Mike Summers is a law clerk in Husch Blackwell's privacy and cybersecurity practice group.

Keypoint: Organizations that collect personal data from children under 16 will need to ensure compliance with additional requirements once the laws go into effect.

This is the ninth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat children’s personal data. The CPRA divides children into two groups, children under 13 and children the ages of 13-15. While both groups require consent to sell or share information, the latter may do so without a parent or guardian. In comparison, the VCDPA and CPA handle children’s data similar to each other by both defining a child as under 13 years old and including personal data of a child under the definition of sensitive data (for which consent is required to process). The VCDPA and CPA do not address the treatment of data for children ages 13-15.

In addition to these three state laws, California recently introduced a bill that would further regulate children’s personal data by creating additional obligations for companies collecting data of consumers under the age of 18. Momentum is also gathering for federal legislation that further regulates children’s online personal data, with several bills aiming to update the Children’s Online Privacy Protection Act (COPPA). In March, President Joe Biden addressed the importance of protecting children’s data in his State of the Union address. We provide an overview of these new bills in this article as well.

Keypoint: Starting in 2023, organizations that are subject to one or more of the laws will need to enter into contracts with recipients of personal information/data that address numerous statutory requirements.

This is the eighth article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat data processing agreements (DPAs). The CPRA, VCDPA and CPA require, in certain situations, businesses/controllers to enter into contracts with entities to whom they transfer personal information. The CPRA establishes three categories of recipients – service providers, contractors, and third parties – and sets forth a baseline set of requirements that must be contractually addressed when businesses sell or share personal information to a third party or disclose it to a service provider or contractor for a business purpose. The CPRA requires additional contractual provisions when the transfers are made to service providers or contractors.

In comparison, the VCDPA and CPA require contracts when a controller transfers personal data to processors. The VCDPA and CPA generally align their requirements although there are differences as discussed below. There also are many differences as compared to the CPRA’s requirements.

Keypoint: The CPRA requires that businesses use certain types of sensitive personal information only for limited purposes, otherwise they must notify consumers of the additional purposes and provide consumers the opportunity to opt-out of such processing, while the VCDPA and CPA require controllers to obtain consumer consent and conduct data processing assessments prior to processing sensitive data. 

This is the fourth article in our ten-part weekly series comparing key provision of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat sensitive personal information. The CPRA has a broad definition of sensitive personal information although, to be subject to the law’s limitations, a business must collect or process that information for the “purpose of inferring characteristics about a consumer.” If so, the CPRA grants consumers the right to limit a business’s processing of such data to certain purposes specified in the law. Conversely, the VCDPA and CPA define sensitive data differently than the CPRA and require controllers to obtain consumer consent and conduct a data processing assessment prior to processing such information.

Below is an analysis of this topic.

Keypoint: The CPRA, CPA, and VCDPA vary in both their definitions of biometric information/data and their compliance obligations.

This is the second article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between these bills. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws will treat biometric information (or biometric data as the term is used in Colorado and Virginia). The California Consumer Privacy Act (CCPA) already addresses biometric information but only as an element of personal information. The CPRA will include certain types of biometric information as “sensitive personal information” and provide consumers the right to limit businesses’ use of that information. Virginia and Colorado will require controllers to obtain consumer consent for the processing of biometric data for the purpose of uniquely identifying a natural person. However, Virginia’s definition of biometric data is much narrower than California’s definition. Meanwhile, Colorado’s law does not define the term at all.

Below is an analysis of this issue.