The Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Draft Connecticut Privacy Legislation: An Overview and Practical Guide

Simply when organizations begin to really feel snug with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), this 12 months we noticed the passage of two new complete privateness legal guidelines in Virginia and Colorado and practically one other in Connecticut. This text discusses the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CoPA) and identifies parallels and variations between these statutes and different privateness legal guidelines. The article additionally discusses the pending complete privateness regulation in Connecticut – we anticipate its passage in the close to future.

For these accustomed to present privateness legal guidelines, each in the United States and globally, the VCDPA and the CoPA don’t current totally new ideas. They’re variations on a theme, in that the provisions and ideas are largely primarily based on the Truthful Data Apply Rules, as are many different privateness legal guidelines. Proponents of the VCDPA and the CoPA hail them as an adoption of the finest components of present privateness legal guidelines whereas opponents seek advice from them as an odd mish-mash of present rules.

This text gives an outline of the VCDPA and the CoPA with an emphasis on the parts of the legal guidelines that we anticipate will obtain the most inquiries from attorneys normal imposing the acts. The article gives a short overview of the key dates and provisions, the similarities and shared ideas between the statutes and different legal guidelines, newly launched ideas by the statutes, in addition to expectations for enforcement.

It’s assumed that these studying this text are accustomed to the fundamental necessities of the CCPA and the European Union’s Common Data Protection Regulation (GDPR). Readers can entry the articles and assets printed by Troutman Pepper relating to those legal guidelines and different privateness legal guidelines by clicking on the hyperlinks under.

Essential Dates

Virginia enacted the Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, turning into the second state to enact complete laws concerning knowledge privateness (behind solely California). Following California and Virginia, Colorado grew to become the third state to enact a complete privateness regulation with the passage of the Colorado Privacy Act (CoPA) on July 8, 2021. A complete privateness regulation overwhelmingly handed in the Senate in Connecticut however was laid low with the Home shortly earlier than the remaining components of the invoice had been offered to the Governor for his signature.

VCDPA Efficient Date

Whereas the VCDPA was signed into regulation on March 2, 2021, the VCDPA is just not efficient till January 1, 2023, as a way to present organizations and stakeholders time to arrange for the modifications.

CoPA Efficient Date

Equally, whereas the CoPA was signed into regulation on July 8, 2021, it doesn’t turn into efficient till July 1, 2023. The CoPA consists of quite a few different vital dates as properly. The discover and remedy interval (mentioned under) are robotically repealed on January 1, 2025. Moreover, the Colorado Lawyer Common (the “Colorado AG”) should undertake guidelines outlining technical specs for opt-out mechanism by July 1, 2023, and the Colorado AG can also be licensed to undertake guidelines by January 1, 2025, which might then turn into efficient on or earlier than July 1, 2025.  The VCDPA, in contrast, doesn’t require any implementing rules.

Definitions of Key Phrases

The VCDPA and the CoPA outline events and info in another way than the CCPA, and this text will briefly point out a few of the key outlined phrases.

“Consumers”

The VCDPA and the CoPA had been enacted to empower “consumers” to guard their private info and to require corporations to be accountable with private info they acquire. “Consumers” is outlined by the statutes to incorporate a person who’s a Colorado/Virginia resident appearing solely in a person or family context and doesn’t embrace somebody appearing in a industrial or employment context.[1]

“Controller” vs. “Processor”

Borrowing an idea from the GDPR, the VCDPA and the CoPA regulate “controllers” and “processors.”[2] A “controller” is the individual or entity that “determines the purpose and means of processing personal data”, whereas a “processor” is an individual or entity that “processes personal data on behalf of a controller.”[3]

“Personal Data” vs. “De-Identified Data” vs. “Sensitive Data”

The VCDPA and the CoPA regulate the assortment, storage and use of “personal data,” which is outlined to incorporate info that’s linked or fairly linkable to an recognized or identifiable particular person. As in different privateness legal guidelines, private knowledge doesn’t embrace “de-identified data.”[4]

De-identified knowledge can also be equally outlined by each statutes to incorporate knowledge that can’t fairly be used to deduce details about, or in any other case be linked to, an recognized or identifiable particular person, or a tool linked to such a person, if the controller that possesses the knowledge:

(a) takes cheap measures to make sure that the knowledge can’t be related to a person;

(b) publicly commits to keep up and use the knowledge solely in a de-identified vogue and not try to re-identify the knowledge; and

(c) contractually obligates any recipients of the info to adjust to these necessities.[5]

Borrowing an idea from the GDPR and the CPRA, the VCDPA and the CoPA additionally present particular protections for a subset of private info outlined as “sensitive data”, which incorporates private knowledge revealing racial or ethnic origin, spiritual beliefs, psychological or bodily well being prognosis, sexual orientation, or citizenship or immigration standing; genetic or biometric knowledge for the function of uniquely figuring out a pure individual; and private knowledge collected from a identified little one.[6]

Scope of Software: Who’s Lined?

