For a while, privacy in Q2 was looking like it would follow the season’s idiomatic rule: in like a lion, out like a lamb. But it came roaring back in June with a new U.S. state law, EU adequacy decisions, a new EU data transfer mechanism, and more. As we look back over the second quarter of 2021, several important developments are worth noting.

U.S. State Privacy

Overall, the short legislative season proved to be as much an obstacle to passing comprehensive privacy laws as the private right of action has been. By the end of the second quarter, with a total of 26 states having introduced comprehensive privacy bills since the start of 2021, only Colorado and Virginia crossed the finish line by the end of their legislative calendar. Massachusetts, New Jersey, and Pennsylvania remained in session with privacy bills on the agenda.

Much as Virginia did last quarter, Colorado stole the show this quarter as legislators worked quietly and diligently to become the third state in the U.S. to pass comprehensive privacy legislation. Drawing from laws in California and Virginia, and generally seen as striking a balance between consumer privacy and enabling business, the Colorado Privacy Act positions itself as an example for other states to follow.

Signed into law by Gov. Jared Polis, the CPA provides consumers with what have come to be seen as the standard data subject rights in the U.S. — access, rectification, deletion, and portability. Similar to California and Nevada, it provides the ability for consumers to opt-out of the sale of personal information and, like Virginia, includes an opt-out option for targeted advertising and profiling.   

The CPA will take effect July 1, 2023. Enforcement of the CPA rests with the Attorney General’s Office, which has also been tasked with creating clarifying regulations. The bill does not include the private right of action (Read more...)