Keypoint: Connecticut moves one step closer to enacting consumer data privacy legislation with a bill generally modeled on the Colorado Privacy Act.

On April 20, 2022, the Connecticut Senate voted unanimously (35-0 with 1 abstention) to pass Senator Maroney’s SB6. The bill is generally modeled on the Colorado Privacy Act (CPA) with some differences such as providing for greater children’s data privacy rights than found in the CPA.

The bill now moves to the House floor. It will not go through a committee process in the House because Connecticut uses joint committees. The Connecticut legislature adjourns May 4, 2022.

Keypoint: This week a new bill was introduced in Michigan; the Connecticut bill passed a second committee; Maryland and Kentucky legislatures adjourned without passing bills; Virginia Governor Youngkin signed three VCDPA amendment bills into law; Maine’s House passed a biometric privacy bill; and Delaware lawmakers advanced a data broker bill.

Below is our fourteenth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Continue Reading Proposed State Privacy Law Update: April 18, 2022

Keypoint: The VCDPA is now finalized in advance of its January 1, 2023 effective date.

On April 11, 2022, Virginia Governor Glenn Youngkin signed three Virginia Consumer Data Protection Act (VCDPA) amendment bills into law. The three bills will go into effect July 1, 2022. With the signing of the bills, the VCDPA’s text is now finalized in advance of its January 1, 2023 effective date.

As discussed more fully below, the bills (1) add a new exemption to the VCDPA’s right to delete, (2) repeal the Consumer Privacy Fund provision and, instead, direct penalties, expenses and attorney fees recovered enforcing the VCDPA to a different fund; and (3) modify the VCDPA’s definition of nonprofit.

Continue Reading Virginia Governor Signs VCDPA Amendment Bills into Law

Keypoint: This week a new bill was introduced in Louisiana; the Maryland work group bill received an unfavorable committee report; the Connecticut bill was referred to a second committee; and California’s biometric privacy bill was voted out of one committee.

Below is our thirteenth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Continue Reading Proposed State Privacy Law Update: April 11, 2022

Keypoint: The CPRA is relatively prescriptive in how organizations must receive and respond to consumer requests, while the CPA and VCDPA introduce an appeal process and other nuances that will require adjusting existing CCPA consumer response processes.

This is the tenth and final post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, this series has explored important distinctions between them. Following this series, we will continue to provide updates and insights into these and other state privacy laws, including following the CPRA and CPA rulemaking processes. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article we examine how each of the three state laws approaches consumer requests, including the types of requests consumers may submit, the methods organizations must employ to receive requests, and the timeframes in which to verify and respond to requests. The analysis below provides a high-level summary of the response frameworks under each law. It does not dive into statutory exceptions or how to substantively respond to requests.

The California Consumer Privacy Act (CCPA) and its regulations, as amended by the CPRA, is relatively prescriptive as it concerns processing consumer requests. The CPA and VCDPA, meanwhile, provide parameters but leave the processing of consumer requests largely to the discretion of the organization. Unique to the CPA and VCDPA, however, is the introduction of an appeals process that must also inform or assist the consumer in contacting the state Attorney General if dissatisfied with the result of the appeal.

Continue Reading How do the CPRA, VCDPA & CPA treat consumer requests?

Keypoint: This week there were hearings on bills in Maryland, Rhode Island and Vermont, and the Oklahoma bill was assigned to the same committee where a similar bill died last year.

Below is our twelfth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Continue Reading Proposed State Privacy Law Update: April 4, 2022

Keypoint: Organizations that collect personal data from children under 16 will need to ensure compliance with additional requirements once the laws go into effect.

This is the ninth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat children’s personal data. The CPRA divides children into two groups, children under 13 and children the ages of 13-15. While both groups require consent to sell or share information, the latter may do so without a parent or guardian. In comparison, the VCDPA and CPA handle children’s data similar to each other by both defining a child as under 13 years old and including personal data of a child under the definition of sensitive data (for which consent is required to process). The VCDPA and CPA do not address the treatment of data for children ages 13-15.

In addition to these three state laws, California recently introduced a bill that would further regulate children’s personal data by creating additional obligations for companies collecting data of consumers under the age of 18. Momentum is also gathering for federal legislation that further regulates children’s online personal data, with several bills aiming to update the Children’s Online Privacy Protection Act (COPPA). In March, President Joe Biden addressed the importance of protecting children’s data in his State of the Union address. We provide an overview of these new bills in this article as well.

Continue Reading How do the CPRA, VCDPA & CPA treat children’s data?

Keypoint: This week the Utah Governor signed the Utah Consumer Privacy Act, the Oklahoma House passed a bill, and a committee hearing was held in Rhode Island.

Below is our eleventh weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Continue Reading Proposed State Privacy Law Update: March 28, 2022

Keypoint: As it did last year, the Oklahoma House passed a consumer data privacy bill.

On March 23, 2022, the Oklahoma House voted 74-15 (with 11 excused) to pass Representative Collin Walke’s HB2969 – the Oklahoma Computer Data Privacy Act. The bill now moves to the Senate. Last year, the Oklahoma House also passed a version of this bill, only to see it stall in the Senate Judiciary Committee. The bill is generally based on the California Consumer Privacy Act (CCPA) although it contains notable differences.

Below is a brief summary.

Continue Reading Oklahoma House Passes Consumer Data Privacy Bill

Keypoint: Starting in 2023, organizations that are subject to one or more of the laws will need to enter into contracts with recipients of personal information/data that address numerous statutory requirements.

This is the eighth article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat data processing agreements (DPAs). The CPRA, VCDPA and CPA require, in certain situations, businesses/controllers to enter into contracts with entities to whom they transfer personal information. The CPRA establishes three categories of recipients – service providers, contractors, and third parties – and sets forth a baseline set of requirements that must be contractually addressed when businesses sell or share personal information to a third party or disclose it to a service provider or contractor for a business purpose. The CPRA requires additional contractual provisions when the transfers are made to service providers or contractors.

In comparison, the VCDPA and CPA require contracts when a controller transfers personal data to processors. The VCDPA and CPA generally align their requirements although there are differences as discussed below. There also are many differences as compared to the CPRA’s requirements.

Continue Reading How do the CPRA, CPA & VCDPA treat data processing agreements?