U.S. Privacy Law: Past, Present and Future

Privacy law is a hot topic for legislatures in the United States at both the state and federal levels. With the advent of influential laws from international governments, including the European Union, the lack of significant privacy regulation in the U.S. has become glaringly apparent. In this article, we discuss the history of privacy regulation and look at new state statutes. We conclude by providing a brief overview of what may be next for privacy law in the U.S.

The U.S. Privacy Regime

While the United States Constitution does not explicitly mention any privacy protections, privacy rights have been derived from the First, Fourth and Fourteenth Amendments. In Whalen v. Roe, the Supreme Court interpreted the constitutionally protected “zone of privacy” to extend to the “‘individual interest in avoiding disclosure of personal matters.’”[1] In other words, the Constitution guarantees an individual’s right to privacy regarding personal information.

The U.S. approach to personal data protection is a “sectoral model,” where information privacy protection is achieved through various laws typically aimed at a specific industry.[2] In contrast, the European Union utilizes a “comprehensive model,” which defines data privacy and security requirements for organizations across the board through the General Data Protection Regulation (GDPR).[3] There is no federal privacy law in the U.S. that is comparable to the GDPR. However, as discussed below, much of the legislation enacted or proposed in U.S. states is modeled on the GDPR and its comprehensive regulatory model. 

The most well-known example of U.S. federal privacy regulation is the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[4] The HIPAA Privacy and Security Rules[5] set standards for covered entities to guard protected health information (PHI).[6] The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA by requiring business associates of covered entities to comply with the HIPAA Rules and by establishing harsher penalties for failure to comply with HIPAA.[7]

HIPAA compliance is achieved by penalizing violators. As of March 31, 2021, almost 260,000 complaints had been lodged, with 99% of those cases resolved.[8] Frequent complaints include impermissible uses and disclosures of PHI, lack of safeguards of PHI, lack of administrative safeguards of electronic PHI and use or disclosure of more than the minimum necessary PHI.[9]

Enacted State Legislation: California and Virginia Privacy Laws

California and Virginia became the first states to enact comprehensive consumer privacy laws in the United States.[10] The California Consumer Privacy Act of 2018 (CCPA) borrowed significantly from the GDPR.[11]  Amended several times since its initial passing in 2018, California voters altered and expanded the CCPA in 2020 by passing the California Privacy Rights Act (CPRA).[12]  Following California’s lead, Virginia adopted the Consumer Data Protection Act (VCDPA) on March 2, 2021.  Like the CPRA, the VCDPA does not take effect until Jan. 1, 2023.[13]

CCPA/CPRA

The CCPA and CPRA protect the privacy rights of California consumers. The CPRA expands the scope and applicability of the CCPA and introduces new privacy protections.[14]  The CPRA also establishes a new enforcement body, the California Privacy Protection Agency [hereinafter Agency], which is tasked with additional rulemaking on several issues.[15]  

Scope and Applicability

Under the CCPA/CPRA, consumers are natural persons who are California residents, however identified, including by any unique identifier.[16] This broad definition extends the CPRA’s protections to all California residents, regardless of context, and includes employees once the CPRA takes effect in 2023.[17]  The CPRA and CCPA both define “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with or may reasonably be linked, directly or indirectly, with a particular consumer or household.[18] The CPRA also expands the CCPA’s definition by classifying certain data as “sensitive personal information.”[19], [20] 

The CCPA/CPRA’s obligations apply to “businesses” that meet the law’s threshold requirements and collect consumers’ personal information or that, alone or jointly with others, determine the purpose and means of processing consumers’ personal information.[21]  Moreover, some obligations apply directly to service providers and contractors.[22]  The CPRA slightly alters the scope of covered businesses under the CCPA.  For-profit entities that do business in California meet the CPRA’s threshold requirements when they satisfy one of the following:  (1) they annually buy, sell or share personal information of least 100,000 consumers or households, alone or in combination;[23] (2) they derive 50% or more of their annual revenues from selling or sharing consumers’ personal information;[24] or (3) they had an annual gross revenue exceeding $25 million in the preceding calendar year starting Jan. 1, as adjusted periodically for inflation.[25] 

