2022 Outlook: Regulating Emerging Markets from Marijuana to Autonomous Vehicles

Cannabis, autonomous vehicles, the “gig economy,” and data privacy are among issues that state lawmakers will contend with in 2022 and state regulators will grapple with for decades.

While a quarter-century of marijuana legislation and a decade of autonomous vehicle laws have created extensive regulatory trails for these issues, concerns about data privacy and cybersecurity were exacerbated during the pandemic, which also fostered a national — if not global — awareness of the growing importance of the “gig economy.”

So, as lawmakers in 46 state legislatures enter their third sessions with a myriad of agenda items (all influenced by COVID-19), these are among the issues they will be dealing with, often in 46 different ways. Because if there’s one thing these issues have in common is little to no federal regulation and, for the most part, little to no federal appetite to take on a bigger regulatory role.

Dive in:

• Marijuana
• Autonomous Vehicles
• Gig Economy
• Data Privacy

Marijuana

Thirty-six states and the District of Columbia have legalized marijuana for medical purposes, including 18 that have legalized recreational use by adults. Four states legalized recreational marijuana in 2021. 

In South Dakota, where voters approved a law legalizing medical and recreational marijuana beginning in 2021, a lawsuit seeking to throw out the referendum is set to go before the state’s Supreme Court. Cannabis advocates in the state say if the previous voter referendum is rejected by the court, they’ll dust off another and get it approved on the 2022 ballot, joining Arkansas, Missouri, Oklahoma, Ohio, and Wyoming as states where voters could adopt new marijuana laws and regulations by referendum in 2022.

Dave Picar, owner of The Wyoming Group, a government and public affairs firm, said there are two separate citizen-filed initiatives in Wyoming. One seeks to decriminalize marijuana-related offenses and the other to legalize medical marijuana; and both “have a good chance of passing,” he says. “It’s the first time in two decades or so we are likely to see a successful signature-gathering effort.”

Among states that could pass legislation approving recreational marijuana for adult use in 2022 are Delaware, Maryland, Minnesota, and Ohio.

“The first [hot issue in 2022] is marijuana,” said Rhett Ruggerio of Ruggerio Willson & Associates in Dover, Del. “In Delaware, we are behind the times. We’ve gotten way behind Maryland and New Jersey, which sandwiched us from both directions.”

Tim Hill, executive director of US Client Group in St. Paul, Minn., said he expects Minnesota lawmakers to resubmit a 2021 legalization bill that was passed in the state’s House.

“In my conversations with folks outside of the Capitol, this is not really a partisan issue,” Hill said. “A broad array of Minnesotans see that our current laws are not working and that we are long overdue for a transition to a well-regulated legalization of adult-use cannabis for a variety of reasons. We passed this bill in the House with bipartisan support, but unfortunately, the Republican-led Senate refused to take action. I don’t see that going anywhere in the Senate [in 2022 either].”

Connecticut lawmakers legalized recreational marijuana by legislation in 2021 but Ryan Bingham, senior director of government affairs at Sullivan & LeShane in Torrington, Conn., said there will be much regulatory-related cobbling to do in 2022 and beyond.

“The legislature passed recreational cannabis and sports gaming in 2021,” he said. “The 2022 session could include modifications to both of those big pieces of policy. There already have been concerns about the haphazard way both of these bills were passed in ’21.”

But what is happening in the states to a great extent depends on Congress. With 91 percent of U.S. adults of the opinion that marijuana should be legal — 60 percent say for recreational use, 31 percent say for medical use only, according to a Pew Research Center survey — the time is long past for the federal government to address laws that have made marijuana illegal nationally since 1970. These laws have fostered numerous financial, regulatory, and legal challenges to a $14 billion industry that employs 400,000 Americans and is poised for dramatic growth by 2030.

