2022 State Privacy Roundup: Momentum Builds, States Define Their Own Paths

2022 marked the year state privacy laws gained unstoppable momentum. This roundup examines new comprehensive privacy statutes, the CPPA's groundbreaking rulemaking, and the expanding patchwork of state laws reshaping privacy compliance across the United States.

Share
2022 State Privacy Roundup: Momentum Builds, States Define Their Own Paths
ChatGPT modified from - Happy New Year, 1856 To all at home / Repository: California Historical Society

Key Takeaway: 2022 demonstrated that privacy was no longer a niche concern — it had become a core element of consumer protection policy. The proliferation of comprehensive and sector-specific privacy laws signaled a maturing ecosystem in which states, not Congress, defined the rules of engagement for the digital economy. The result was a complex but creative patchwork — one that reflected both innovation and fragmentation.

The Year States Took the Lead

By 2022, state privacy lawmaking had shifted from cautious exploration to steady acceleration. Privacy ceased to be an abstract policy concept and became a practical compliance mandate. According to the National Conference of State Legislatures (NCSL), at least 29 states and Puerto Rico introduced or considered more than 200 consumer privacy bills, expanding the reach and complexity of U.S. data protection frameworks.

With the federal government still unable to pass a comprehensive privacy statute, the states continued to define the nation’s evolving privacy patchwork — each reflecting distinct legislative priorities and approaches to consumer protection.

California continued to serve as the driving force behind state-level privacy developments. Although the California Privacy Rights Act (CPRA) was enacted in 2020, its operational rollout in 2022 proved transformative. That year, the newly created California Privacy Protection Agency (CPPA) — the first agency in the United States dedicated solely to privacy regulation — initiated formal rulemaking to expand consumer protections around automated decision-making, manipulative interface design (“dark patterns”), and workplace and applicant data.

California’s proactive stance not only influenced other states’ privacy efforts but also effectively set a de facto national benchmark for compliance frameworks across industries.

Despite differing legislative frameworks, several unifying principles emerged by 2022:.

Common Elements

  • Consumer Rights: Access, deletion, correction, and portability.
  • Transparency: Clear notices describing data collection, use, and sharing.
  • Opt-Outs: For targeted advertising and the sale of personal data.
  • Data Protection Assessments: Required for high-risk processing in multiple states.

Key Divergences

  • Applicability: Connecticut’s law applied to entities processing data from more than 100,000 consumers, while Utah’s applied to businesses generating over $25 million in annual revenue.
  • Enforcement: All 2022 state laws relied exclusively on Attorney General enforcement; none permitted private lawsuits.
  • Exemptions: Financial, health, and employment data largely remained outside these frameworks, perpetuating fragmented coverage and compliance complexity.

New Comprehensive and Sectoral Privacy Laws: Connecticut and Utah Join the Club

2022 marked a significant year in the expansion of comprehensive consumer data privacy frameworks, with Connecticut and Utah joining California, Colorado, and Virginia as states with full-spectrum privacy laws.

Connecticut’s Data Privacy Act (SB 6) closely mirrored the Colorado and Virginia models, granting consumers the right to access, delete, correct, and port their personal data. It required opt-out options for targeted advertising and profiling and vested exclusive enforcement authority in the state Attorney General.

Utah’s Consumer Privacy Act (SB 227) became the fourth U.S. comprehensive privacy statute, notable for its narrower scope and higher applicability thresholds — applying only to businesses that controlled or processed data from more than 100,000 consumers or derived at least 50% of their revenue from data sales. It provided consumers with core rights — access, deletion, and portability — but did not include a private right of action.

Both laws took effect in 2023, underscoring states’ growing appetite for independent, full-spectrum data protection frameworks.

Beyond these comprehensive statutes, dozens of states debated or enacted sector-specific privacy measures addressing emerging risks and technologies:

  • Biometric Data: Illinois’ Biometric Information Privacy Act (BIPA) continued to inspire similar proposals in Maryland, New York, and Kentucky.
  • Children’s Online Privacy: California advanced new protections through the Age-Appropriate Design Code Act (AB 2273), requiring online services to design products with minors’ best interests in mind.
  • Genetic and Health Data: Washington, Oregon, and California considered bills restricting the collection and retention of health-related and genetic information by private entities.

Together, these developments demonstrated that 2022 was not only a year of broader legislative momentum but also one in which states increasingly addressed privacy challenges through both comprehensive and targeted regulatory approaches.

Other Notable Developments

  • Maine strengthened its broadband privacy law for internet service providers, reinforcing a consent-based approach to consumer data use.
  • New York reintroduced the Digital Fairness Act, focusing on transparency and accountability in algorithmic decision-making.
  • Virginia amended its Consumer Data Protection Act (CDPA) to clarify exemptions and refine enforcement procedures.
  • Washington’s My Health My Data Act gained momentum as a potential template for future health and biometric privacy legislation.

Together, these targeted updates illustrated the continued evolution of state privacy regimes — an expanding web of overlapping yet distinct protections that reflect both experimentation and divergence across jurisdictions.

The 2022 enactments are:

  • Connecticut’s SB 6 establishes a framework for controlling and processing personal data, provides responsibilities and privacy protection standards for data controllers and processors, grants consumers the right to access, correct, delete and obtain a copy of personal data, and opt out of the processing of personal data for the purposes of targeted advertising, certain sales of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.
  • Kentucky HB 502 regulates the collection, use, and disclosure of genetic data, creates a civil cause of action for violations of the prohibitions, to be brought by the Attorney General, states that the Act shall be known as the Genetic Information Privacy Act.
  • Maine HB 669 enacts the Data Collection Protection Act, creates the Maine Data Collection Protection Act, which prohibits data collectors from collecting and aggregating, selling or using specific types of public documents or information from those documents for the purpose of determining a consumer’s eligibility for consumer credit, employment or residential housing.
  • Maryland HB 866 alters the direct-to-consumer or publicly available open-data personal genomics databases that may be used to conduct forensic genetic genealogical DNA analysis and search to require that the databases seek express consent from their service users regarding the substance of a certain notice.
  • Utah’s SB 227 enacts the Utah Consumer Privacy Act, provides consumers the right to access and delete certain personal data maintained by certain businesses and opt out of the collection and use of personal data for certain purposes, requires certain businesses that control and process consumers personal data to take specified actions, including safeguarding consumers personal data and providing clear information to consumers regarding how the consumers personal data are used.
  • Virginia HB 381 expands the Virginia Consumer Data Protection Act (VCDPA) by clarifying consumers’ right to request deletion of their personal data and specifying how controllers must comply with such deletion requests.
  • Virginia HB 714 strengthens the enforcement framework of the VCDPA by establishing a Consumer Privacy Fund to receive civil penalties and settlement proceeds from enforcement actions, supporting ongoing privacy protection efforts.
  • Virginia SB 534 enhances the VCDPA’s enforcement provisions, creating the Consumer Privacy Fund, and detailing how funds collected through enforcement will be used to administer and promote consumer data protection.
  • Wyoming HB 86 prohibits the collection, retention, or disclosure of genetic data without proper consent, establishes exceptions for certain uses, defines key terms, and authorizes the Attorney General to pursue civil actions for violations.

Resources

NCSL Consumer Privacy Legislation 2022 Report

-Draft CPPA Regulations Puts Some Heat on Data Brokers