Comprehensive State Consumer Data Protection Acts

We reported to you last year on the new California Consumer Privacy Act, as updated by the 2020 California Privacy Rights Act (collectively as amended, the CCPA) and foresaw a trend of state legislation in this area. Sure enough, in early March, Governor Northam of Virginia signed into law the Virginia Consumer Data Protection Act (VCDPA). And in July, Governor Polis of Colorado signed the Colorado Privacy Act (CPA). Each state's law protects consumers residing in that state, more closely aligns with the E.U.'s General Data Protection Regulation (GDPR), and addresses some holes left by California's privacy law. The Virginia Act takes effect January 1, 2023, while the Colorado Act takes effect July 1, 2023. Virginia and Colorado are the second and third states, after California, to enact comprehensive privacy legislation, though they are likely to be far from the last. In this series of articles, we provide a high-level summary of the provisions of these laws and what they mean for businesses doing business in those states. In part one, we discuss the factors that determine whether the various state laws apply to your company, and what are the exceptions. In part two, we outline some key obligations of the Acts, and how to comply. Finally, in part three, we discuss the various enforcement regimes established by the three Acts, and we also talk about how the CCPA, VCDPA, and CPA affect businesses' agreements with their IT and telecom providers.

* Special thanks to our colleague Pat Whittle for his contributions to these articles.

Part 1 - Do I Need to Comply?

Part 2 - If One or More of the Acts Apply to You, What are Your Obligations?

Part 3 - Obligations with Regard to Processors/Service Providers and Enforcement

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.