Federal regulators are speaking with their state counterparts and planning for the day when marijuana is not federally prohibited and banking laws are loosened. There are four pending federal bills seeking to do that. They are:

• The Cannabis Administration & Opportunity Act: Introduced in July, the bill seeks to decriminalize marijuana, “deschedule” it as a federally prohibited controlled substance, and recognize state law as operative legislation in regulating.
• The Secure & Fair Enforcement (SAFE) Act of 2021: Passed by the House in April, the bill would protect financial institutions that work with marijuana businesses by prohibiting federal banking regulators from penalizing a depository institution for providing services for a legitimate cannabis-related business. The act would also classify proceeds from cannabis-related business as not being received from unlawful activity, thus removing these proceeds from the umbrella of anti-money laundering legislation. The SAFE Banking Act has been referred to the Senate Banking, Housing, and Urban Affairs Committee. 
• MORE Act of 2021: This bill would also remove cannabis from the 1970 Controlled Substances Act and expunge cannabis convictions from convicted person's records, but also impose an initial 5 percent tax on retail sales of cannabis, which would increase to 8 percent over three years. This tax revenue would be funneled to the federal Opportunity Trust Fund to be used for community reinvestment. The MORE Act was scheduled to be considered by the House Judiciary Committee this fall.
• The Veterans Medical Marijuana Safe Harbor Act: This bill would temporarily allow veterans to legally possess and use cannabis under federal law if recommended by a doctor in accordance with state law. In addition, physicians working for the U.S. Department of Veterans Affairs would be allowed to issue medical marijuana recommendations as treatment. This proposal has been forwarded to the House Health Subcommittee.

Whether these federal bills advance in Congress will have significant influence on how state lawmakers and agencies deal with the top five issues facing marijuana regulation. According to industry experts, those five issues are:

1. Protecting State Marijuana Regulatory Programs

What if Congress legalizes marijuana in one form or another? Will marijuana become totally federally regulated? State lawmakers nationwide almost universally say no, and there are several bills pending in Congress that would leave the industry near-exclusively regulated by the states.

All 36 states with a legal medical and/or recreational marijuana market have created applicable standards, although they vary considerably. Should Congressional action legalize marijuana at the federal level, there could be an effort to harmonize certain aspects of state regulations to better facilitate commerce.

Congress is likely to designate a federal agency to oversee harmonization, monitor state systems, and ensure transportation and supply chain security. Both the proposed Cannabis Administration & Opportunity Act and MORE Act of 2021 appear to concede regulatory supremacy to the states.

2. Clinical Research On Marijuana People Consume

For years, state marijuana regulators, universities, and commercial labs have been lobbying for increased investment into clinical research on the therapeutic effects of cannabis. Because marijuana is still listed as a controlled substance by the federal government, clinical research on how marijuana sold at a state-sanctioned dispensary treats, for example, chronic pain, is virtually non-existent.

Under current federal law, researchers can only study effects of marijuana from plants produced by the University of Mississippi, under contract with the National Institute on Drug Abuse (NIDA), which is not the same as commercial-grade marijuana. 

A federal law removing the classification as a controlled substance would usher in long-awaited funding for clinical research by state universities and private labs that is expected to expand treatment capacities for marijuana and further stoke the industry’s burgeoning market. 

3. Access to Financial Services for Marijuana Businesses

The marijuana industry is growing dramatically, despite restricted access to traditional financial tools and the banking system.

Removing marijuana as a prohibited federal Schedule 1 controlled substance would be a rather simple and immediate fix for many marijuana businesses that cannot gain access to most banking services because their income is seen as money laundering under the Bank Secrecy Act. 

Amending the Bank Secrecy Act to specifically exempt proceeds of legal marijuana sales would be another solution, albeit more restricted. Some say this approach may work better than a broader bill decriminalizing or legalizing marijuana.

In addition, under the proposed SAFE Banking Act, federal banking regulators could no longer penalize a depository institution for providing banking services for a legitimate cannabis-related business, nor would a depository institution be liable or subject to asset forfeiture for providing a loan or other financial services to a legitimate cannabis-related business.

These and other legislative and regulatory changes to open access to banking and financing for marijuana businesses are supported by an array of financial institutions and associations, including the National Credit Union Administration (NCUA). Only 200 credit unions across the country are servicing state-legal marijuana businesses, despite NCUA representing more than 5,000 financial institutions.