The introduction of the word “sharing,” defined as disclosing personal information to third parties for cross-contextual behavioral advertising purposes,[26] expands the CCPA’s more limited threshold requirement.  Finally, the CPRA also expands the definition of covered businesses to cover joint ventures or partnerships composed of other covered businesses that each have at least a 40% interest in the entity.[27]         

Consumer Rights

California consumers enjoy several rights regarding their personal information.  While both the CCPA and CPRA give consumers rights to control the collection, use and disclosure of their personal information, the CPRA also expands their access rights and modifies the right to delete.  Additionally, the CPRA creates new consumer rights to correct inaccurate personal information, opt out of personal information shared for cross-contextual behavioral advertising purposes and restricts sensitive personal information use and disclosure.    

Both the CPRA and CCPA establish an information right that requires businesses to make several disclosures.  First, covered businesses must disclose the personal information and sensitive personal information categories collected and the data’s collection use purposes.[28] Second, businesses must also disclose whether they sell, share for cross-contextual advertising, or disclose for a business purpose, personal information.[29]  Third, businesses must disclose the data’s retention period and the categories of sources where it collected personal information.[30]  Fourth, businesses must provide a description of the consumer’s rights.[31]  Finally, businesses must provide consumers with individualized notices upon request but no more than twice in any 12-month period.[32]

The CCPA/CPRA also establish access and data portability rights and require businesses not to discriminate against consumers exercising their statutory rights.  The CPRA modifies the CCPA’s deletion right and allows consumers to delete personal information the business collected from the consumer, subject to a few exceptions.[33]  Once a consumer makes a deletion request, the business must also notify all third parties to whom the personal information was sold or shared, unless the notification proves impossible or involves disproportionate effort.[34]   The CPRA, however, allows a business to deny a deletion request if maintaining the personal information is reasonably necessary to accomplish one of its specifications for using the information,[35]  including when retaining personal information is reasonably necessary to fulfill a product recall conducted in accordance with federal law.[36]  The CCPA allowed businesses to deny a deletion request when its internal use reasonably aligned with consumer expectations and the business relationship and when its internal uses were compatible with the context in which the consumer provided the information.[37]  The CPRA combines these two denial grounds into one, but the change is unlikely to impact a business’s ability to deny a deletion request in practice.[38]

The CPRA creates two new consumer rights: the right to correct data and the right to opt-out of selling and sharing data.  Under the CPRA, consumers may correct inaccuracies in their personal information, subject to certain exceptions.[39]  Furthermore, consumers may opt out of personal data sales, sharing personal data for cross-context behavioral advertising and processing sensitive personal information for unnecessary purposes.[40]  Unlike selling personal information under the CCPA, sharing personal information under the CPRA does not require any type of monetary or other valuable consideration in exchange for the personal information.[41]  The CPRA also authorizes the creation of regulations for opt out and access rights where automated decision-making technology is used.[42]

Businesses’ Obligations to Consumers

The CCPA/CPRA impose various data protection obligations on covered businesses, including the duty to generally limit the collection, use, retention and sharing of consumer information to what is reasonably necessary and proportionate to achieve the disclosed purpose for the data.[43]  Businesses must also execute written processing agreements with third parties, service providers or contractors with specific data protection terms.[44]  Further, covered businesses must protect personal information by implementing reasonable security measures and providing clear notice about personal information collection, use, sale and sharing.[45]    

Penalties and Private Right of Action

The CCPA/CPRA give consumers a private right of action for certain data breaches, under which consumers may recover damages.[46]  Administrative fines or civil penalties of $2,500 may be imposed for each unintentional violation (and $7,500 for intentional violations or those involving minors).[47]  While the CCPA and CPRA do not currently provide covered businesses a cure period following a violation, the Agency has authority to allow for one in the future.

