/3AcBXEA

19 https://bit.ly/3527gXr

20 https://bit.ly/3nx5xQj

21 https://bit.ly/3qDnnTs

22 https://bit.ly/3FE0Vy6

23 https://bit.ly/3Ac91g5

24 https://bit.ly/3tDyVIz

25 https://bit.ly/3FEoHdd

26 https://bit.ly/3nEhvrc

27 https://bit.ly/3nCRF78

28 https://bit.ly/3KmV7wd

29 https://bit.ly/3qNiWWB

30 https://bit.ly/3tLsAKS

31 https://bit.ly/3qCrOxU

32 https://bit.ly/3tEzHoI

33 https://bit.ly/3tA4lPW

34 https://bit.ly/3IhPg9G

35 https://bit.ly/3A8wMpv

36 https://bit.ly/3IhPg9G

37 https://bit.ly/3tDBoTl

38 https://bit.ly/3GFZL6t

39 https://bit.ly/3nE0Ns5

40 https://bit.ly/33LV9gk

41 https://bit.ly/3KmFPI1

42 https://bit.ly/3nBwnXB

43 https://bit.ly/3nAUVzM

44 https://bit.ly/3KmRtCH

45 https://bit.ly/3fyWLg3