Data Protection 2022: New U.S. State Laws Reflect Convergence of Privacy and Security Requirements

February 25, 2022

Public Sector

Many countries around the world recognized Data Protection Day in January — a day that highlights the importance of protecting individual privacy and data against misuse. The U.S. celebrated Data Privacy Day, where privacy and security have often been seen as two separate issues. This is evidenced by the way law has historically developed. 

At the federal level, Congress has enacted sectoral privacy laws over the last few decades — known colloquially as HIPAA in the healthcare sector, COPPA for children’s privacy, GLBA for financial privacy, and so on. Congress has also given the Federal Trade Commission (FTC) enforcement authority to protect individuals from unfair or deceptive acts or practices, which is often used in the context of protecting privacy.1 Additionally, there are security-focused federal laws, such as the Wiretap Act and the Electronic Communications Privacy Act. At the same time, all 50 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands, all enacted distinct data breach notification laws.2 The past two years alone highlight a shift toward a more holistic approach to data protection laws where privacy and security requirements are intertwined.

Privacy and Security Meet in New State Laws

In 2020, the California Privacy Rights Act (CPRA) was passed, amending the first state privacy law, California’s Consumer Privacy Act of 2018. In 2021, both the Consumer Data Protection Act (CDPA) in Virginia and Colorado Privacy Act (CPA) in Colorado were enacted. In response, there has been increased activity at both the state and the federal levels with regard to the introduction of similar privacy laws in the respective legislatures.3 

The CPRA and the CDPA differ from the privacy and security laws of the past because cybersecurity requirements are tucked into these laws. For example, under CPRA, a business subject to the California requirements must implement reasonable security procedures and practices,4 and a violation of such reasonable security procedures gives an individual the right to bring legal action against the business.5 Similarly, under Virginia’s CDPA, a business must create and maintain reasonable technical and physical security practices.6 Although many other states are proposing privacy laws, these laws tend to look more like data protection laws, with privacy and security requirements converging.

New Cybersecurity Requirements Around the Corner

At this point, the other security and cybersecurity requirements that fall under the CPRA and the VA CDPA are not known. Although the Virginia legislature has been discussing possible amendments to the law, none have yet been adopted. In California, the CPRA created the California Privacy Protection Agency (‘the Agency’), and the Agency is tasked with defining the cybersecurity audit and risk assessment requirements. In November 2021, the Agency solicited feedback from the community writ large on what these requirements should entail, but to date, the Agency has not finalized the requirements. 

As the cybersecurity audit requirements are defined, policy makers should take note of the advantages of establishing a uniform, high-level standard and to look to established standards, such as NIST or ISO. Additionally, as the risk assessment requirements are defined, organizations should think operationally about security measures in place, both in terms of what threat actors are likely to exploit and what defenders must do to protect privacy. 


  1. 15 U.S.C. § 45(a).
  2. See Security Breach Notification Laws, NCSL (Jan. 2022).
  3. See generally US State Privacy Legislation Tracker, IAPP (Jan. 2022).
  4. Cal. CIV Code § 1798.1.00(A)-(D).
  5. Cal. CIV Code § 1798.150(a)(1).
  6. Va. Code § 59.1-574(A)(3).

Additional Resources

Related Content