Just when organizations start to feel comfortable with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), this year we saw the passage of two new comprehensive privacy laws in Virginia and Colorado and nearly another in Connecticut. This article discusses the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CoPA) and identifies parallels and differences between these statutes and other privacy laws. The article also discusses the pending comprehensive privacy law in Connecticut – we anticipate its passage in the near future.
For those familiar with current privacy laws, both in the United States and globally, the VCDPA and the CoPA do not present entirely new concepts. They are variations on a theme, in that the provisions and concepts are mostly based on the Fair Information Practice Principles, as are many other privacy laws. Proponents of the VCDPA and the CoPA hail them as an adoption of the best parts of current privacy laws while opponents refer to them as an odd mish-mash of current regulations.
This article provides an overview of the VCDPA and the CoPA with an emphasis on the portions of the laws that we anticipate will receive the most inquiries from attorneys general enforcing the acts. The article provides a brief overview of the key dates and provisions, the similarities and shared concepts between the statutes and other laws, newly introduced concepts by the statutes, as well as expectations for enforcement.
It is assumed that those reading this article are familiar with the basic requirements of the CCPA and the European Union’s General Data Protection Regulation (GDPR).
Important Dates
Virginia enacted the Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, becoming the second state to enact comprehensive legislation regarding data privacy (behind only California). Following California and Virginia, Colorado became the third state to enact a comprehensive privacy law with the passage of the Colorado Privacy Act (CoPA) on July 8, 2021. A comprehensive privacy law overwhelmingly passed in the Senate in Connecticut but was stricken by the House shortly before the remaining parts of the bill were presented to the Governor for his signature.
VCDPA Effective Date
While the VCDPA was signed into law on March 2, 2021, the VCDPA is not effective until January 1, 2023, in order to provide organizations and stakeholders time to prepare for the changes.
CoPA Effective Date
Similarly, while the CoPA was signed into law on July 8, 2021, it does not become effective until July 1, 2023. The CoPA includes a number of other significant dates as well. The notice and cure period (discussed below) is automatically repealed on January 1, 2025. Additionally, the Colorado Attorney General (the “Colorado AG”) must adopt rules outlining technical specifications for the opt-out mechanism by July 1, 2023, and the Colorado AG is also authorized to adopt rules by January 1, 2025, which would then become effective on or before July 1, 2025. The VCDPA, by contrast, does not require any implementing regulations.
Definitions of Key Terms
The VCDPA and the CoPA define parties and information differently than the CCPA, and this article will briefly mention some of the key defined terms.
“Consumers”
The VCDPA and the CoPA were enacted to empower “consumers” to protect their personal information and to require companies to be responsible with personal information they obtain. “Consumers” is defined by the statutes to include an individual who is a Colorado/Virginia resident acting only in an individual or household context and does not include someone acting in a commercial or employment context.[1]
“Controller” vs. “Processor”
Borrowing a concept from the GDPR, the VCDPA and the CoPA regulate “controllers” and “processors.”[2] A “controller” is the person or entity that “determines the purpose and means of processing personal data”, whereas a “processor” is a person or entity that “processes personal data on behalf of a controller.”[3]
“Personal Data” vs. “De-Identified Data” vs. “Sensitive Data”
The VCDPA and the CoPA regulate the collection, storage and use of “personal data,” which is defined to include information that is linked or reasonably linkable to an identified or identifiable individual. As in other privacy laws, personal data does not include “de-identified data.”[4]
De-identified data is also similarly defined by both statutes to include data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:
(a) takes reasonable measures to ensure that the data cannot be associated with an individual;
(b) publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and
(c) contractually obligates any recipients of the information to comply with these requirements.[5]
Borrowing a concept from the GDPR and the CPRA, the VCDPA and the CoPA also provide special protections for a subset of personal information defined as “sensitive data”, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data for the purpose of uniquely identifying a natural person; and personal data collected from a known child.[6]
Scope of Application: Who is Covered?
