On Tuesday, March 2, 2021, Virginia became the second U.S. state to enact a broad data privacy regime after Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law. Virginia follows California, which became the first state to pass a comprehensive data privacy law, the California Consumer Privacy Act (CCPA), in June 2018. The CCPA became operative January 1, 2020, after several amendments necessary for its implementation, which we previously covered here and here. (California is set to enact another privacy law, entitled the California Privacy Rights Act (CPRA), to update the CCPA in November 2020.) There is also a raft of other state privacy laws in the pipeline, and Virginia’s new law aligns with a trend toward states ratcheting up broadly applicable privacy-related legal obligations.
While the CCPA, CPRA and Virginia’s CDPA were all inspired by the European Union’s 2018 General Data Protection Regulation (GDPR), they contain key differences related to their applicability, definitions, exemptions, rights of action and remedies, and consent and opt-out requirements. Of particular note, the CDPA does not provide a private right of action and may only be enforced by the state’s Attorney General. Below, we highlight the key differences between the CDPA and its California analogue.
Like the GDPR, the CDPA emphasizes that controllers are required to document data protection assessments of the risks and benefits of their data processing activities after the law takes effect.
Several other states, including Washington (whose senate privacy bill the CDPA was modeled after), New York, Florida, Oklahoma, Minnesota, and Utah, are currently considering enacting their own variations of broad data privacy laws. The growing patchwork of data privacy regimes across states underscores the absence of a broad federal consumer data protection law in the United States. Large businesses with multistate or national reach should anticipate an increasingly complex landscape as they confront complying with each state’s privacy laws.