With 2023 quickly approaching, many are spending this final quarter preparing for the five US state “comprehensive” privacy laws. Some of these contemplate clarifying regulations with technical and operational requirements, and those requirements will impact preparation activities.

Earlier this year we provided steps companies can take to get prepared in the absence of full clarity. The hope was that regulatory clarity would have been issued by now. Since it has not, many find themselves needing to prioritize or reshuffle their plans. As we get closer to January 1, keeping track of status can help. Below we thus summarize the current status of regulations (if any) across the states:

  1. California. California released a first draft of regulations in June of this year (along with an Initial Statement of Reasons). Over 1,000 pages of written comments were submitted during the comment period. On October 17, 2022 the CPPA issued modified proposed regulations and explanations for the changes. The timeline for finalizing these regulations remains unclear. It is important to note that these are still draft and partial regulations. That said, given the complexity of these regulations, companies will need to use them in their evaluation of what steps to take in the coming weeks. This is particularly true for those with “do not sell or share” obligations.
  1. Colorado. Colorado recently published its first draft of proposed regulations. The Office of the Attorney General will hold a public hearing on February 1, 2023. Once the hearing ends, the public can no longer offer comments on the proposed rules unless they are altered in a way that requires the process to begin again. Following the hearing on the proposed rules, the Office has 180 days to file adopted rules with the Secretary of State for publication in the Colorado Register. Adopted rules go into effect twenty days after publication or on such later date as is stated in the rules.
  1. Connecticut. The statute does not appear to confer any express rulemaking authority. However, it does contemplate that a joint standing committee of the General Assembly be convened by September 1, 2022 to study certain matters and issue a report on its findings and recommendations by January 1, 2023. Currently, there is no publicly available update on the status of this committee’s efforts.
  1. Utah. While by statute the Attorney General and Consumer Protection Division are to report on the effectiveness of the enforcement provisions and data protected and not protected by the law, the statute does not appear to confer express rulemaking authority.
  1. Virginia. The statute does not appear to expressly confer any rulemaking authority and none are anticipated to be promulgated. In April 2022, Virginia passed three fairly minor amendments to the law (change on rights to delete, added political organizations to the definition of excluded nonprofits, and repealed the VCDPA consumer privacy fund, remitting payments instead to a preexisting state fund).

Putting it into practice. The time frame and status above should help as companies continue to work on their compliance activities with these US state “comprehensive” laws. The California regulations can be used now, keeping in mind that they are not yet final. Companies striving towards a singular approach and date for compliance will also want to keep in mind Colorado’s draft regulations.