4. Equity Policies

Even some of the oldest and most extensive state-based marijuana regulatory schemes remain works in progress, with lawmakers in many legislatures looking for ways to ensure equity for minorities, small businesses, and individual growers in an evolving industry.

But state and local efforts are being directed toward developing more diversity, equity, and inclusion in the industry, such as the bill Colorado Gov. Jared Polis signed this year to create a social equity fund within the state’s Office of Economic Development & International Trade. The fund will support cannabis businesses owned by people who qualify as “social equity licensees,” those most impacted by state and federal “drug war” policies, under Colorado law.

Michigan lawmakers are also seeing a push for racial equity to ensure businesses of all sizes can operate fairly in the state’s emerging cannabis market. Michigan Marijuana Regulatory Agency Executive Director Andrew Brisbo said under a 2022 equity proposal, that new license types could be approved for marijuana “microbusinesses” and an interim step before “full-blown integration with all license types.”

Rhode Island, where one proposal would dedicate 20 percent of new licenses for minority owned businesses, Connecticut, Illinois, and New York are among states where lawmakers will consider equity marijuana proposals. Cities such as Oakland, Boston, and Chicago have adopted such standards that are almost constantly being tweaked. In October, Florida rolled out a process for Black farmers to compete for a coveted license to grow, process and dispense medical marijuana in the state.

When Florida lawmakers created their medical marijuana regulatory system in 2017, they set aside a license to be awarded to a ”recognized class member” in the “Pigford” lawsuit, a decades-old federal court ruling that determined federal and state governments engaged in racial discrimination against Black farmers for more than a century.

5. Federal Taxes

Nearly all state regulators call on Congress to exempt legal marijuana businesses from the provisions of Internal Revenue Code 280E, which prevents them from claiming standard deductions available to other businesses and requires them to pay significantly higher federal income taxes than other companies.

According to The Cannabis Regulators Association (CANNRA), because of IRS 280E, legally licensed marijuana businesses can pay up to 70 percent of their income in tax liabilities. 

Considering marijuana is already heavily taxed at the state and local levels in many states, lifting the IRA rule — or making exceptions for state-licensed operators — would be a boon to the marijuana industry, especially for small businesses and entrepreneurs.

Autonomous Vehicles

The roads are opening up for autonomous vehicles (AVs) as the technology advances from experimental stages to demonstrations to street-legal driverless cars, trucks and buses — whether state regulators are ready for them or not. Many fear they are not ready from the perspective of developing the best AV technology, passenger safety, liability, cybersecurity, and data privacy regulations — not for lack of regulating on their states’ parts, but from the limitations of state regulations without comprehensive federal guidance and oversight plotting a national strategy.

Lawmakers in 40 states and the District of Columbia have enacted legislation regarding AVs or Automated Driving System Equipped Vehicles since Nevada became the first U.S. state to do so in 2011.

In 2021, lawmakers in 26 states introduced 56 AV-related bills, including seven insurance and liability legislative packages for driverless vehicles in six states, and significant revisions of existing AV laws and regulations in Arizona and Arkansas. Significant AV legislation failed in Wyoming and Missouri, while New Jersey lawmakers still have two AV bills pending on their 2021 calendar.

But states have been operating with belated collaboration from the federal government which has issued voluntary guidance that many anticipate to be dramatically upscaled by the Biden administration in the coming years. The U.S. Department of Transportation (DOT), Federal Highway Administration (FHA), Federal Transit Administration (FTA), and the National Highway Traffic Safety Administration (NHTSA) are among federal agencies engaged in developing a nationwide regulatory framework for AVs.

The DOT has two plans. The Ensuring American Leadership in Automated Vehicle Technologies, or the AV 4.0 Act, was released in January 2020; and the DOT’s Automated Vehicles Comprehensive Plan was released in January 2021. Both are regarded as outlines to be filled in as the technology develops.

President Joe Biden has pledged a $1 billion annual grant program to help cities adapt and transition to AVs, promote efficient markets and prepare the transportation system for the new technology. AVs are coming, regardless, so there is growing urgency in calls for the federal government to address concerns from manufacturers and state regulators.

