As 2021 comes to a close, it is a great time to take stock of the present state of affairs with respect to U.S. privacy laws. With the relatively recent passage of comprehensive privacy laws in California, and additional countries adopting laws that closely follow the principles of the EU’s General Data Protection Regulation (GDPR), along with increasing public concerns regarding how companies manage customers’ personal data, legal practitioners entered 2021 with high hopes that comprehensive federal privacy legislation may finally be on the horizon. Nevertheless, in a trend that is likely to continue in the year ahead, it was the states rather than federal legislatures that successfully added to the ranks of privacy laws with which businesses will soon need to comply.
Continue Reading Momentum Builds for State Privacy Laws but the Possibility of a Federal Law Remains Remote
Virginia
Minnesota Debates New Privacy Bills
Building on the momentum of the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“CDPA”), and the consideration of similar laws in states like Washington and New York, Minnesota’s legislature is debating HF 36, introduced on January 7, 2021, and HF 1492, introduced on February 22, 2021. Significantly, HF 36 grants consumers a private right of action for any violation of its provisions—something that was considered but not ultimately included in the CCPA, which provides for a private right of action only in the event of a data breach. In contrast, HF 1492 joins Virginia’s CDPA by relying on regulatory enforcement and generally pursuing an approach that is closer to Europe’s General Data Protection Regulation (“GDPR”). If passed, HF 36 would take effect on June 30, 2022, and HF 1492, also known as the Minnesota Consumer Data Privacy Act (“MCDPA”) on July 31, 2022.
Continue Reading Minnesota Debates New Privacy Bills
Florida House and Senate Privacy Legislation Fails to Pass
Florida joined the fray of state legislatures vying to become the third state to enact comprehensive data privacy legislation following the passage of Virginia’s Consumer Data Protection Act (“CDPA”). Introduced in February with the support of Governor DeSantis, House Bill 969 (“HB 969”) shared many similarities with the California Consumer Privacy Act (“CCPA”), including a private right of action. At the same time, the previously identical Senate Bill 1734 (“SB 1734”) was recently amended to limit the scope of the law and remove the private right of action. As with some many other state laws, the Florida bills have died for the present legislative session due to the breakdown over the private cause of action.
Continue Reading Florida House and Senate Privacy Legislation Fails to Pass
Step Aside California: Virginia Consumer Data Protection Act Becomes Law
On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law without further amendments. Virginia now joins California as the second U.S. state to enact comprehensive privacy legislation. The CDPA will come into effect January 1, 2023 simultaneously with California’s Consumer Privacy Rights Act (CPRA). While similar, the laws reflect somewhat differing approaches to a consumer data law, and covered businesses should begin preparing compliance strategies now. In particular, the new Virginia law may well presage movement in other states, such as Washington, New York, etc., or perhaps movement on a federal privacy law. In light of these developments, many clients are shifting away from jurisdiction-specific policies and towards a rationalized national or global approach to privacy and data protection – with local variations as appropriate.
Continue Reading Step Aside California: Virginia Consumer Data Protection Act Becomes Law
Virginia Poised to Join California with Comprehensive Data Protection Framework
Since passage of the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), many states have proposed data protection bills that have floundered in the legislative process. Virginia, previously a dark horse in the race amongst US states to pass data protection legislation, is now poised to take the lead with the Virginia Consumer Data Protection Act (“CDPA”). Unlike bills that have repeatedly stalled in key states like Washington, the CDPA has progressed swiftly and easily in this now “trifecta Blue” Virginia, with the Virginia Senate passing a version of the bill on February 3, less than a week after the House passed a near-identical companion bill. If the governor signs the CDPA into law, the CDPA will take effect January 1, 2023, simultaneously with the CPRA.
Continue Reading Virginia Poised to Join California with Comprehensive Data Protection Framework