Exemptions

Healthcare-related companies do not enjoy a blanket exemption from the CCPA or CPRA—a fact that is often misunderstood.[48]  The CCPA/CPRA exempt no healthcare companies at the entity level and instead exempt specific health-related data.[49]  Under the CCPA, information collected by a covered entity or business associate and regulated as PHI by HIPAA or California’s Confidentiality of Medical Information Act (CMIA) is exempt from the CCPA.[50]  Information that a business associate “maintains in the same manner” as PHI is also exempt.[51]

Before the CCPA was amended in 2020, the definition of “deidentified information” under the CCPA and HIPAA did not align.  Now, HIPAA deidentified information is expressly excluded under the law if deidentification is performed in accordance with HIPAA and the information is derived from patient information originally collected, created, transmitted or maintained by an entity subject to HIPAA, the CMIA or the Federal Policy for the Protection of Human Subjects (the Common Rule).[52]  This change fixed a theoretical gap between the CCPA and HIPAA’s de-identification standards. 

Further, information that is re-identified is no longer exempt from the CCPA subject to certain exceptions.[53] One exception applies to re-identified information used for treatment, payment or healthcare operations conducted by a covered entity or business associate acting on behalf of, and at the written direction of, the covered entity.[54] The CCPA also exempts re-identification of information for public health activities or purposes aimed at ensuring public health and safety and for research conducted in accordance with the Common Rule.[55] 

The CCPA excludes information that is collected, used or disclosed in research, as defined under HIPAA.[56]  This includes, but is not limited to, “a clinical trial conducted in accordance with applicable ethics, confidentiality, privacy and security rules of HIPAA, the Common Rule,[57] good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the [FDA].”[58]      

Outside of the healthcare-related exclusions, the CCPA and CPRA exempt personal information and processing activities subject to certain sectoral laws: the Fair Credit Reporting Act; the Gramm-Leach-Bliley Act; the California Financial Information Privacy Act; the Farm Credit Act; and the Driver’s Privacy Protection Act.[59]  The CCPA and CPRA also contain several other narrow carve outs.[60]

The CPRA includes two temporary exceptions from certain CCPA requirements that expire on Jan. 1, 2023.  The first temporary exception is for workforce personal information that a business collects about natural persons acting as job applicants, employees, owners, directors, officers, medical staff members or contractors for the business.[61]  But this information is only exempted when collected and used either solely within the context of that individual’s role, for that individual’s emergency contact information or to administer that individual’s benefits.[62]  The second temporary exception applies to business-to-business communications and covers personal information reflecting a written or verbal communication or transaction between the business and a natural person acting as an agent of the business.[63]  The exception also covers communications or transactions with the business that occur solely within the context of the business conducting due diligence or providing or receiving a product or service to or from that entity.[64]

Virginia’s Privacy Law

The VCDPA, like the CCPA/CPRA, grants Virginia residents rights regarding their personal information and imposes various data privacy obligations on certain entities conducting business in the state.  The VCDPA and the CCPA/CPRA have some significant differences, but businesses with existing CCPA compliance programs will be well positioned for compliance with the Virginia law. 

Scope of Protection

The VCDPA defines consumers as natural persons who are Virginia residents acting only in an individual or household context.[65]  Thus, the VCDPA only protects Virginia residents when they act in these contexts, and it specifically excludes employees or people acting solely in a commercial context.[66]  Further, the VCDPA provides similarly broad definitions of personal data[67]  and also distinguishes between personal data and sensitive personal data.[68]   

The VCDPA’s definition of a business is substantially the same as the CPRA’s.  But the VCDPA uses the terms “data controller” and “data processor”—terminology also used in the GDPR—to define businesses that control and process consumer information.[69]  The VCDPA’s jurisdictional thresholds more narrowly cover businesses that either (i) control or process personal data of at least 100,000 consumers during a calendar year or (ii) control or process data of at least 25,000 consumers and derive more than 50% gross revenue from the sale of personal data.[70]  The VCDPA, however, does not include the CCPA’s/CPRA’s broader, catch-all provision that requires compliance by any business with annual revenue of more than $25 million.[71]

