Posted In: Cybersecurity & Data Privacy & Cybersecurity & Data Privacy
By Craig S. Horbus & Jarman J. Smith on August 18, 2021
The framework of comprehensive data privacy regulations in the United States has expanded yet again, with two states enacting new privacy legislation. Virginia became the second U.S. state, behind California, to establish consumer privacy and data security regulations through the enactment of the Virginia Consumer Data Protection Act (VCDPA) in March of 2021.1 Moreover, the state of Colorado officially enacted the Colorado Privacy Act (CPA) on July 8, 2021.2 As demonstrated by the impact of the California Consumer Privacy Act (CCPA), both the VCDPA and the CPA will have tremendous effects on businesses in every U.S. state.
Virginia Consumer Data Protection Act
The VCDPA builds on frameworks used in California’s CCPA and other early data privacy legislation, such as the European Union’s General Data Protection Regulation (GDPR). Although the VCDPA’s coverage and compliance scheme may be less strenuous than GDPR and CCPA, it still represents a major shift in data regulation within the United States.
Under the VCDPA, businesses have several obligations, including the requirement to provide disclosures and privacy notices. Additionally, businesses covered under the VCDPA will be obligated to give consumers the ability to access and control personal data that the business collects about them. Virginia consumers will have certain rights concerning their personal information, including the right to submit a request to access, correct inaccuracies within, and delete personal data they have provided or that has been obtained about them. Like the CCPA, this law also includes a right that allows consumers to obtain a copy of data the consumer has previously provided, in a usable format “to the extent technically feasible.”3 Virginia consumers can also opt-out of targeted advertising, the sale of their personal information, or any automated “profiling” that results in the business providing or denying certain resources.
Although advance preparation is recommended and will prove to be beneficial, businesses regulated under the VCDPA have until January 1, 2023 to come into compliance.
Colorado Privacy Act
The CPA is very similar to the VCDPA in substance. Under CPA, covered entities have several obligations, including a duty to provide “reasonably accessible, clear, and meaningful privacy notices” and a duty to provide specific information to a consumer regarding the purpose of their data collection efforts.4 Additionally, there are five main consumer rights created and protected under this statute, including a right to access the personal data a business holds about a consumer, a right to correct any inaccuracies in that data, a right to delete personal data concerning the consumer, a right to obtain the data in a portable format, and a right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in a manner that produces legal or other significant effects concerning the consumer.5
As with the VCDPA, progressive preparation is recommended, but businesses regulated under the CPA have until July 1, 2023 to come into compliance.
The Impact on Your Businesses
The VCDPA applies to organizations that conduct business in Virginia or that produce goods or services that are targeted to Virginia residents. However, there are certain threshold limitations and other exemptions that may allow businesses to avoid VCDPA altogether. Nonetheless, if your organization has goods or services that are available to Virginia consumers, your organization’s data processing activities should be evaluated to determine whether VCDPA compliance is required. Furthermore, even exempt businesses should bear in mind that the VCDPA can be expanded in ways that might affect them as well. If your organization is covered under VCDPA, becoming compliant and maintaining compliance could save your organization tens to hundreds of thousands of dollars, as violations could result in civil penalties of up to $7,500 per violation.6
The CPA applies to entities that conduct business in Colorado or that produce goods or services that are intentionally targeted to residents of Colorado.7 However, like the VCDPA, there are certain threshold limitations and exemptions that will allow some businesses to avoid its coverage. Thus, if your organization processes information from consumers in Colorado, its data processing activities should be evaluated to determine any appliable compliance regulations under the CPA. As privacy law in the U.S. develops, we can expect existing statutes like the CPA to expand. Therefore, even exempt organizations should stay alert and prepare for compliance in the future. Although becoming compliant may seem like a hassle at first, working with qualified professionals experienced in privacy law can make the process a lot easier. Moreover, the benefits of becoming compliant can help protect your organization’s data and its reputation amongst consumers.
There are several steps an organization can take to streamline the data compliance process. We have noted some key steps below:
- Data Mapping. Understanding how data flows throughout a company is one of the first steps in preparing for privacy laws and compliance requirements. Businesses need to understand what types of data they process and how that data flows throughout the organization or to third parties.
- Updating Contracts. Evaluating and updating language in your organization’s contracts is also key. If any of these contracts involve data transfers, the language needs to be updated to make sure adequate security measures are in place to protect the personal data at issue and to ensure that such transfers are made in accordance with restrictions under applicable data privacy regulations.
- Develop Responses to Consumer Rights Request. It is important for businesses to know how to respond to consumers who make requests in accordance with the consumers’ rights. Your organization should establish procedures for request responses and adopt policies that outline how responses will be handled within your organization.
- Consult with Experienced Professionals. Obtaining adequate advice from a trusted source is extremely important when becoming compliant with privacy regulations. Professionals with knowledge of privacy regulations can provide the guidance your organization needs to identify any issues to avoid potential fines and other privacy-related hiccups.
Update on Pending Privacy Legislation
Although the VCDPA and CPA may not be particularly groundbreaking, they are significant by reflecting the growing trend of enhanced consumer privacy regulations. Moreover, Virginia and Colorado will certainly not be the last states to regulate the relationship between consumers and the businesses holding consumer data. State-level momentum for comprehensive privacy legislation is at an all-time high, and we can expect multiple states to enact more consumer privacy and cybersecurity regulations within the next few years. For instance, New Jersey, New York, Washington, Minnesota, Oklahoma, and several other states also have privacy law bills currently under consideration.8
How Brouse Can Help
Privacy regulations are complex pieces of work; therefore, it is difficult for organizations to understand these regulations and implement the policies needed to avoid penalties for non-compliance. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to develop an understanding of basic privacy law principles and to become compliant with regulations like VCDPA and CPA. Along with providing general guidance through the complexities of data privacy laws and regulations, we also provide proactive solutions for companies to defend against cyber-attacks. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.