The Virginia legislature has introduced several bills that would amend Virginia’s Consumer Data Protection Act (“CDPA”), which was enacted last year. These bills are largely in response to the November 1, 2021 Virginia Consumer Data Protection Act Work Group report (the “Report”), which outlined 17 “points of emphasis” related to the CDPA. The Report includes recommendations regarding administrative items, permitting the Attorney General to seek actual damages based on consumer harm, implementing a right (that would sunset) to cure violations of the CDPA, amending the right to delete, amending the definition of sensitive data, implementing global privacy control, and providing resources to consumers and small businesses, among other topics.

The following is a high-level summary of the relationship between the introduced bills and the Report:

I.     HB 381 and SB 393

In the Report, the work group specifically called for the “right to delete” provision in the CDPA to be a “right to opt out of sale” as well. This change is meant to address the scenario where the benefit of deleting data may be undone if there is indirect collection at a later date. These bills would permit a business to satisfy a consumer’s request to delete by opting the consumer out of processing of their data for targeted advertising, sale, or profiling. Note that the opt out in HB 381 is broader and would opt the consumer out of processing for any purpose (with certain exceptions).

II.     HB 714 and SB 534

The work group also outlined that there is a need to employ an “ability to cure” option for violations, should a potential cure exist, as well as permitting the Office of the Attorney General to pursue actual damages based on consumer harm.

Accordingly, these bills add a 30-day cure period that would only apply to violations that the Attorney General deems curable. Additionally, these bills would allow the Attorney General to seek actual damages in addition to existing remedies (injunctive relief and statutory damages of $7,500.00 per violation).

III.     HB 1259

The Report also mentioned the need to consider whether the definition of “sensitive data” should exclude general demographic data used to promote diversity and outreach to underserved populations.

This bill proposes to address this by removing consent requirements for processing sensitive data when such processing involves “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status” if the data is used solely for marketing, advertising, fundraising, or similar outreach, communications or information sharing that does not result in decisions that could produce legal or similarly significant effects concerning the consumer.

Virginia is not the only state working to change its existing privacy framework. Colorado’s Office of the Attorney General will begin rulemaking activities shortly, and the California Privacy Protection Agency recently held a public meeting to discuss updates to its rulemaking process. More details are available on CPW’s blog covering these announcements.

Updates: California Privacy Rights Act (“CPRA”)

Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB 694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here.

As Ann LaFrance, Alan Friel, Elliot Golding, Kyle Fath, Glenn Brown, Kyle Dull, Niloufar Massachi, and Gicel Tomimbang explain in a comprehensive expert analysis, recent changes in US consumer privacy laws will require most US businesses to make material changes to their privacy compliance and information governance programs by January 1, 2023 (July 1, 2023, in the case of Colorado). The analysis includes infographics that compare and contrast the applicable laws. Besides discussing these changes, the authors make recommendations on what to do during the remainder of 2021 and throughout 2022 to ensure business readiness by 2023.

You can read their breakdown here or below.

CPRA/CDPA/CPA Unpacked: Develop a Preparedness Plan Now

In a must-read, CPW’s Glenn Brown provides a detailed breakdown of the Virginia Consumer Data Protection Act (the “CDPA”) and how it stacks up relative to the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act (“CPRA”), which amends and will essentially replace the CCPA on 1 January 2023, and the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).  Check out his article available at One Trust’s Data Guidance.

Just this week Virginia joined California as being one of the few states where consumers have a “right to delete” under applicable state privacy laws.  This loosely follows the approach in the EU General Data Protection Regulation (“GDPR”) that also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.  State approaches to consumers’ “right to delete” are not uniform, however, which makes understanding the nuance in the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”) all the more important.

CPW’s Glenn Brown has prepared a detailed analysis that is a must-read in light of the VCDPA’s passage that compares the “right to delete” under the CCPA, CPRA and VCDPA.  As he explains, the CCPA, CPRA and VCDPA each provide that a consumer has the right to request that a business delete their personal information, but they differ in certain respects, including their scope. The CCPA provides that consumers “… have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”  (emphasis added).  Notably, the CPRA does not amend the wording of this right.  By comparison, the VCDPA provides that consumers “… have the right to delete personal data provided by or obtained about the consumer.”  (emphasis added).  The VCDPA’s deletion right is therefore broader than that provided by the CCPA and CPRA, in that it applies to personal information that a business has collected from a consumer or that the business has collected about a consumer from another source.

Glenn provides a fantastic breakdown discussing the relevant exceptions to the “right to delete” under each of these laws, including a chart describing the various uses of personal information that will allow a business to retain the relevant personal information subject to these laws, even when a consumer has requested the business to delete it.

*The CCPA and CPRA provide that the exception is available only if: (a) deletion of the information is likely to render impossible or seriously impair the ability to complete such research; and (b) the consumer has provided informed consent.

**The VCDPA requires that the research be approved, monitored, and governed by an institutional review board, or similar independent oversight entities, that determine whether: (i) the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; (ii) the expected benefits of the research outweigh the privacy risks; and (iii) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

The CPRA also requires that such uses be compatible with the context in which the consumer provided the information in order to qualify for the exception.

Be sure to check out Glenn’s complete analysis here.