Consumer Rights

Under the VCDPA, consumers are given rights to access and to know what personal information a business collects and processes about them.[72]  The VCDPA also provides correction[73] and data portability rights.[74] Businesses are required to provide a privacy notice that outlines these rights and other information. [75]

The consumer has the right to delete personal data provided by or obtained about them, subject to certain exceptions.[76]  Like the CPRA’s deletion right, there are exceptions related to critical business needs that justify data retention or First Amendment free speech rights.  But the VCDPA’s deletion right is broader as it includes all data about the consumer, not just data collected from the consumer.[77] 

The VCDPA also contains certain opt-out rights for consumers, who may prevent the sale of their personal information[78] and opt out of online behavioral advertising that involves sharing personal data about their actions over time and across different platforms.[79] It also addresses using personal data for profiling and automatic decision-making.  The VCDPA restrictions only apply to activities that produce legal or similarly significant effects for the consumer.[80]  The statute does not provide a right to opt-out of personal data used for marketing purposes.[81]

Anti-discrimination requirements exist to protect consumers exercising their data protection rights,[82] but there are exceptions to this right that allow for voluntary consumer participation in financial incentive programs. 

Businesses’ Obligations

Although there are some differences with the CCPA/CPRA, the VCDPA provides similar data controller/business obligations that reflect the data processing privacy principles of collection limitation, purpose specification, use limitation, security safeguards and transparency.[83]  Further, the duty to execute written contracts with service providers/processors also appears in the VCDPA.[84]  Additionally, the VCDPA expressly prohibits processing sensitive data without the consumer’s consent, subject to some limited statutory exceptions.[85] 

The VCDPA requires businesses/controllers and processors to conduct a data protection impact assessment for processing that may pose a heightened risk for consumer harm.  An impact assessment is required when businesses process personal data for targeted advertising; sell personal data; or process sensitive data, and the processing activities present a heightened risk of consumer harm, including for profiling activities that present a reasonably foreseeable risk of consumer harms or disparate impacts.[86] 

Penalties and No Private Right of Action

The VCDPA does not give consumers a private right of action. [87] Virginia’s Attorney General is exclusively empowered to investigate and enforce the VCDPA.[88]  Under this enforcement power, the Attorney General may seek an injunction to restrain violations and civil penalties of up to $7,500 for each violation, as well as reasonable expenses, including attorney fees.[89]  The VCDPA provides businesses with a 30-day cure period for violations.

Exemptions

The VCDPA broadly exempts covered entities or business associates governed by HIPAA, and it does not apply to personal data and related processing activities protected by other sectoral laws, including the Common Rule, the Health Care Quality Improvement Act and the Patient Safety and Quality Improvement Act.[90], [91]  As stated above, the VCDPA excludes data processed or maintained for employment purposes, including benefits administration.[92] 

Outside of healthcare, the VCDPA also provides exemptions for certain entities and for the different types of personal data that other sector-specific legislation already protects.  These entities include: Virginia governmental entities, financial institutions or data subject to the Gramm-Leach-Bliley Act, nonprofit organizations and higher education institutions.[93] The VCDPA does not apply to personal data and related processing activities protected by other laws, which include: the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act and the Farm Credit Act.[94]

Trends in U.S. Consumer Privacy Legislation

 The current patchwork of different state privacy laws will likely prove to be a compliance headache for businesses. Colorado will soon join California and Virginia as the third state with a data privacy law,[95] but they are not the only states to consider the issue.[96]  In 2021 alone, 27 comprehensive data privacy bills were introduced in 21 different states.[97]  Although most of the states’ attempts at data privacy legislation failed,[98] three states—Florida,[99] Oklahoma[100] and Washington[101]—nearly passed legislation, and it is still possible that data privacy legislation proposed in Massachusetts[102] will pass before the end of the year.  

