Search results for: CDPA

The Virginia legislature has introduced several bills that would amend Virginia’s Consumer Data Protection Act (“CDPA”) that was enacted last year. These bills are largely in response to the November 1, 2021 Virginia Consumer Data Protection Act Work Group report (the “Report”), which outlined 17 “points of emphasis” related to the CDPA. The Report includes recommendations regarding administrative items, permitting the Attorney General to seek actual damages based on consumer harm, implementing a right (that would sunset) to cure violations of the CDPA, amending the right to delete, amending the definition of sensitive data, implementing global privacy control, and providing resources to consumers and small business, among other topics.

The following is a high-level summary of the relationship between the introduced bills and the Report:

I.     HB 381 and SB 393

In the Report, the work group specifically called for the “right to delete” provision in the CDPA to be a “right to opt out of sale” as well. This change is meant to address the scenario where the benefit of deleting data may be undone if there is indirect collection at a later date. These bills would permit a business to satisfy a consumer’s request to delete by opting the consumer out of processing of their data for targeting advertising, sale, or profiling. Note that the opt out in HB 381 is more broad and would opt the consumer out of processing for any purpose (with certain exceptions).

II.     HB 714 and SB 534

The work group also outlined that there is a need to employ an “ability to cure” option for violations, should a potential cure exist, as well as permitting the Office of the Attorney General to pursue actual damages based on consumer harm.

Accordingly, these bills add a 30-day cure period that would only apply to violations that the Attorney General deems curable. Additionally, these bills would allow the Attorney General to seek actual damages in addition to existing remedies (injunctive relief and statutory damages of $7,500.00 per violation).

III.     HB 1259

The Report also mentioned the need to consider whether the definition of “sensitive data” should exclude general demographic data used to promote diversity and outreach to underserved populations.

This bill proposes to address this by removing consent requirements for processing sensitive data when such processing involves “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status” if the data is used solely for marketing, advertising, fundraising, or similar outreach, communications or information sharing that does not result in decisions that could produce legal or similarly significant effects concerning the consumer.

Virginia is not the only state working to change its existing privacy framework. Colorado’s Office of the Attorney General will begin rulemaking activities shortly and the California Privacy Protection Agency recently held a public meeting to discuss updates to its rulemaking process. More details available on CPW’s blog covering these announcements.

Updates: California Privacy Rights Act (“CPRA”)

Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here. Continue Reading CPRA Amended and Updates Regarding the CDPA

In a must-read, CPW’s Glenn Brown provides a detailed breakdown of the Virginia Consumer Data Protection Act (the “CDPA”) and how it stacks up relative to the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act (“CPRA”), which amends and will essentially replace the CCPA on 1 January 2023, and the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).  Check out his article available at One Trust’s Data Guidance.

Just this week Virginia joined California as being one of the few states where consumers have a “right to delete” under applicable state privacy laws.  This loosely follows the approach in the EU General Data Protection Regulation (“GDPR”) that also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.  State approaches to consumers’ “right to delete” are not uniform, however, which makes understanding the nuance in the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”) all the more important.

CPW’s Glenn Brown has prepared a detailed analysis that is a must-read in light of the VCDPA’s passage that compares the “right to delete” under the CCPA, CPRA and VCDPA.  As he explains, the CCPA, CPRA and VCDPA each provide that a consumer has the right to request that a business delete their personal information, but they differ in certain respects, including their scope. The CCPA provides that consumers “… have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”  (emphasis added).  Notably, the CPRA does not amend the wording of this right.  By comparison, the VCDPA provides that consumers “… have the right to delete personal data provided by or obtained about the consumer.”  (emphasis added).  The VCDPA’s deletion right is therefore broader than that provided by the CCPA and CPRA, in that it applies to personal information that a business has collected from a consumer or that the business has collected about a consumer from another source.

Glenn provides a fantastic breakdown discussing the relevant exceptions to the “right to delete” under each of these laws, including a chart describing the various uses of personal information that will allow a business to retain the relevant personal information subject to these laws, even when a consumer has requested the business to delete it.

*The CCPA and CPRA provide that the exception is available only if: (a) deletion of the information is likely to render impossible or seriously impair the ability to complete such research; and (b) the consumer has provided informed consent.