The $100 billion global AV car and truck market is expected to grow from 670,000 units in 2020 to 4.223 million in 2030 with a $7 trillion economic foundation by 2050. AVs aren’t restricted to cars, trucks and buses; autonomous transportation includes delivery drones, trains, ships, shuttle buses, and business truck fleets that will support many industries. 

Developing a more robust federal framework will help state regulators adjust policies and proposals to overcome hesitation over a hodgepodge of competing regulations. Here are three state AV regulatory issues that would benefit from federal guidance and oversight: 

1. Harmonizing Safety & Testing Standards

Since there are no comprehensive federal requirements for roadway testing protocols, minimum safety criteria, or vehicle design to provide definitive guidance to AV manufacturers or suppliers, state regulators have assumed that role. As a result, the United States is considered lacking by international standards in developing comprehensive and concrete AV testing and operating safety protocols. 

“The United States does not have a federal regulatory framework currently in place to address autonomous vehicle testing and deployment,” states the Global Guide to Autonomous Vehicles 2021 report by Denton’s, a multinational law firm with one of the world’s largest banking and insurance practices. “As a result, testing and deployment is regulated by a state-centric patchwork of laws.” 

At least 37 states have issued policies or regulations related to AV testing, mostly by executive order. California, Florida, Michigan, and Nevada have passed comprehensive regulations governing testing of autonomous vehicles. 

Of those states, California regulates most extensively with a code book dedicated to the testing and deployment of AVs. As of February 2021, California had issued 56 permits for AV testing with a driver, six permits for driverless testing, and authorized the deployment of autonomous vehicles from only one entity — a disappointing pace according to some critics.

2. Insurance/Liability

Traditional state tort and contract liability for traffic accidents, warranty rules and product liability laws will all govern civil liability from AV accidents. But in the absence of federal preemption, most states have viewed AVs as technology ripe for economic development and adopted varying standards designed to encourage companies to invest in research and technology rather than to regulate an emerging industry for consumer safety.

Ironically, developers and manufacturers say a lack of state-to-state consistency complicates compliance issues, fosters wasteful certification requirements, and curries confusion and hesitancy for corporations, investors, and innovators. 

Reciprocity and harmonization between states may require modifications to existing tort and contract liability laws to ascertain the potential liability of manufacturers, suppliers, and sellers to those injured in AV mishaps. As of October, 29 states have adopted AV liability laws. During the 2021 sessions, seven AV liability packages for driverless vehicles were considered in six states and adopted in at least two: Arkansas and Arizona.

“I believe that the states themselves will never be able to figure out five or six or seven or eight different companies and how they operate, and standards, and things of that nature,” said Florida state Sen. Jeff Brandes, R-St. Petersburg, who has spearheaded AV development in the Sunshine State. “But, if we can set up a simple system of validation, an insurance standard that is universally recognized, a ‘Good Housekeeping Seal of Approval’ for a functional and safe self-driving car, then I think we’re making real progress.”

3. Cybersecurity/Data Privacy

AV technology presents cybersecurity and data privacy risks for manufacturers, suppliers, sellers, consumers, and the public. Any jamming or hacking of data being fed into an AV’s system can lead to accidents.

State lawmakers and regulators have done little to concretely and comprehensively address questions from manufacturers and others in the industry about cybersecurity and data privacy. In 2021, only two bills addressing AV cybersecurity and data privacy were introduced nationwide — both in Arizona and both failed. In 2022, it is likely that many state legislatures will continue to wait for federal guidance.

There are also numerous concerns beyond having a driverless vehicle hijacked by a remote highwayman. IT security concerns must be addressed to boost consumer confidence enough for manufacturers and regulators to develop the standards to provide pre-purchase assurances that an AV can handle cybersecurity threats through software updates and ongoing monitoring.

State and federal privacy laws as currently written will find little application in AV technology, which will generate vast amounts of data and, eventually, spur legal challenges over data ownership, privacy, and security. 