Two data privacy bills were introduced on the federal side this year.[103] In many respects, comprehensive federal legislation is desirable because it prevents businesses from the challenges inherent in complying with different laws. The Consumer Data Privacy and Security Act of 2021 (CDPSA), introduced by Sen. Jerry Moran of Kansas would apply to “all businesses under the purview of the Federal Trade Commission as well as non-profits and common carriers,” but certain businesses would be exempt.[104] This legislation would create the same consumer rights and business obligations seen in state legislation, but there is no exemption for clinical trials.[105]  There is no private right of action as proposed.[106] 

Importantly, the Information Transparency and Personal Data Control Act, introduced by Rep. Suzan Delbene of Washington,[107] contains neither an exemption for clinical trials nor a private right of action.[108] The absence of an exemption for clinical trials makes state legislation more appealing to the pharmaceutical industry than these federal bills, even if legislating at the state level imposes more of a compliance burden.

This constantly evolving regulation landscape means companies should stay attuned to proposed U.S. privacy legislation. As is apparent from the sheer volume of legislation proposed in the first half of 2021, data privacy is incredibly popular with lawmakers and, ostensibly, their constituents. In the near term, companies will likely be tasked with learning how to comply with an increasingly complicated patchwork of regulation in the U.S.

*Valerie Diden Moore, a former attorney with Butler Snow, was a contributing author to this article.


[1] Daniel J. Solove, A Brief History of Information Privacy Law, in Proskauer on Privacy 23 (2006), https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2076&context=faculty_publications (quoting Whalen v. Roe, 433 U.S. 425 (1977)).

[2] Federal laws have been adopted to protect information collected by credit reporting agencies, financial institutions, and telecommunications carriers and internet providers. See, e.g., Fair Credit Reporting Act of 1970, 15 U.S.C. § 1681; Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §§ 16801–09; Cable Communications Policy Act of 1984, 42 U.S.C. § 551; Telecommunications Act of 1996, 47 U.S.C. § 222; Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-06. Various federal agencies have been entrusted with enforcement of these laws, including the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Federal Communications Commission. Certain medical information is prohibited from disclosure by credit reporting agencies under the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). See generally 15 U.S.C. § 1681a.

[3]  Peter Swire & DeBrae Kennedy-Mayo, U.S. Private-Sector Privacy: Law and Information for Privacy Professionals 19-21 (2d ed. 2018).

[4] Pub. L. No. 104-191.

[5] Promulgated by the U.S. Department of Health and Human Services.

[6] 45 C.F.R § 164.

[7] What is the HITECH Act? HIPAA J., https://www.hipaajournal.com/what-is-the-hitech-act/ (last visited May 25, 2021).

[8] Enforcement Highlights, U.S. Dep’t Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html (last visited June 1, 2021).

[9] Id.

[10] Colorado will be the third state to adopt a comprehensive data privacy law. See infra n. 96 for more information on Colorado’s new law, which needs only to be signed by the Governor.

[11] DataGuidance & Future of Priv. F., Comparing Privacy Laws: GDPR v. CCPA 5 (2019), https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf.

[12] Brian H. Lam, California Privacy Rights Act Passes—Dramatically Altering the CCPA, Nat’l L. Rev. (Nov. 6, 2020), https://www.natlawreview.com/article/california-privacy-rights-act-passes-dramatically-altering-ccpa.

[13] Id.

[14] Id.

[15] Id.

[16] Cal. Civ. Code § 1798.140 (i) (West 2020) (effective Jan. 1, 2023) [hereinafter CPRA]; Cal. Civ. Code § 1798.140 (c) (West 2021) (effective Jan. 1, 2020 to Dec. 31, 2022) [hereinafter CCPA].  

[17] CPRA § 1798.140 (i).   

[18] CPRA § 1798.140 (v) (listing specific categories and examples of personal information); see also CCPA § 1798.140 (o).

[19] Compare VCDPA § 59.1-571, with CPRA § 1798.140 (ae). The processing of biometric information for the purpose of uniquely identifying a consumer and information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation is sensitive personal information under the CPRA. See CPRA § 1798.140 (ae).

[20] CPRA § 1798.140 (ae).  This also includes a consumer’s driver’s license, state identification card, passport number, any credentials allowing access to an account, credit card number, religious or philosophical beliefs, or union membership.  Id.