**The VCDPA requires that the research be approved, monitored, and governed by an institutional review board, or similar independent oversight entities, that determine whether: (i) the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; (ii) the expected benefits of the research outweigh the privacy risks; and (iii) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

The CPRA also requires that such uses be compatible with the context in which the consumer provided the information in order to qualify for the exception.

Be sure to check out Glenn‘s complete analysis here.

The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.

Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026

Announcing the July 31, 2025, effectiveness of Minnesota’s strict consumer privacy law (CPL), the Act’s author said in a press release that he will be personally making requests to a “long list of ‘data brokers’ … [to] provide a timely ‘test case’ that we can use to measure compliance….”  Until January 31, 2026, businesses will have 30 days to cure violations.

Continue Reading Minnesota’s Comprehensive Privacy Law Takes Effect – and Enforcement Efforts Begin Immediately

As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th.  Governor McKee did not either sign or veto but transmitted it to the Rhode Island Secretary of State. i.e., it is effective without the Governor’s signature. 

1. WHEN IS RI-DTPPA IN FORCE?

The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky. 

Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws.  The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.

StateState Customer Privacy Law TitleEffective Date
CaliforniaCalifornia Customer Privacy Act (CCPA)January 1, 2020; CCPA Regulations effective January 1, 2023
ColoradoColorado Privacy ActJuly 1, 2023
ConnecticutConnecticut Personal Data Privacy and Online Monitoring ActJuly 1, 2023
DelawareDelaware Personal Data Privacy ActJanuary 1, 2025
FloridaFlorida Digital Bill of RightsJuly 1, 2024
IndianaIndiana Customer Data Protection ActJanuary 1, 2026
IowaIowa’s Act Relating to Customer Data ProtectionJanuary 1, 2025
KentuckyKentucky Customer Data PrivacyJanuary 1, 2026
MarylandMaryland Online Data Privacy ActOctober 1, 2025
MinnesotaMinnesota Customer Data Privacy ActJuly 31, 2025
MontanaMontana Customer Data Privacy ActOctober 1, 2024
NebraskaNebraska’s Data Privacy ActJanuary 1, 2025
New HampshireAct Relative to the Expectation of PrivacyJanuary 1, 2025
New JerseyNew Jersey Data Protection ActJanuary 15, 2025
OregonOregon Customer Privacy ActJuly 1, 2024 (July 1, 2025, for in-scope non-profit organizations)
TennesseeTennessee Information Protection ActJuly 1, 2025
TexasTexas Data Privacy and Security ActJuly 1, 2024
UtahUtah Customer Privacy ActDecember 31, 2023
VirginiaVirginia Customer Data Protection ActJanuary 1, 2023
Continue Reading Rhode Island Makes it an Even 20

In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws.  Three legislatures made it to the finish line.  One – Minnesota’s state legislature passed the Minnesota Consumer Data Privacy Act on May 19th as part of an appropriations bill, which was signed by Minnesota’s governor on May 24th.  Of the other two, one is pending gubernatorial action, and the other was vetoed.

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13th.  Before RI-DTPA becomes law, Governor McKee must either sign, take no action or veto it.  If signed, RI-DTPA is in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.

We are not, however, making assumptions about RI-DTPA’s passage.  This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA.  On June 13th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act.  In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.”  He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset.  He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” (See here.)  A veto override was not successful.

The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak (see, e.g., here).  Advertising associations also reportedly oppose RI-DTPA.  Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.

Continue Reading Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20?

Online privacy and safety of children and teens are hot legislative topics this year. In a companion post we provide an update of federal and state legislative efforts to fundamentally change how online content and advertising are delivered to children and teens. We have previously discussed legislation in California and Connecticut to require assessments of online privacy impacts on minors. In this post we focus on proposed regulatory and legislative changes to the 1998 Children’s Online Privacy Protection Act (COPPA) (effective in 2000) and its corresponding regulations (COPPA Rule), which were last updated in 2013.

Continue Reading Federal Children’s Privacy Requirements to Be Updated and Expanded

Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provides direction on its upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review the evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.

Continue Reading California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer