Map of the United States - State Privacy Laws

State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow

Image Credit: Free-Photos from Pixabay.

Hard on the heels of the California Consumer Privacy Act of 2018 (CCPA) and updated state privacy laws in Nevada and Maine which took effect in 2019, state data privacy legislation is still on the rise.

In November of 2020, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), further amending the CCPA. The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.

Most recently, the Virginia Governor signed the Consumer Data Protection Act into law, thereby making Virginia yet another U.S. state with a comprehensive state privacy law. 

As momentum builds for state privacy laws, 2021 could be the year that privacy laws gain footing across the country, helping Americans exercise control over their digital lives.

Washington’s Privacy Act 2021, SB 5062
**Update: The WPA did not pass the House by the April 11 deadline. On April 12, however, Senator Carlyle tweeted that the “bill remains alive through the end of the session.” The legislature will close on April 25.

*** Update 4/26: The WPA did not pass for the third year in a row, due to the late introduction of a limited private right of action (for injunctive relief). Jump to the bottom of the page for links to other pending state legislation.

The most notable – due to its furthest progression in state legislation – is the current draft of the Washington Privacy Act 2021 (“WPA”). This draft bill is the third version of the act introduced by Washington state Sen. Reuven Carlyle (D-Seattle) in as many years.

Scope

The WPA would apply to legal entities that:

Continue Reading State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow
Image of virginia state and shield. Virginia has a new data privacy law.

Virginia Governor Signs Comprehensive Data Privacy Law

Image Credit: Kjrstie from Pixabay.

Following hot on the footsteps of the California Privacy Rights Act, Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. Below, please see our comparison of the the California Consumer Privacy Act and the Virginia Consumer Data Protection Act.

California Consumer Privacy Act
(CCPA)
California Privacy Rights Act
(CPRA)
Virginia Consumer Data Protection Act
(VCDPA)
Date of effectJanuary 1, 2020January 1, 2023January 1, 2023
Law applies toA “business” that meets at least one threshold below:
• Generates over $25M in annual gross revenue;
• Handles the records of at least 50,000 California consumers; or
• Generates over 50% in annual revenue from sales of consumer data
Same as CCPA, except the threshold for handling records of California consumers increases from 50,000 to 100,000.Applies to businesses that
• Handles the records of at least 100,000 Virginia consumers; or
• Handles the records of at least 25,000 Virginia consumers and derives over 50% in gross revenue from sales of consumer data

Definition of personal data
Any information that could be associated or linked with a particular consumer or household.Same as CCPA, except that there is a reasonableness element:
Any information that could be reasonably associated or linked with a particular consumer or household.
Limited to particular consumers.
“Any information that is linked or reasonably linkable to an identified or identifiable natural person”
Definition of sensitive personal dataDoes not define sensitive personal data.Defines sensitive personal data to include:
• Social security number
• Driver’s license
number
• Account log-in, debit,
or credit card number in combination with password or PIN
• Precise geolocation
• Racial/ethnic origins
• Religious or
philosophical beliefs
• Union membership
• Contents of e-mails or
texts to others
• Genetic/biometric
data
• Health information
• Sex life/sexual
orientation data
Defines sensitive personal data to include:
• Racial/ethnic origins
• Religious beliefs
• Mental or physical
health diagnosis
• Sexual orientation
• Citizenship/
immigration status
• Genetic/biometric
data
• Children’s data
• Precise geolocation
Consumer rights• Access
• Deletion
• Non-Discrimination
• Opt-out of:
o Sale of personal data
Same as CCPA, with the addition of rights to:
• Correct personal information
• Limit the use of
sensitive personal information
• Access
• Correction
• Deletion
• Port
• Opt-out of:
o Targeted advertising
o Sale of personal data
o Profiling in furtherance of decisions that produce legal effects
Data Privacy Impact AssessmentsNo requirement to conduct or document.No requirement to conduct or document.Controllers must conduct and document data protection assessments for the following activities:
• Targeted advertising
• Sale of personal data
• Profiling
• Sensitive data
• Catch-all: any data that presents a “heightened risk of harm to consumers.”
Data Protection AuthorityCalifornia Office of the Attorney General$10 million allocated per year to the California Privacy Protection Agency (CPPA).
Primary enforcement and rulemaking abilities shift from the California Attorney General to the CPPA.
Virginia Office of the Attorney General
Cure Provision30 days to cure upon written notice of a violation by the California Attorney General’s office.Ability to cure removed from CPRA.30 days to cure upon written notice of a violation by Virginia Attorney General’s office.
EnforcementAdministrative fines ranging from $2,500 per violation to $7,500 for intentional violations.Administrative fines of $7,500 now includes intentional violations and children’s data violations.Administrative fines of $7,500 per violation.
Private Right of ActionConsumers have a private right of action for the unauthorized disclosure of nonencrypted and nonredacted personal information.Same as CCPA.Consumers do NOT have a private right of action.
Offset angled photo of Proposition 24 from the 2020 California Voter's Guide

What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)

Hot on the heels of the California Consumer Privacy Act (CCPA), California residents this November will vote on Proposition 24. A majority yes vote on Prop 24 would pass the California Privacy Rights Act (CPRA). The CPRA proposes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency, the California Privacy Protection Agency (CPPA).

1. Right to Restrict Use of Sensitive Data

Under the newly added Section 1798.121, consumers now have the right to direct businesses to limit the use of “sensitive personal information.”

As defined in CPRA, sensitive personal information appears to combine the conventional definition of “personally identifiable information” from state breach notification laws with the definition of “special category data” under the GDPR. Accordingly, sensitive personal information is data that may include a Social Security Number, driver’s license number, account log-in/debit/credit card information in combination with password or PIN. It may also include a consumer’s precise geolocation, the contents of their e-mails or texts to others, and racial, religious, biometric, or health data.

If directed to do so, businesses must limit the use of sensitive personal information to only those purposes that are necessary to provide a consumer’s requested services or goods.

To facilitate consumer exercise of this right, businesses may be required to add another link, “Limit the Use of my Sensitive Personal Information,” to their websites, in addition to any existing “Do Not Sell My Personal Information” link.

2. Right to Opt-Out of Cross-Context Behavioral Advertising

The CPRA requires a right of opt-out for “cross-context behavioral advertising” regardless of whether it constitutes a “sale” of personal information or not.

Continue Reading What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)