[21] CPRA § 1798.140 (d). 

[22] CPRA § 1798.140 (j) (“’Contractor’ means a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business . . . .”); CPRA § 1798.140 (ag) (“’Service provider’ means a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose pursuant to a written contract . . . .”). 

[23] The CPRA increases the CCPA’s consumer threshold from 50,000 to 100,000. Compare CPRA § 1798.140 (d), with CCPA § 1798.140 (c).

[24] The CPRA changes the threshold to cover entities that derive 50% or more of their annual revenue from selling or sharing consumer’s personal information. Compare CPRA § 1798.140 (d), with CCPA § 1798.140 (c).

[25] The CPRA deletes the CCPA’s commercial purpose limitation, which could change the scope of covered businesses in the future. Compare CPRA § 1798.140 (d), with CCPA § 1798.140 (c).

[26] CPRA § 1798.140 (ah) (1).

[27] Compare CPRA § 1798.140 (d), with CCPA § 1798.140 (c).

[28] CPRA § 1798.100 (a).

[29] CPRA § 1798.115 (c).

[30] CPRA § 1798.100 (a).

[31] Id.

[32] CPRA §§ 1798.110(b), 1798.115(a).

[33] CPRA § 1798.105; CCPA § 1798.105.

[34] CPRA § 1798.105.

[35] CPRA § 1798.105.

[36] Id.

[37] CCPA § 1798.105 (d)(7), (9).

[38] CPRA § 1798.105 (d)(7).

[39] CPRA § 1798.106.

[40] CPRA §§ 1798.120, 1798.121.  The CPRA also includes certain narrowly tailored exceptions for consumer’s rights to opt-out of a business’s continued use or sale of their sensitive personal information including: (1) when the data is used to provide goods or performing services, if the actions are reasonably necessary and reasonably expected by an average consumer; (2) when a business uses the data to perform statutorily identified business purposes related to common critical business operations, with specific restrictions; and (3) other uses authorized by CPRA regulations, when enacted.  See id.

[41] Id.

[42] CPRA § 1798.185 (a)(16).

[43] CPRA § 1798.100.

[44] Id.

[45] Id.

[46] CPRA § 1798.150(a) (1) (explaining that there is a private right of action for certain data breaches with the greater of actual damages or damages between $100 and $750 awarded per consumer per incident).

[47] CPRA § 1798.199.90.

[48] See Brandon Reilly, California Harmonizes CCPA, HIPAA But Providers Still Face Obligations, Bloomberg L. (Oct. 27, 2020), https://news.bloomberglaw.com/us-law-week/california-harmonizes-ccpa-hipaa-but-providers-still-face-obligations.

[49] Id.  These data sets can include marketing lists, web tracking data, and employee information.  Id.

[50] CCPA § 1798.145 (c).

[51] CCPA § 1798.145(c)(B).

[52] CCPA § 1798.146 (a)(4).

[53] CCPA § 1798.148.  Other exemptions include: (1) re-identification of information under a contract, where the lawful holder of the de-identified information expressly engages a person or entity to attempt to re-identify the de-identified information to conduct testing, analysis, or validation of de-identification, or related statistical techniques, if the contract bans any other use or disclosure of the re-identified information and requires the return or destruction of the information that was re-identified upon completion of the contract; or (2) if otherwise required by law.

[54] Id.

[55] Id. Specifically, public health activities or purposes described in 45 C.F.R. § 164.512 are exempt from the CCPA.  Research, as defined in 45 C.F.R. § 164.501, conducted in accordance with the Common Rule is also exempt. 

[56] See 45 C.F.R. § 164.501 (“Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”).

[57] CCPA § 1798.146 (a)(5). The Common Rule is the baseline standard of ethics by which any government-funded research in the United States is held. Even though the FDA is not a considered a Common Rule agency, it is required to harmonize with the Common Rule whenever permitted by law.

[58]Id.

[59] CPRA §§ 1798.145(d)-(f).