Gig Economy

The gig, sharing, or platform economy employed an estimated 55 million Americans in 2017, about one-third of the United States’ workforce. Since the emergence of COVID-19 in March 2020, those numbers have significantly increased, with some projecting that the majority of the American workforce will be freelance or “giggers” by 2027. 

The gig economy is a global network of workers who are not employees of any organization but perform specialized tasks for clients on a case-by-case basis. 

In the U.S., most gig workers are classified as “independent contractors,” which the IRS defines as “people who offer their services to the general public” in an independent trade, business, or profession. Gig employees are freelancers, independent contractors, temporary or part-time hires, or project-based workers. Examples of gig workers include self-employed artists, Uber and Lyft drivers, and hairdressers. Pre-COVID-19, gig workers were ineligible to seek state jobless claims. 

Freelancers, who often have additional full-time jobs or are independent small business owners, have been a growing component of the economy as workers seek flexible earning opportunities and businesses cut labor costs associated with health insurance and other benefits. 

But regulatory skirmishes threaten to produce new labor-defining legislation and litigation unless gig employers can resolve battles with labor unions at state levels before federal regulators get involved. Lawmakers in California, New York, New Jersey, Massachusetts, and Illinois have pondered legislation regarding gig economy workers’ status. Companies such as Uber, Lyft, DoorDash, Instacart, and TaskRabbit have fought back.

The California Assembly passed a 2019 bill that included a standards-based test that classified some app-based delivery and cab drivers as employees but did not address the vast majority of gig workers. In response, Uber, Lyft, and others spent $200 million to finance Proposition 22, which defines per-call drivers as independent contractors. A judge ruled in August that Prop 22 is unconstitutional, but the law is still in effect as the companies appeal.

According to Reuters, the companies have established lobbying groups in Massachusetts, New York, New Jersey, Illinois, Colorado, and Washington to push for laws classifying app-based drivers as independent contractors in exchange for offering them some benefits. A Massachusetts coalition of gig companies is attempting to get a proposal on the November 2022 ballot that would classify gig workers as independent contractors.

New York lawmakers are attempting to get gig economy companies, unions, and state officials to accept a plan that classifies gig workers as independent contractors but would allow some to negotiate wages, cap company commission fees, and provide unemployment insurance in some circumstances.

The New York chapter of the AFL-CIO, the largest U.S. labor organization, backs the compromise proposal, while state chapters of the Service Employees International Union (SEIU) oppose it. The Colorado AFL-CIO chapter opposes a similar prospective 2022 proposal in that state.

Issues also include ownership of data, content moderation, ability to reach customers, harassment in virtual “workplaces,” and monetization policies. In California, voters approved an industry-backed ballot measure that exempts ride-hail and food delivery workers from rules that require other types of contractors to be classified as employees and provides them with limited benefits. The California referendum, a costly victory for the gig companies, was also a cautionary tale for unions, as well as for drivers, who are now left without avenues to organize or object to the terms stipulated by the companies.

At least four gig economy-related issues will confront lawmakers in 2022. They are, briefly:

1. Unemployment

As independent contractors, gig workers are generally ineligible for state unemployment benefits. But during the height of the COVID-19 pandemic, Congress authorized a Pandemic Unemployment Assistance (PUA) weekly stipend for the first time to gig workers, freelancers, and part-timers to collect benefits via a new federal program. 

The $600 weekly allowance was reduced to $300 before being discontinued by the federal government in September. Labor advocates have called for the PUA program to be a permanent fixture of federal and statute unemployment programs and it is likely state lawmakers in numerous states will be pondering such proposals in 2022. 

2. Right to Organize

Collective action for giggers is a difficult prospect since there often is little interaction with fellow workers, but there are coalescing efforts to collectively bargain for higher wages and benefits. 

3. Equity

State lawmakers will likely see 2022 legislation that seeks to provide gig workers with protections from non-payments or lower payments than agreed upon, a widespread issue in the freelance industry with little recourse but to go to court.

4. Stock Options

Among ways gig companies have suggested they can better compensate freelance workers is by offering stock options. SEC Rule 701 allows companies to issue stock to employees, consultants, and advisors as compensation without having to submit detailed financial records, but gig workers don’t qualify.

