Keypoint: This week the Connecticut legislature passed a consumer data privacy bill.

Below is our sixteenth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

State of Connecticut Waving Flag in 3D

Keypoint: Subject to the Governor’s approval, Connecticut will become the fifth state to pass a broad consumer privacy act with a bill that is comparable to the Colorado Privacy Act.

On April 28, 2022, the Connecticut legislature passed what we are calling the Connecticut Data Privacy Act (CTDPA) (SB 6). Subject to the Governor’s approval, Connecticut will join California, Virginia, Colorado, and Utah as states having passed broad consumer privacy bills.

Husch Blackwell’s data privacy team will present a webinar on the CTDPA on May 5, 2022, at 1:00 p.m. eastern / 10:00 a.m. pacific. The webinar will provide a deep dive analysis into the CTDPA and how it compares with the laws in California, Colorado, Utah, and Virginia. To register click here.

Below are high level takeaways about the CTDPA along with context of how the CTDPA compares with other state laws.

Keypoint: This week the Connecticut Senate passed a consumer data privacy bill.

Below is our fifteenth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Keypoint: This week a new bill was introduced in Michigan; the Connecticut bill passed a second committee; Maryland and Kentucky legislatures adjourned without passing bills; Virginia Governor Youngkin signed three VCDPA amendment bills into law; Maine’s House passed a biometric privacy bill; and Delaware lawmakers advanced a data broker bill.

Below is our fourteenth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Keypoint: The VCDPA is now finalized in advance of its January 1, 2023 effective date.

On April 11, 2022, Virginia Governor Glenn Youngkin signed three Virginia Consumer Data Protection Act (VCDPA) amendment bills into law. The three bills will go into effect July 1, 2022. With the signing of the bills, the VCDPA’s text is now finalized in advance of its January 1, 2023 effective date.

As discussed more fully below, the bills (1) add a new exemption to the VCDPA’s right to delete, (2) repeal the Consumer Privacy Fund provision and, instead, direct penalties, expenses and attorney fees recovered enforcing the VCDPA to a different fund; and (3) modify the VCDPA’s definition of nonprofit.

Keypoint: This week a new bill was introduced in Louisiana; the Maryland work group bill received an unfavorable committee report; the Connecticut bill was referred to a second committee; and California’s biometric privacy bill was voted out of one committee.

Below is our thirteenth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

State Privacy Guide_widget_300x196-10

Keypoint: The CPRA is relatively prescriptive in how organizations must receive and respond to consumer requests, while the CPA and VCDPA introduce an appeal process and other nuances that will require adjusting existing CCPA consumer response processes.

This is the tenth and final post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, this series has explored important distinctions between them. Following this series, we will continue to provide updates and insights into these and other state privacy laws, including following the CPRA and CPA rulemaking processes. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article we examine how each of the three state laws approaches consumer requests, including the types of requests consumers may submit, the methods organizations must employ to receive requests, and the timeframes in which to verify and respond to requests. The analysis below provides a high-level summary of the response frameworks under each law. It does not dive into statutory exceptions or how to substantively respond to requests.

The California Consumer Privacy Act (CCPA) and its regulations, as amended by the CPRA, is relatively prescriptive as it concerns processing consumer requests. The CPA and VCDPA, meanwhile, provide parameters but leave the processing of consumer requests largely to the discretion of the organization. Unique to the CPA and VCDPA, however, is the introduction of an appeals process that must also inform or assist the consumer in contacting the state Attorney General if dissatisfied with the result of the appeal.

Keypoint: This week there were hearings on bills in Maryland, Rhode Island and Vermont, and the Oklahoma bill was assigned to the same committee where a similar bill died last year.

Below is our twelfth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

State Privacy Guide_widget_300x196-09

Keypoint: Organizations that collect personal data from children under 16 will need to ensure compliance with additional requirements once the laws go into effect.

This is the ninth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat children’s personal data. The CPRA divides children into two groups, children under 13 and children the ages of 13-15. While both groups require consent to sell or share information, the latter may do so without a parent or guardian. In comparison, the VCDPA and CPA handle children’s data similar to each other by both defining a child as under 13 years old and including personal data of a child under the definition of sensitive data (for which consent is required to process). The VCDPA and CPA do not address the treatment of data for children ages 13-15.

In addition to these three state laws, California recently introduced a bill that would further regulate children’s personal data by creating additional obligations for companies collecting data of consumers under the age of 18. Momentum is also gathering for federal legislation that further regulates children’s online personal data, with several bills aiming to update the Children’s Online Privacy Protection Act (COPPA). In March, President Joe Biden addressed the importance of protecting children’s data in his State of the Union address. We provide an overview of these new bills in this article as well.