[60] These include: vehicle and ownership information, commercial credit reporting agency activities, household data, and education information. See CPRA §§ 1798.145 (g), (o)-(q).

[61] CCPA § 1798.145 (h)(1).

[62] Id.

[63] CCPA § 1798.145 (n)(1).

[64] Id.

[65] Va. Code Ann. § 59.1-571 (2021) (effective Jan. 1, 2023) [hereinafter VCDPA].

[66] VCDPA § 59.1-571.

[67] Compare VCDPA §59.1-571, with CPRA § 1798.140 (v).

[68] Compare VCDPA § 59.1-571, with CPRA § 1798.140 (ae).

[69] VCDPA §§ 59.1-571, 59.1-574, 59.1,575.

[70] VCDPA §§ 59.1-571, 59.1-572(A).

[71] CPRA § 1798.140 (d).

[72] Compare VCDPA §§ 59.1-573(A)(1), (4), with CPRA §§ 1798.110, 1798.115.

[73] Compare VCDPA §§ 59.1-573(A)(2), 59.1-578, with CPRA § 1798.106.

[74] Compare VCDPA § 59.1-573(A)(4), with CPRA §§ 1798.110 (a)(5), 1798.130 (a)(3)(B)(ii).

[75] See VCDPA §§ 59.1-574 (C)-(E). Privacy policies must cover: (1) the personal data categories processed; (2) the processing purpose; (3) how consumers may exercise their consumer rights, including how to submit requests and appeal a controller’s decision; (4) the personal data categories shared with third parties, if any; (5) the categories of third parties the controller shares personal data with, if any; (6) whether the controller sells personal data to third parties or processes personal data for targeted advertising and how the consumer may exercise the right to opt out of this processing. See id.

[76] VCDPA §§ 59.1-573(A)(1), 59.1-578.

[77] Compare VCDPA §§ 59.1-573(A)(1), 59.1-578, with CPRA § 1798.105.

[78] VCDPA § 59.1-573 (5); CPRA §§ 1798.120, 1798.121.

[79] VCDPA § 59.1-573 (5); CPRA §§ 1798.120, 1798.121.

[80] VCDPA § 59.1-573 (5).

[81] This is unlike the GDPR, which does include such a right.  See 2016 O.J. (L. 119) 679.

[82] Compare VCDPA § 59.1-574(A)(4), with CPRA § 1798.125(a)(1).

[83] VCDPA § 59.1-574; CPRA § 1798.100.

[84] VCDPA §§ 59.1-575(B), 59.1-577(A)(3).

[85] VCDPA §§ 59.1-574(A)(5), 59.1-578.  The VCDPA also requires controllers to first conduct a data protection assessment before processing sensitive consumer data. VCDPA § 59.1-576.

[86] VCDPA § 59.1-576.

[87] Id.

[88] VCDPA § 59.1-579.

[89] VCDPA § 59.1-580.

[90] VCDPA § 59.1-572 (C).

[91] Id.

[92] Id.; VCDPA § 59.1-571.

[93] Id.

[94] Id.

[95] See Alysa Zeltzer Hutnik, Aaron Burstein, & Lauren Myers, Colorado Passes Privacy Bill: How Does It Stack Up Against California and Virginia?, AD Law Access (June 9, 2021), https://www.adlawaccess.com/2021/06/articles/colorado-passes-privacy-bill-how-does-it-stack-up-against-california-and-virginia/; see also David Stauss, Colorado Legislature Passes Colorado Privacy Act, Byte Back (June 8, 2021), https://www.bytebacklaw.com/2021/06/colorado-legislature-passes-colorado-privacy-act/.

[96] See IAPP, The Growth of State Privacy Legislation, IAPP Res. Ctr. (2021) [hereinafter The Growth of State Privacy Legislation], https://iapp.org/media/pdf/resource_center/growth_of_state_privacy_chart.pdf.