Data Privacy

In 2016, the European Union adopted its landmark General Data Protection Regulation (GDPR). Two years later, the California Assembly passed the California Consumer Privacy Act (CCPA). They remain the gold standards in comprehensive digital data privacy, although the pace of cybersecurity legislation, amid a rash of ransomware attacks, data breaches, and upheaval fostered by social media, is accelerating globally as the technology becomes ever more pervasive. 

Online retailers, social media, and mobile devices and apps are an increasingly integral part of consumers’ lives, but they collect and share personal information in ways not previously accounted for in the law. 

In the U.S., states are primarily responsible for ensuring data security, although the federal government imposes a disparate array of privacy regulations through:

• HIPAA: the Health Insurance Portability & Accountability Act of 1996
• FCRA: the Fair Credit Reporting Act
• FERPA: the Family Educational Rights and Privacy Act
• GLBA: the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999
• ECPA: the Electronic Communications Privacy Act of 1986
• COPPA: the Children's Online Privacy Protection Act
• VPPA: the Video Privacy Protection Act of 1988

While acronym-heavy, the matrix of laws and regulations within these federal bills addresses specific types of data, such as credit or health information, or relate to specific populations, such as children, but only incidentally address data privacy. Otherwise, the federal government does not have a comprehensive data privacy law or guidance for states.

The 2018 adoption of the CCPA was followed by the 2020 passage of the California Privacy Rights and Enforcement Act (CPRA), which added more protections, and was approved by state voters in November 2020. Since then, Virginia and Colorado have enacted similar broad-based data privacy legislation that go into effect in January 2023.

The CCPA broadly regulates the collection, use, and disclosure of personal information and provides an express set of consumer rights with regard to collected data, such as the right to access, correct, and delete personal information collected by businesses. 

California’s CCPA was one of two data privacy bills approved by state legislatures nationwide in 2018. The following year, 12 states adopted 15 bills and in 2020, 24 data privacy bills were enacted in 16 states. In 2021, more than 160 consumer-privacy-related bills were introduced in 38 legislatures with 17 passing in 27 states.

Lawmakers in at least four states — Massachusetts, New York, North Carolina, and Pennsylvania — have comprehensive consumer data privacy proposals in committees this fall and could be adopted by year’s end or during 2022 sessions. Other states will ponder more narrowly-tailored consumer privacy legislation.

“Data privacy will almost certainly be part of the conversation” during Connecticut’s 2022 session, said Ryan Bingham, senior director of government affairs at Sullivan & LeShane, in Torrington, Conn.

“There have been robust debates in the past and the Senate Majority leader is committed to getting something done in the 2022 session,” Bingham said. “Considering the national debate, this may be one of the hottest topics this year.”

State-based lobbyists in Minnesota, Florida, Colorado, and Wyoming also said they expected to see slates of data privacy bills during 2022 sessions. Here are some of the key discussion topics around data privacy policy:

1. Right of Action

The most controversial component of state data privacy laws is affording customers the right to sue businesses that violate any provision of the law. But only California’s CCPA offers consumers a limited right of action if their personally identifiable information is lost in a hack or breach. Virginia and Colorado’s data privacy laws will not include the provision when they go into effect in 2023.

Businesses, claiming that a private right of action poses the potential for significant legal exposure through consumer class-action lawsuits, resisted the provision and derailed likely adoptions of comprehensive data privacy legislation in Florida, Oklahoma, and, for the third straight year, Washington state.

2. Consumer Rights Protections

While right of action generates the most regulatory angst among lawmakers and businesses, state-based data privacy bills include an ever-widening range of consumer rights protections, including the rights of access, recertification, deletion, restriction, portability, opt-out, and against automated decision-making.

While only three states have passed laws that would be classified as “comprehensive,” many have passed an array of data privacy laws designed to ensure consumer rights. Among them:

The Right to Delete/Correct

Provisions that grant consumers the right to request deletion of personal information and require the business to delete that information upon receipt of a verified request. Some proposed and adopted state legislation includes provisions that give individuals the ability to direct businesses to delete their information.