Connecticut is gearing up to be the next state with a comprehensive privacy law. On April 28, 2022, the Connecticut General Assembly passed SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” which is currently with the governor awaiting signature. Of the state laws that have passed, SB 6 is most similar to the Colorado Privacy Act (“CPA”), Virginia Consumer Data Protection Act (“CDPA”), and Utah Consumer Privacy Act (“UCPA”). For example, under SB 6, the terms “controller,” “processor,” and “personal data” have definitions similar to those under the CPA, CDPA, and UCPA.

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

JUST RELEASED: 2022 Q1 AI/Biometric Litigation Trends | Consumer Privacy World

Registration Open: March 30 Webinar on International Data Transfers | Consumer Privacy World

France Updates its Whistleblower Protection to Transpose the EU Whistleblower Directive | Consumer Privacy World

Federal Court Dismisses Litigation Challenging U.S. Postal Service’s Use of Facial Recognition and Related Technologies | Consumer Privacy World

United States and European Commission Announce Trans-Atlantic Data Privacy Framework: Setting the Scene for Schrems III? | Consumer Privacy World

California Attorney General Clarifies that Inferences are Personal Information | Consumer Privacy World

Registration OPEN: April 5 from 12-1 pm EST 2022 Developments and Trends Concerning Biometric Privacy and Artificial Intelligence | Consumer Privacy World

Top Five Takeaways for Businesses from the New CISA Cyber Reporting Act | Consumer Privacy World

Hello, Utah Consumer Privacy Act! | Consumer Privacy World

New UK IDTA and Addendum Come Into Force | Consumer Privacy World

FBI Warns U.S. Critical Infrastructure Subject to Reconnaissance for Cyberattacks | Consumer Privacy World

NIST Publishes AI Risk Management Framework and Updates on Bias in AI | Consumer Privacy World

SPB Team Defeats $70 Billion Driver Privacy Litigation With Ruling From Fifth Circuit, As Reported in Law360 | Consumer Privacy World

CPW on the Speaking Circuit in March: Colin Jennings to Present on Cybersecurity and Ransomware | Consumer Privacy World

President Biden Calls upon Companies’ Patriotic Obligation to Prepare for Cyberattacks | Consumer Privacy World

Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context | Consumer Privacy World

BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up | Consumer Privacy World

New Law Requires 72-Hour Notice for Cyber Incidents | Consumer Privacy World

BREAKING Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass | Consumer Privacy World

Virginia Work Group Report Leads to Proposed CDPA Amendments | Consumer Privacy World

The Utah Consumer Privacy Act (“UCPA”) was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA’s progress throughout this legislative session.

Effective Date

December 31, 2023.

Applicability

In comparison to other state laws, the UCPA’s applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:

  1. Do business in the state or target residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Meet data collection, processing, or sale/revenue thresholds.

Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.

In comparison, under the CCPA/CPRA, covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers’ personal information).  The CDPA and CPA do not have revenue thresholds.

Enforcement

The UCPA establishes the Department of Commerce Division of Consumer Protection (“Division”), which will receive and investigate consumer complaints alleging violations of the UCPA. Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA. Based on the referral, the AG may initiate an enforcement action against a controller or processor that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violations have a 30-day cure period. After that period, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing. The AG may seek up to $7,500 for each violation.

Rulemaking

The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025 that evaluates liability and enforcement provisions and provides a summary of the data protected (and not protected) by the UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, Division, or other agency to carry out rulemaking in the meantime.

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

CPW on Speaking Circuit in April: Alan Friel and Exterro Discuss Preparing for 2023—Tools and Tips to be Ready for New US Privacy Laws | Consumer Privacy World

BREAKING: SEC Proposes Cybersecurity Disclosure Rules for Public Companies | Consumer Privacy World

CPW on March Speaking Circuit: Stephanie Faber to Present at IAPP Data Protection Intensive France 2022 | Consumer Privacy World

Florida Pursuing Privacy Bill with Private Right of Action (Again) | Consumer Privacy World

CPW on March Speaking Circuit: Kristin Bryan and Ericka Johnson To Virtually Appear at London Privacy and Security Conference on March 15 | Consumer Privacy World

CPW’s Kristin Bryan and Kyle Fath Discuss Implications of Utah Privacy Bill With Bloomberg Law | Consumer Privacy World

Federal Court Finds Plaintiff has Article III Standing in FCRA Suit against Employer, In Reminder of Litigation Risk Arising From Background Screening | Consumer Privacy World

Now Available: A Practical Guide to Cyber Insurance For Businesses With Chapter From CPW’s Kristin Bryan | Consumer Privacy World

CPW on the Speaking Circuit in March: Golding to Speak at Privacy + Security Forum’s Virtual Spring Academy 2022 | Consumer Privacy World

SEC Set to Consider Cybersecurity Proposal to Amend Regulations, Likely Affecting Public Companies | Consumer Privacy World

Privacy Continues to be Top of Mind Issue With President Biden’s State of the Union Address and Movement on FTC Nominee Today | Consumer Privacy World

UPDATED: Utah One Step Closer to a Consumer Privacy Bill | Consumer Privacy World

CPW on the Speaking Circuit in March: Warren to Speak at PrivSec China on China’s Data Privacy Law | Consumer Privacy World

Maryland Considering Biometrics Bill That Could Shift Compliance Landscape and Contains Private Right of Action | Consumer Privacy World

Georgia Considering Broad Privacy Bill With Private Right of Action and Liquidated Statutory Damages That Would Exceed Scope of California Law | Consumer Privacy World