The VCDPA and the CoPA deviate from the CCPA in that an entity is covered by the statutes regardless of the amount of that entity’s revenues.[7]
Under the VCDPA, an entity is covered if it conducts business in the Commonwealth or produces products or services that target residents of the Commonwealth, and:
- during a calendar year, controls or processes personal data of at least 100,000 consumers; or
- controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.[8]
Similarly, under the CoPA, a controller is covered if it conducts business in the state or produces or delivers commercial products or services that are intentionally targeted to residents in the state; and:
- controls or processes the personal data of 100,000 consumers or more during a calendar year; or
- derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
In addition to exempting de-identified data and certain categories of information that are already subject to privacy regulations, the VCDPA provides blanket exemptions for certain types of organizations, including (1) government agencies and authorities, (2) financial institutions subject to GLBA, (3) “covered entities” regulated by HIPAA and HITECH, (4) nonprofit organizations, and (5) institutions of higher education.[9] The CoPA similarly exempts de-identified data and exempts certain categories of information, but it has fewer categories of institutions that are per se exempt from the statute.[10]
Shared Concepts and Provisions regarding Controllers[11]
In addition to sharing similar definitions and a similar scope of application, the VCDPA and the CoPA have many similar requirements and provisions. The statutes create a number of rights for consumers, place a number of obligations on controllers, require processes for consumers whose requests for information are denied, and impose similar data protection requirements.
Consumer’s Rights
The VCDPA and the CoPA provide consumers[12] with a number of rights concerning their personal data, including:
- The Right to Know “whether a controller is processing the consumer’s personal data;”
- The Right to Access such personal data;
- The Right to Correct Inaccuracies in the consumer’s personal data;
- The Right to Delete personal data provided by or obtained about the consumer;
- The Right to Data Portability, which allows a consumer to obtain a copy of the consumer’s personal data; and
- The Right to Opt Out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.[13]
The CoPA’s Right to Opt Out of the processing of personal data slightly deviates from the VCDPA.[14] The CoPA requires that consumers be provided with a “universal opt-out mechanism” that is compliant with the technical specifications that must be promulgated by the Colorado AG.[15] The Colorado AG’s “technical specifications” must ensure that the mechanism is not used to unfairly disadvantage another controller, sufficiently informs consumers about the opt-out choices available to them, represents the consumer’s affirmative and unambiguous choice to opt out, is consumer friendly, is consistent with any similar mechanisms required by law or regulation elsewhere in the United States, and permits the controller to accurately authenticate the consumer.[16]
Data Collection, Security, and Management
While the VCDPA and the CoPA have differences, they also share a number of concepts and provisions with respect to imposing obligations on controllers. We discuss the key concepts and provisions below but recommend that you read the actual text of the statutes to understand nuances and distinctions of the laws.
The VCDPA and the CoPA have adopted the data minimization concept, which generally provides that controllers’ collection of personal data must be limited to data that is adequate, relevant, and reasonably necessary for the specified purpose for which the data was collected.[17]
The VCDPA and the CoPA also require controllers to disclose the purpose for which the personal data is collected and processed, and a controller cannot process personal data for purposes other than those that are disclosed.[18]
The VCDPA and the CoPA also require controllers to take reasonable actions to secure the personal data during both storage and use of the data to protect the confidentiality, integrity, and accessibility of the personal data.[19]
Finally, under the VCDPA and the CoPA, a controller is prohibited from processing “sensitive data” without first obtaining the consumer’s consent.[20] “Sensitive data” includes “(a) [p]ersonal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or immigration status; (b) Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) Personal data from a known child.”[21]
Processes for Appeals
Not only do the statutes endow consumers with rights, they also require that controllers provide consumers with an avenue to exercise those rights and respond to consumer inquiries. Specifically, consumers may submit requests to controllers specifying the rights the consumer wishes to invoke, and the laws require that controllers respond within 45 days of receiving the request, with only one possible 45-day extension when “reasonably necessary” and when certain conditions are met.[22]
Further, the controller must establish an internal process wherein consumers may appeal a controller’s decision to refuse to take action on the consumer’s request to exercise any of the consumer’s rights.[23] If the appellate process does not cause the controller to change its position, the controller is required to provide the consumer with the contact information for the attorney general in order to submit a complaint.[24]
Data Protection Assessments
The VCDPA and the CoPA also require controllers to “conduct and document a data protection assessment” of certain processing of personal data for purposes of targeted advertising or profiling in certain circumstances, the sale of personal data, and the processing of sensitive data.[25]
