In mid-2021, Access began publishing this quarterly update, documenting the latest legislation and regulatory news happening around the world. The feedback so far has been positive, and professionals in the IG, legal, compliance and records management fields have been appreciative of the briefings. Our areas of research focus include data privacy and security, records retention, financial services, payment processing, workplace safety, and back office refresh.

Just as we set out to do when we first launched last year, in this second quarter of 2022, we aim to ensure that you have all the latest regulatory updates and provisional information you need to do your job as efficiently as possible and with the utmost confidence.

We also include notations, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo, as a courtesy to active clients. We look forward to continuing to provide these updates throughout this year and beyond. Following is the latest on that front.

New & Noteworthy Legislation in the United States:

  • California
    • CAL. GOV’T. CODE § 12946(a). Effective January 1, 2022, employers must now retain “all applications, personnel, membership, or employment referral records” for 4 years from the date the records were created, or the date the employment action was taken. Prior to this amendment to Government Code section 12946, these records only needed to be kept for 2 years.
  • Virginia
    • CODE ANN. § 59.1-577(B)(5). Virginia’s governor recently approved legislation to amend the Virginia Consumer Data Protection Act (VCDPA).
      • The new language adds an exemption to the right to delete. Specifically, the new language states that data controllers that have obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete such data by either: (1) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remain deleted from the business’s records, and not using such retained data for any other purpose; or (2) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the VCDPA.
    • Utah
      • New Consumer Privacy Act
        • Applies to for-profit entities that (1) conduct business in Utah or target products and services to consumers who are residents of the state, (2) have annual revenues of at least $25 million, and (3) meet one of two threshold requirements:
          • Annually control or process the personal data of 100,000 or more Utah residents (“consumers”); or
          • Derive over 50 percent of gross revenue from the “sale” of personal data and control or process personal data of 25,000 or more consumers.
        • Businesses subject to the UCPA will generally find that their compliance efforts for other state privacy laws offer a significant foundation for UCPA implementation as they build for its December 31, 2023, effective date.

As always, over the coming months, the Access Legal Research Team will be conducting new research and reviewing existing research in the following jurisdictions:

  • Argentina
  • Australia
  • Austria
  • Belgium
  • Brazil
  • Canada
  • Chile
  • China
  • Colombia
  • Croatia
  • Czech Republic
  • Germany
  • Djibouti
  • France
  • India
  • Iraq
  • Japan
  • Kuwait
  • Lebanon
  • Mexico
  • Netherlands
  • Panama
  • Philippines
  • Singapore
  • Slovenia
  • Turkey
  • South Africa
  • UAE
  • US
  • UK

To learn more about how to address records retention, data privacy and security requirements more efficiently, request a call with an Access expert, or request a product demonstration of Virgo here.

Request A Free Trial Now