Virginia

State Privacy Guide_widget_300x196-03

Keypoint: The CPRA, CPA and VCDPA require data protection assessments for certain processing activities; however, when and how entities must conduct and prepare assessments varies.

This is the third article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws approach data protection assessments. At first glance, Virginia and Colorado’s provisions appear similar; however, definitional differences of key terms result in potentially significant variances. Further, the Colorado Attorney General’s office has identified this as a potential topic for rulemaking, which could lead to more differences given that the VCDPA does not authorize such rulemaking. California does not have this concept under the current California Consumer Privacy Act (CCPA) and takes a different approach than Virginia and Colorado in the CPRA. The CPRA charges the California Privacy Protection Agency (CPPA) with issuing regulations on when and how businesses must prepare cybersecurity audits and risk assessments. The CPPA is still drafting those regulations.

Below is a further analysis of this topic.

State Privacy Guide_widget_300x196-02

Keypoint: The CPRA, CPA, and VCDPA vary in both their definitions of biometric information/data and their compliance obligations.

This is the second article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between these bills. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws will treat biometric information (or biometric data as the term is used in Colorado and Virginia). The California Consumer Privacy Act (CCPA) already addresses biometric information but only as an element of personal information. The CPRA will include certain types of biometric information as “sensitive personal information” and provide consumers the right to limit businesses’ use of that information. Virginia and Colorado will require controllers to obtain consumer consent for the processing of biometric data for the purpose of uniquely identifying a natural person. However, Virginia’s definition of biometric data is much narrower than California’s definition. Meanwhile, Colorado’s law does not define the term at all.

Below is an analysis of this issue.

2022-Data-Privacy-State-Privacy-Update

Keypoint: This week lawmakers introduced new bills in Georgia, Hawaii and Oklahoma, the Indiana Senate passed a bill out of committee, and hearings were held on bills in Alaska, Maryland, and Washington.

Below is our third weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we will be regularly updating our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Keypoint: The CPRA, CPA, and VCDPA’s definitions of “publicly available information” are broader than the CCPA’s definition, thereby expanding the types of personal information companies may process outside the confines of those laws.

In celebration of Data Privacy Day, we are launching this ten-part weekly series where we will compare key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we will explore important nuances and differences on topics such as treatment of biometric and sensitive information, targeted advertising, consumer rights, and data processing agreements. If you are not already subscribed to our blog, consider doing so to stay updated.

Our first topic in this ten-part series is the treatment of publicly available information. Although the California Consumer Privacy Act (CCPA) contains an exclusion for “publicly available information” from its definition of personal information, the exclusion is limited to information made available by federal, state, or local government records. The CPRA, CPA, and VCDPA expand this exception to include information a company has a reasonable basis to believe a consumer lawfully made available to the general public.

Below is a comparison of “publicly available information” as defined in each of the three laws.

Keypoint: Virginia lawmakers will consider multiple amendments to the Virginia Consumer Data Protection Act in advance of its January 1, 2023 effective date.

As the legislature opened on January 12, Virginia lawmakers proposed seven bills to amend the Virginia Consumer Data Protection Act (VCDPA). The bills come after the VCDPA Work Group held six meetings from June to August 2021 and issued a Final Report on November 1, 2021 (see our summary of the report here).

The bills seek to amend the VCDPA’s right to delete, nonprofit definition, and enforcement provisions. The Work Group’s Final Report identified many other topics for potential amendments. It remains to be seen whether other amendments will be offered as the legislative session advances. The Virginia legislature is scheduled to close on March 12, 2022 unless the session is extended.

Below is a summary of the bills.

Keypoint: The VCDPA Work Group’s final report contains 17 “points of emphasis” derived from six Work Group meetings; however, the Work Group’s recommendations for modifying the VCDPA will not be presented until the legislature opens in January 2022.

On November 1, 2021, the Virginia Consumer Data Protection Work Group issued its 2021 Final Report. By way of background, § 59.1-581.2 of the Virginia Consumer Data Protection Act (VCDPA) required the Chairman of the Joint Commission on Technology and Science to create a work group to “review the provisions of [the VCDPA] and issues related to its implementation.” The Chairman was required to “submit the work group’s findings, best practices, and recommendations regarding the implementation of [the VCDPA] to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.”

The Work Group met six times from June to August 2021. A summary of those meetings is contained in the Final Report and copies of materials relating to those meetings are available on the Joint Commission’s webpage.

Ultimately, the Work Group identified 17 “points of emphasis” from its six meetings but stated that the Work Group’s “recommendations based on these points of emphasis” would be presented by Delegate Hayes and Senator Marsden (the VCDPA’s sponsors) during the upcoming legislative session.

Below is a summary of the points of emphasis along with some analysis. For ease of reference, we have grouped the points of emphasis into seven categories.

Keypoint: This week an amended version of the Colorado Privacy Act unanimously passed out of committee, Alaska’s House held another hearing on its bill (and scheduled another hearing for May 12), Connecticut’s bill was tabled for the Senate calendar, and Nevada’s Assembly Committee on Commerce and Labor scheduled a May 10 hearing on its bill.

Below is our eleventh weekly update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we wanted to provide two reminders.

First, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Keypoint: There were four notable developments this week: the Florida House passed a bill out of committee, lawmakers proposed a new bill in Texas, the Washington Privacy Act was  scheduled for a public hearing and committee session on March 17 and 19, respectively, and the Illinois Right to Know Act was scheduled for a March 19 hearing in the Cybersecurity, Data Analytics & IT Committee.

For the third week in a row, we are providing an update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we wanted to provide three reminders.

First, we hosted a webinar on Virginia’s Consumer Data Protection Act on March 11. You can access the recording here.

Second, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.

Third, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Keypoint: It was a busy week for privacy law. Since the update we provided last week Virginia’s bill was signed into law, bills in Washington and Oklahoma advanced, and Utah’s bill failed to pass before its legislative session closed.

Last week, we provided an update on the status of proposed CCPA-like privacy legislation. In that article, we noted that the contents were “time-sensitive and subject to change.” Typical to privacy law, in just a week, the landscape of these proposed laws changed dramatically. Given these changes, we decided to publish another update and, like last week, waited until a weekend when state legislatures are quiet.

Before we get to our update, we wanted to provide three reminders.

First, we will be hosting a webinar on Virginia’s Consumer Data Protection Act on March 11. You can register for the webinar here. If you are unable to attend the webinar live, you can still register, and we will email a copy of the presentation and a link to the webinar recording to you.

Second, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.

Third, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Keypoint: Virginia joins California as the second state to enact state consumer data privacy legislation.

As first confirmed by Amy Miller at MLex, on March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA). The CDPA will go into effect on January 1, 2023. With the enactment of the CDPA,