Stacey Weber

Stacey Weber is a law clerk in Husch Blackwell's privacy and cybersecurity practice group.

State Privacy Guide_widget_300x196-10

Keypoint: The CPRA is relatively prescriptive in how organizations must receive and respond to consumer requests, while the CPA and VCDPA introduce an appeal process and other nuances that will require adjusting existing CCPA consumer response processes.

This is the tenth and final post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, this series has explored important distinctions between them. Following this series, we will continue to provide updates and insights into these and other state privacy laws, including following the CPRA and CPA rulemaking processes. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article we examine how each of the three state laws approaches consumer requests, including the types of requests consumers may submit, the methods organizations must employ to receive requests, and the timeframes in which to verify and respond to requests. The analysis below provides a high-level summary of the response frameworks under each law. It does not dive into statutory exceptions or how to substantively respond to requests.

The California Consumer Privacy Act (CCPA) and its regulations, as amended by the CPRA, is relatively prescriptive as it concerns processing consumer requests. The CPA and VCDPA, meanwhile, provide parameters but leave the processing of consumer requests largely to the discretion of the organization. Unique to the CPA and VCDPA, however, is the introduction of an appeals process that must also inform or assist the consumer in contacting the state Attorney General if dissatisfied with the result of the appeal.

Keypoint: The CPRA and CPA introduce the concept of dark patterns into state consumer data privacy laws although this area has come under increased attention recently with FTC enforcement actions and guidance, state attorneys general lawsuits, and class action litigation.

This is the seventh post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treats dark patterns. The CPRA and CPA both prohibit use of dark patterns to obtain consumer consent. The basic distinction between the CPRA and CPA is when they require consumer consent. The CPRA generally allows businesses to obtain consumer consent to circumvent certain consumer rights that have already been exercised. In comparison, the CPA requires consumer consent for the processing of sensitive data. The legal landscape will also likely continue to change and develop, as both laws may see additional rulemaking on this issue.

In contrast, the VCDPA does not directly address dark patterns although, in theory, the state Attorney General could still regulate dark patterns through the law’s definition of consent.

Finally, while the concept of dark patterns is new for the CPRA and CPA, it must be understood in the context of Federal Trade Commission (FTC) enforcement and guidance, state attorneys general lawsuits, and class action litigation.

In the below article, we first consider what constitutes a dark pattern and ongoing multi-layered enforcement regarding them. We then analyze the role of dark patterns in each of the three state privacy laws.

State Privacy Guide_widget_300x196-06

Keypoint: The requirements for recognizing opt-out preference signals for certain types of processing vary widely depending on which state laws apply.

This is the sixth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treat opt-out preference signals. The California Consumer Privacy Act (CCPA), through its regulations, requires businesses to recognize such signals. However, the CPRA makes this an optional requirement. In contrast, Colorado will require controllers to recognize these signals as of July 1, 2024, whereas Virginia sits on the other end of the spectrum and does not require controllers to recognize them.

In the below article, we first discuss how California currently addresses this issue under the CCPA and how the CPRA will change those requirements. We then discuss Colorado’s approach.

State Privacy Guide_widget_300x196-05

Keypoint: Organizations subject to these laws will need to determine whether they are engaging in “sales,” which can be a complex and multifaceted analysis given the statutes’ varying definitions and exemptions.

This is the fifth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treat “sales” of personal information/data. The CPRA, CPA, and VCDPA all give consumers the right to opt-out of the sale of their personal information/data by businesses/controllers. Whether organizations need to provide this right is obviously dependent on whether they are selling personal data. That analysis, however, is complicated by the fact that the laws define “sale” differently and contain different exemptions. Reconciling the definitions and exemptions will be an important step for any organization complying with these laws.

In the below article, we analyze these issues by first comparing the definitions of sale under the three laws and then analyzing the various exemptions.

Keypoint: The CPRA, CPA, and VCDPA’s definitions of “publicly available information” are broader than the CCPA’s definition, thereby expanding the types of personal information companies may process outside the confines of those laws.

In celebration of Data Privacy Day, we are launching this ten-part weekly series where we will compare key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we will explore important nuances and differences on topics such as treatment of biometric and sensitive information, targeted advertising, consumer rights, and data processing agreements. If you are not already subscribed to our blog, consider doing so to stay updated.

Our first topic in this ten-part series is the treatment of publicly available information. Although the California Consumer Privacy Act (CCPA) contains an exclusion for “publicly available information” from its definition of personal information, the exclusion is limited to information made available by federal, state, or local government records. The CPRA, CPA, and VCDPA expand this exception to include information a company has a reasonable basis to believe a consumer lawfully made available to the general public.

Below is a comparison of “publicly available information” as defined in each of the three laws.