Disclose Use of Personal Data

Under many proposed and adopted state-based data privacy laws and regulations, consumers are granted the right to request a business that sells the consumer’s personal information, or discloses it for a business purpose, to disclose the categories of information it collects and identity of third parties to which the information was sold or disclosed in response to verifiable consumer requests.

Opt-outs

Some state measures authorize consumers to opt out of the sale of their personal information by a business and bars businesses from retaliating against those who opt out. 

A “global opt-out” to be removed from data-sharing by device or browser, instead of being forced to opt-out on each site individually, is also among provisions included in some adopted state laws and will likely be included in those proposed in coming years.

Right to Control

Similar to a “global opt-out,” some states specifically accord consumers the right to control selling their information to third parties via a “do not sell my personal information” link.

Age Restrictions

Most state data privacy regulations include prohibitions on businesses from selling information of people under age 18 without explicit consent and require parental consent before selling information about a consumer under the age of 13.

Expand Regulatory Realm

With a dramatically expanding technology comes corresponding growth in lexicon and definitions. Some state data privacy laws and proposals expand the definition of personal information to include IP addresses, device IDs, cookie IDS, and psychographic profiles based on customers’ preferences, characteristics, behavior, interests, and other facts.

Opt-Ins

Unlike California’s CCPA, instead of focusing on opt-outs, the failed 2021 Oklahoma Computer Data Privacy Act proposed a consent-based, opt-in model reflecting policies announced by Google and Apple.

Clear Business Obligations

Amid all the consumer rights and data privacy legislation, lawmakers have expressed concern on behalf of businesses about being saddled with a confusing array of regulations.

Lawmakers must ensure businesses and others who deal with people’s personal data are aware of their responsibilities under opt-in, prohibitions on sales of information notices, transparency requirements, data breach notifications, risk assessments, prohibitions on discrimination, “purpose limitation,” “processing limitations,” and fiduciary duty.

3. Data Broker Regulation

Data brokers are businesses or corporate units that collect, sell, or license personal information of consumers with whom they do not have a direct relationship. They are essentially the middleman between first-party data handlers such as Facebook, Google, or Amazon — which harvest data directly from their users — and third parties that use the data to market products, conduct background checks, ascertain financial assets, and a range of personal information.

Data brokers have been operating in the “data economy” for years with few regulations, collecting and selling consumer data for targeted advertising to marketers, providing credit information to financial institutions for personal loan terms, or providing information to potential employers for background checks.

Federal regulation of data brokers is limited. At the state level, Vermont’s 2019 law was the first state-based legislation to directly address information brokers by requiring them to register with the state and disclose specific information to consumers. Within a year, 121 companies had registered.

Since Vermont passed its law, California and Nevada have adopted similar bills regulating data brokers. In 2021, bills seeking to regulate data brokers were introduced in 11 states, but only Nevada lawmakers adopted one, an amended expansion of its previously passed law.

4. Genetic Data

More than 30 state legislatures have installed genetic information safeguards to protect privacy and restrict access to potential users, such as insurers and employers. Laws in 16 states require “informed consent” for a third party to perform or require a genetic test or obtain genetic information, and 24 states require informed consent to disclose genetic information. Rhode Island and Washington require that consent be in the form of written authorization.

Four states require consumers be granted individual access to personal genetic information and 18 states have adopted specific penalties, including criminal, for violating genetic privacy laws.

Alaska, Colorado, Florida, Georgia, and Louisiana explicitly define genetic information as personal property. Alaska also extends personal property rights to DNA samples. There were six genetic data privacy bills introduced in state legislatures in 2021, all of which were adopted. 

The emergence of direct-to-consumer genetic testing is the primary genesis of these bills as consumers realized their test results could be used or shared without their knowledge. 

Standard provisions include requiring notice about policies and procedures for using and disclosing genetic data and obtaining consent before collecting or transferring genetic data, or using the data for a purpose other than what it was collected for.

Defining genetic data as personal property is a trend across the states, although Oregon changed its law 20 years specifically to exclude DNA as personal property and Washington’s regulations explicitly treat genetic information the same as other health information.