Utah has made headlines this month with the state’s Senate and House approval of the Utah Consumer Privacy Act (S.B. 227), or UCPA. While the bill still awaits the governor’s signature, it’s not the only US privacy and protection legislation in the works — and it looks like Utah will not be the only state to pass a comprehensive privacy law this year.

There are currently over thirty US states with pending privacy legislation. Six of those states — Florida, Indiana, Oregon, Washington, West Virginia, and Wisconsin — have legislative sessions set to adjourn within the next few weeks. Privacy is on the docket for all of them.

With amendments to Virginia’s CDPA and Utah’s new bill days away from either being vetoed or signed into law, here is a snapshot of the (rather crowded) privacy landscape this legislative session.


The Virginia legislature passed four amendments to its Consumer Data Protection Act (CDPA) between February 25 and March 4 of this year. The current legislative session is scheduled to close on March 12, 2022, and Virginia’s governor has yet to sign off on any of the amendments.


The Utah legislature passed the Utah Consumer Privacy Act (S.B. 227), or UCPA, last week. The bill had only been introduced two weeks prior when it passed unanimously in both houses one day before the legislative session ended. While Utah’s governor has yet to sign or veto S.B. 227, there are about two weeks remaining for it to become law.


The Florida legislature filed two privacy-related bills in 2022: SB 1864 and HB 9.

  1. SB 1864 was introduced in the Senate Judiciary Committee on January 18, where it has remained idle.
  2. HB 9 was filed in the House on January 11 — and was referred to the House Commerce Committee one day later. Amended versions of HB 9 would require controllers to provide notice to consumers on data collection, sharing, and selling practices, as well as provide consumer rights to correct, delete, or access data and to opt-out of the sale or sharing of personal data. If passed, the bill would take effect on January 1, 2023.


Although two consumer privacy bills were introduced this year, only one of them appears to be active.

Indiana’s SB 358 provides for a number of consumer rights, such as the right to access, correct, or delete personal data. Additionally, the bill allows a business the right to cure within 30 days and does not preserve a private right of action for consumers in its current form.


Unlike the other bills discussed here, HB 4017 is a privacy-adjacent bill in that it regulates data brokers. It requires business entities that qualify as data brokers to register with Oregon’s Department of Consumer and Business Services.


Washington introduced four bills in January 2022, but none of them appear ready to pass before the legislative session ends on March 10. The bills are intended to provide stronger privacy measures over consumers’ personal data, rights, and protections.

West Virginia

If passed, HB 4454 would allow consumers to limit the sale and sharing of personal information and provide consumers with opt-out mechanisms for the sale, sharing, or use of personal information — as well as any use of sensitive personal information.


Like Virginia’s CDPA, Wisconsin’s AB 957 exempts certain entities from coverage, including governmental bodies, financial institutions, nonprofits, institutions of higher education, and some entities that are subject to federal health privacy laws, such as HIPAA.

The Wisconsin legislature is also considering three other privacy bills that concern the protection of consumer personal data.

The only other state legislatures scheduled to adjourn this week — Arkansas and Wyoming — have not introduced any privacy legislation in 2022.

Idaho and Kansas are the last two state legislatures set to close in March, and neither state has introduced any privacy bills. However, March is a long month — and, as we’ve seen with Utah, anything is possible in this space.

It is crucial that privacy professionals pay close attention to these bills in the upcoming weeks. Staying on top of privacy updates can ensure that your company maintains a robust privacy program and meets compliance for each and every state in which it operates. Find out how BigID can help — see it in action with a quick demo.