State lawmakers are considering, and in some cases, have enacted comprehensive privacy laws. Similar to the California Consumer Privacy Act of 2018 (CCPA), these laws and proposals include now familiar elements, including emphasis on transparency, consumer rights, disclosure and processing limitations, and accountability.

There are, however, notable differences when comparing CCPA with other state privacy laws:

Colorado Privacy Act.  In June, Colorado passed comprehensive privacy legislation, known as the Colorado Privacy Act (CPA).  Once signed into law, the CPA will take effect July 1, 2023.  The CPA provides broad protections for consumer data similar to CCPA, however, the CPA does not apply to individuals acting in a commercial or employment context.  CPA applies to data controllers who do business in Colorado or target Colorado residents and either control the personal data of at least 100,000 consumers annually or derive revenue or receive a discount from the sale of personal data, and control or process personal data of at least 25,000 consumers.  Unlike CCPA, the CPA does not include a private right of action.  Prior to any enforcement action, the Attorney General or district attorney must issue a notice of violation and give the controller 60 days to cure.

Virginia Consumer Data Privacy Act. The Virginia Consumer Data Privacy Act (CDPA), enacted recently, will go into effect January 1, 2023.  Similar to CCPA, the CDPA provides broad protections for consumer data, including the right to know, to correct inaccuracies in data, to delete data, to obtain a copy of data, and to opt out of data collection for targeted advertising, sale of personal data, or profiling.

Unlike CCPA, the CDPA expressly defines “consumer” to “not include a natural person acting in a commercial or employment context.”  The CDPA also applies to a narrower category of entities; “persons that conduct business in the Commonwealth or that produce products or services that are targeted to residents of the Commonwealth” who “control or process personal data of at least 100,000 consumers” or those who “control or process the data of at least 25,000 consumers” and “derive at least 50% of their gross revenue from the sale of personal data.”  Additionally, the CDPA has no private right of action, leaving enforcement to the Virginia Attorney General who must first provide 30 days’ written notice of any alleged current or past violation.

Nevada Privacy Law.  Nevada’s general privacy law went into effect on October 1, 2019.  Similar to Colorado’s CPA and Virginia’s CDPA, the Nevada privacy law expressly excludes information obtained within an employment context and does not permit a private right of action.  Further, unlike the CCPA, Nevada’s law does not require notice to consumers of the right to opt out of sale of their information.

Other State Proposals.  No other state has passed a general privacy law like California, Colorado, Virginia, and Nevada.  However, almost two dozen other states have introduced similar privacy bills.  More states may pass their own general privacy laws in the near future, building on existing momentum for more regulation.

About the Author:

Kristin Madigan is a partner in Crowell & Moring’s San Francisco office and a member of the firm’s Litigation and Privacy & Cybersecurity groups. Madigan focuses her practice on representing clients in high-stakes complex litigation with a focus on technology, as well as privacy and consumer protection matters including product counseling, compliance, investigations, and enforcement. Prior to joining Crowell & Moring, Madigan served as an attorney at the FTC in Washington, D.C., in the Bureau of Consumer Protection, Division of Privacy and Identity Protection.