[97] See id.; see also Nader Henein, Bart Willemsen, & Bernard Woo, The State of Privacy and Personal Data Protection, 2020-2022, Fig. 3 (2020), https://www.gartner.com/doc/reprints?id=1-25UDD6NU&ct=210423&st=sb. The states that have proposed data privacy legislation are: Alabama, Alaska, Arizona, Colorado, Connecticut, Florida, Illinois, Kentucky, Maryland, Massachusetts, Minnesota, Mississippi, New Jersey, New York, North Dakota, Oklahoma, Texas, Utah, Virginia, Washington, and West Virginia. See The Growth of State Privacy Legislation, supra note 97.

[98] See David Stauss, Status of Proposed CCPA-Like State Privacy Legislation as of June 7, 2021, Byte Back (June 6, 2021), https://www.bytebacklaw.com/2021/06/status-of-proposed-ccpa-like-state-privacy-legislation-as-of-june-7-2021/(”Alabama’s HB 216, Alaska’s SB 116 and HB 159, Arizona’s HB 2865, Florida’s HB 969 and SB 1734, Kentucky’s HB 408, Maryland’s SB 930, Minnesota’s HF 36 and HF 1492 / SF 1408, North Dakota’s HB 1330, Oklahoma’s HB 1602, Mississippi’s Senate Bill 2612, South Carolina’s H 3063, Texas’ HB 3741, Utah’s SB 200, Washington’s SB 5062, and West Virginia’s HB 3159 have all died.”).

[99] Florida’s proposed privacy legislation (H.B. 969) failed based on opposition to the individual right of action. See Allison Grande, Fla. Privacy Bill Can’t Cross Finish Line as Session Ends, Law360 (Apr. 20, 2021, 10:42 PM), https://www.law360.com/cybersecurity-privacy/articles/1380635/fla-privacy-bill-can-t-cross-finish-line-as-session-ends?nl_pk=10d88816-9b89-4448-84ed-93c5e44500c3&utm_source=newsletter&utm_medium=email&utm_campaign=cybersecurity-privacy.

[100] The Oklahoma Computer Data Privacy Act (H.B. 1602) failed because it created an “opt-in” requirement. See Christopher Buontempo & Cynthia Larose, U.S. State Privacy Law Check-In – UPDATE, JDSupra (May 3, 2021), https://www.jdsupra.com/legalnews/us-state-privacy-law-check-in-1729916/. Had the law passed, Oklahoma’s opt-in law would have been the first of its kind in the United States. See id.

[101] The Washington Privacy Act of 2021 (S.B. 5062) failed to pass for the third time, primarily because it included a private right of action. See Buontempo & Larose, supra note 101.

[102] Currently, the Massachusetts Information Privacy Act (SD 1726) is assigned to the joint committee on Advanced Information and Technology. See David Stauss, Status of Proposed CCPA-Like State Privacy Legislation as of May 24, 2021, Byte Back (May 23, 2021) https://www.bytebacklaw.com/2021/05/status-of-proposed-ccpa-like-state-privacy-legislation-as-of-may-24-2021/. Massachusetts’ legislative session ends on December 31, 2021.

[103] See infra,notes 105-109 and accompanying text.

[104]  Privacy Bill Essentials: Proposed Federal Consumer Data Privacy and Security Act, JDSupra (May 5, 2021), https://www.jdsupra.com/legalnews/privacy-bill-essentials-proposed-4498218/?origin=CEG&utm_source=CEG&utm_medium=email&utm_campaign=CustomEmailDigest&utm_term=jds-article&utm_content=article-linkBusinesses that have more than 500 employees, have earned less than $500,000 in average gross receipts in the last three years, and that collect and process no more than one million individuals’ personal data are exempt from the CDPSA. See id.

[105] Id.

[106] Id.

[107] Press Release, Office of Congresswoman Suzan DelBene, DelBene Introduces National Consumer Data Privacy Legislation (Mar. 10, 2021), https://delbene.house.gov/news/documentsingle.aspx?DocumentID=2740.

[108] Information Transparency and Personal Data Control Act, H.R. 1816, 117th Cong. (2021). 

Finis