The digital era has brought new attention to the data privacy debate. While there is limited national data privacy legislation at the time of publication, United States businesses may be subject to different privacy laws based on factors like which consumers purchase their products or services. Businesses should also be aware of new privacy legislation under development in a growing number of states.
Where are data privacy laws in effect?
Currently, data privacy laws are separated by state and category. Privacy laws may impact only certain types of data, such as health or credit information, or certain consumer groups, like children. Most consumer data collection is not regulated. Many companies are not regulated by any federal privacy laws. Instead, they may be subject to state-level data protection laws.
Legislators across the country are introducing new privacy regulations in 2022. California (CCPA and CPRA), Virginia (VCDPA), and Colorado (ColoPA) have passed or amended comprehensive data protection laws and more states are expected to join the list. At least fifteen states are considering enacting data privacy laws for 2022.
Regardless of where a company is located, California, Virginia, and Colorado privacy laws only apply to consumers based in those states. A business subject to regulations in these states must:
- Notify consumers that they are selling their data.
- Allow consumers to opt in or out of having their data sold, and
- Give consumers the ability to access, delete, change, or move their data.
Each state’s laws differ slightly in terms of how much time businesses have to fix a mistake, which businesses the law applies to, and whether opt-out requests can be handled by third parties.
Effective dates of the laws vary:
- California (CPRA): January 1, 2023 (enforcement begins on July 1, 2023)
- Virginia (VCDPA): January 1, 2023
- Colorado (CPA): July 1, 2023
Who must comply with California privacy laws
California is one of the forerunners and most comprehensive examples of online privacy regulation. Its data privacy guidelines are often used as a guiding framework by other states also looking to implement their own privacy protection laws. The recent California Privacy Rights Act (CPRA) amends and expands the California Consumer Privacy Act of 2018 (CCPA) and aligns more closely with the EU General Data Protection Regulation (GDPR).
Companies must comply with CPRA if:
- They serve residents of California, and
- Their annual revenue is $25 million or more.
Additionally, companies with personal data on at least 100,000 California households or consumers, or that earn half of their revenue from selling personal data, must also comply with the laws no matter how much annual revenue they earn.
Businesses subject to Virginia privacy law
Virginia became the second state to pass a data privacy law in 2021 entitled the Virginia Consumer Data Protection Act (VCDPA). VCDPA mirrors California law in terms of which businesses must comply with the law. Businesses are subject to the new law if they:
- Conduct business in Virginia, or
- Produce products or services that they target to Virginia residents.
The law also applies to companies that control or process data of 100,000 Virginia consumers or more, or those that control or process the data of at least 25,000 Virginia consumers and earn at least 50% of their gross revenue from selling personal data. Nonprofits are exempt from compliance with the law.
The VCDPA will become effective on January 1, 2023.
Which companies must follow Colorado privacy law
On July 7, 2021 the Colorado Privacy Act (CPA) became law with an effective date of July 1, 2023. The CPA confers certain rights on Colorado consumers to control their personal data. Under the CPA, Colorado consumers will have privacy rights that are like those granted to California and Virginia residents.
Businesses must comply with CPA if they sell products or services to Colorado residents, and they also meet one of the following thresholds:
- Process or control personal data of 100,000 or more Colorado residents per year, or
- Earn revenue or discounts from selling personal data and process or control personal data of 25,000 or more Colorado residents per year.
Developing a data privacy compliance plan
Despite grace periods of a year or more, the time left to comply with the CPRA, VCDPA, and the CPA is relatively short. After discussing how the laws apply to your business with an experienced attorney, you may need to modify business processes, technological infrastructure, customer-facing websites, apps, brick-and-mortar locations, security measures, and other critical operations.
The immediate challenge for impacted businesses in 2022 will be successfully integrating the new requirements with minimal disruption. Data privacy standards are changing across the country. It’s important for organizations to keep track of regulatory changes. As new bills are released in multiple states, finding out how you can stay compliant and work with new regulations is your best response.
Companies should consider taking the following steps to improve their privacy compliance:
- Work with an experienced attorney to develop an overall compliance strategy.
- Train compliance experts within your team.
- Take inventory of and track personal data that you collect.
- Create data protection policies and procedures for your organization.
- Prepare a plan for data breach responses.
- Document and monitor your compliance plans and processes.
For assistance with data privacy compliance or other corporate compliance-related issues, contact your Chugh, LLP attorney.
The new Virginia law amends Title 59.1 of the Code of Virginia.