The data protection assessments are to identify and weigh the benefits that may flow, directly and indirectly, from the data processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing. The assessment also must be disclosed to the attorney general when such data protection assessment is relevant to an investigation.[26]
Litigation and Enforcement
Timeline for Enforcement
The Virginia and Colorado AGs cannot commence enforcement activities under the VCDPA and the CoPA until January 1, 2023 and July 1, 2023, respectively. However, based on the approach taken by the California AG in enforcing the CCPA, organizations can expect investigations and enforcement activity to begin as soon as the statutes permit. Additionally, using what we know from the California AG’s first year of CCPA enforcement, expect that the Colorado AG and Virginia AG Offices will have very busy years.[27]
VCDPA – Enforcement and Fines
The VCDPA provides no private right of action. The Virginia AG has exclusive authority to enforce the VCDPA.[28] The Virginia AG is given broad authority and can even begin an investigation before a violation occurs if it has reasonable cause to believe that a person is “about to engage in any violation” of the Act.[29]
The VCDPA provides a controller or processor with a 30-day period after receiving written notice from the Virginia AG of an alleged violation in order to cure that violation.[30] If the controller or processor does not cure such violation within the 30-day period, the Virginia AG may initiate a lawsuit to seek an injunction and to recover civil penalties of up to $7,500 for each violation and reasonable expenses, including attorneys’ fees.[31]
The VCDPA also creates a special fund called the Consumer Privacy Fund, and all civil penalties, expenses, and attorneys’ fees recovered under the VCDPA shall be credited to the Fund, which is then used to support the Virginia AG’s work to enforce the VCDPA.[32]
CoPA – Enforcement and Fines
Likewise, the CoPA does not create a private right of action.[33] It instead will be enforced by the Colorado Attorney General and Colorado’s district attorneys.[34]
The CoPA provides that the Colorado Attorney General must give a controller or processor a 60-day period to cure an alleged violation before bringing an enforcement action.[35] However, effective January 1, 2025, the Colorado AG is no longer required to provide a cure period and can immediately bring an enforcement action.[36]
Violations of the CoPA are considered a deceptive trade practice, which allows for a civil penalty of $20,000 for each violation.[37]
No Check-the-Box Compliance
The AGs will likely focus on a number of areas for enforcement but with a general theme. Specifically, using the California AG’s experience with enforcing the CCPA, we can expect that the Virginia and Colorado AGs will want to ensure that organizations are not treating the new laws as check-the-box exercises but, rather, are providing consumers with required information and timely engaging with consumers’ requests. Indeed, not only will the AGs want organizations to provide the necessary information, they will demand that it be conveyed in a way that can be easily understood by the average consumer and that lets consumers access the information and exercise their rights in the fewest possible steps.
Scope of the CCPA and Compliance Strategies
- “Top Takeaways From a Year of CCPA Enforcement,” Bloomberg Law, August 6, 2021
- “Colorado Governor Signs Comprehensive Data Privacy Bill — How Does It Compare to California and Virginia?,” July 14, 2021
- “Calif. Privacy Law Takeaways From 9th Circ. Facebook Case,” Law360, April 27, 2020
- “INSIGHT: So the CCPA Is Ambiguous — Now What?,” Bloomberg Law, June 14, 2019
- “Is Your Business in Need of a CCPA Intervention,” International Association of Privacy Professionals, July 2019
- “Key Differences In Nev. And Calif. Data Privacy Laws,” Law360, June 19, 2019
- “Ill. Privacy Bill Is Not As Robust As Calif. Law,” Law360, December 17, 2019
Implementing Regulations
- “INSIGHT: Five Reasons to Comment on Draft CCPA Regulations,” Bloomberg Law, October 22, 2019
- “CCPA Modified Draft Regulations: Two Steps Forward, One Step Back,” The Recorder, February 10, 2020
- “Calif. AG’s Latest Privacy Law Revisions Miss Some Spots,” Law360, March 19, 2020
CCPA Notice and Cure Provision Relating to Data Breaches
- “INSIGHT: First CCPA-Related Case Foreshadows Five Issues,” Bloomberg Law, February 10, 2020
- “INSIGHT: FTC Report Offers Road Map to Mitigate CCPA Data Breach Class Actions,” Bloomberg Law, March 5, 2020
CCPA Enforcement Series
- Enforcement Area No. 1: The Infamous “Do-Not-Sell” Button, July 14, 2020
- Enforcement Area No. 2: Treating the CCPA Like a Check-the-Box Exercise, July 20, 2020
- Enforcement Area No. 3: Service Providers, July 27, 2020
- Enforcement Area No. 4: Businesses Collecting Children’s Personal Information and Health-Related Data, August 3, 2020
- Enforcement Area No. 5: Failing to Provide Adequate Notice at Collection, August 10, 2020
- Enforcement Area No. 6: OAG’s Reaction to CPRA Referendum, August 17, 2020
GDPR Overview and Updates
- GDPR – Three Years Later, The Lessons Learned and What’s to Come, July 24, 2021
- “New Standard Contractual Clauses Supply Opportunities and Obligations for Organizations Transferring Personal Data Out of the EU,” July 22, 2021
Virginia Consumer Data Protection Act Series
- Part 1: Introduction and Overview, March 4, 2021
- Part 2: Consumer Rights, March 11, 2021
- Part 3: Notice and Disclosure Obligations, March 18, 2021
- Part 4: Data Processing Obligations, March 25, 2021
- Part 5: Litigation and Enforcement, April 1, 2021
Footnotes
[1] See Va. Code Ann. § 59.1-575; Colo. Rev. Stat. § 6-1-1303(6).
[2] See Colo. Rev. Stat. § 6-1-1303(7) (slightly different definition of controller); see GDPR, Art. 4(7) (defining Controller); id. Art. 4(8) (defining Processor). The proposed bill in Connecticut likewise used this distinction. See CT Senate Bill 893 § 1(8), (20).
[3] Va. Code Ann. § 59.1-571.
[4] Colo. Rev. Stat. § 6-1-1303(17); Va. Code Ann. § 59.1-575.
[5] Colo. Rev. Stat. § 6-1-1303(11); Va. Code Ann. § 59.1-575; see id. § 59.1-581.
[6] Colo. Rev. Stat. § 6-1-1303(24); Va. Code Ann. § 59.1-575 (the VCDPA’s definition also includes “precise geolocation data” as sensitive information).
[7] In order for an entity to be considered a business, and hence regulated by the CCPA, it must satisfy at least one of three thresholds. One such threshold is whether the business has gross annual revenue over $25 million. See Cal. Civil Code 1798.140(c)(1)(A) (Oct. 2020).
[8] Connecticut proposed similar qualifications. See CT Senate Bill 893.
[9] Connecticut has likewise proposed similar exemptions. CT Senate Bill 893 § 3.
[10] Colo. Rev. Stat. § 6-1-1304(2).
[11] For more information concerning the role of processors, please refer to Va. Code Ann. § 59.1-579 and Colo. Rev. Stat. § 6-1-1305.
[12] “Consumer” is a specifically defined term in the Acts. Va. Code Ann. § 59.1-575; CT SB 893 § 1(7).
[13] Va. Code Ann. § 59.1-577.A; Colo. Rev. Stat. § 6-1-1306. Connecticut SB 893 contained similar requirements. See CT SB 893 § 4(a).
[14] Colo. Rev. Stat. § 6-1-1306(1)(a)(IV).
[15] Id.
[16] Colo. Rev. Stat. § 6-1-1313.
[17] Va. Code Ann. § 59.1-578(A)(1); Colo. Rev. Stat. § 6-1-1308(3).
[18] Va. Code Ann. § 59.1-578(A)(1); Colo. Rev. Stat. §§ 6-1-1308(2), (4).
[19] Va. Code Ann. § 59.1-578(A)(3); Colo. Rev. Stat. § 6-1-1308(5).
[20] Va. Code Ann. § 59.1-578(A)(5); Colo. Rev. Stat. § 6-1-1308(7).
[21] Colo. Rev. Stat. § 6-1-1303(24); see Va. Code Ann. § 59.1-575 (similarly defining “personal data” but also including “precise geolocation data”). Connecticut Senate Bill 893 included similar provisions. See CT SB 893 § 5(a).
[22] Va. Code Ann. §§ 59.1-577.A.-C.; Colo. Rev. Stat. § 6-1-1306(2); see CT SB 893 § 4.
[23] Va. Code Ann. § 59.1-577.C.; Colo. Rev. Stat. § 6-1-1306(3).
[24] Id.
[25] Va. Code Ann. § 59.1-580.A. (also requiring a data protection assessment for “[a]ny processing activities involving personal data that present a heightened risk of harm to consumers”); see Colo. Rev. Stat. § 6-1-1309.
[26] Va. Code Ann. § 59.1-580.C.
[27] Bloomberg Law, “Top Takeaways from a Year of CCPA Enforcement” (published Aug. 6, 2021).
[28] Va. Code Ann. § 59.1-584.A.
[29] Va. Code Ann. § 59.1-583.
[30] Va. Code Ann. § 59.1-584.
[31] Va. Code Ann. § 59.1-584.C.-D.
[32] Va. Code Ann. § 59.1-585.
[33] Unlike the CCPA, the VCDPA and the CoPA do not have a carve-out that allows consumers to bring an action for statutory damages in the event of a data breach. See Colo. Rev. Stat. § 6-1-1310.
[34] Colo. Rev. Stat. § 6-1-1311.
[35] Id.
[36] Id.
[37] Colo. Rev. Stat. §§ 6-1-1311 and 6-1-112.