The VCDPA and the CoPA deviate from the CCPA in that an entity is roofed by the statutes no matter the quantity of that entity’s revenues.[7]  

Beneath the VCDPA, an entity is roofed if it conducts enterprise in the Commonwealth or produces services or products that focus on residents of the Commonwealth, and:

  • throughout a calendar 12 months, controls or processes private knowledge of a minimum of 100,000 customers; or

  • controls or processes private knowledge of a minimum of 25,000 customers and derives over 50% % of gross income from the sale of private knowledge.[8]

Equally, beneath the CoPA, a controller is roofed if it conducts enterprise in the state or produces or delivers industrial services or products which might be deliberately focused to residents in the state; and:

  • controls or processes the private knowledge of 100,000 customers or extra throughout a calendar 12 months; or

  • derives income or receives a reduction on the worth of products or companies from the sale of private knowledge and processes or controls the private knowledge of 25,000 customers or extra.

Along with exempting de-identified knowledge and sure classes of knowledge which might be already topic to privateness rules, the VCDPA gives blanket exemptions for sure forms of organizations, together with (1) authorities companies and authorities, (2) monetary establishments topic to GLBA, (3) “covered entities” regulated by HIPAA and HITECH, (4) nonprofit organizations, and (5) establishments of upper schooling.[9] The CoPA equally exempts de-identified knowledge and exempts sure classes of knowledge, nevertheless it has fewer classes of establishments which might be per se exempt from the statute.[10]

Shared Ideas and Provisions concerning Controllers[11]

Along with having some related definitions and the scope of their software, the VCDPA and the CoPA have many related necessities and provisions. The statutes create quite a few rights for customers, place quite a few obligations on controllers, require processes for customers whose requests for info are denied, and impose related knowledge safety necessities.

Consumer’s Rights

The VCDPA and the CoPA present customers[12] with quite a few rights regarding their private knowledge, together with:

  1. The Proper to Know whether or not “whether a controller is processing the consumer’s personal data;”

  2. The Proper to Entry such private knowledge;

  3. The Proper to Right Inaccuracies in the client’s private knowledge;

  4. The Proper to Delete private knowledge offered by or obtained about the client;

  5. The Proper to a Data Portability that enables a client to acquire a duplicate of the client’s private knowledge; and

  6. The Proper to Decide Out of the processing of private knowledge for functions of (i) focused promoting, (ii) the sale of private knowledge, or (iii) profiling in furtherance of selections that produce authorized or equally vital results regarding the client.[13]

The CoPA’s Proper to Decide Out of the processing of private knowledge barely deviates from the VCDPA.[14] The CoPA requires that buyers be supplied with a “universal opt-out mechanism” that’s compliant with the technical specs that should be promulgated by the Colorado AG.[15] The Colorado AG’s “technical specifications” should be sure that the mechanism is just not used to unfairly drawback one other controller, sufficiently informs customers about the opt-out selections accessible to them, represents the client’s affirmative and unambiguous option to decide out, is client pleasant, is in keeping with any related mechanisms required by regulation or regulation elsewhere in the United States, and permits the controller to precisely authenticate the client.[16]  

Data Assortment, Safety, and Administration

Whereas the VCDPA and the CoPA have variations, additionally they share quite a few ideas and provisions with respect to imposing obligations on controllers. We talk about the key ideas and provisions under however suggest that you simply learn the precise textual content of the statutes to know nuances and distinctions of the legal guidelines.

The VCDPA and the CoPA have adopted the knowledge minimization idea, which typically gives that controllers’ assortment of private knowledge and should be restricted to that knowledge which is satisfactory, related, fairly vital for the specified function for which the knowledge was collected.[17]

The VCDPA and the CoPA additionally require controllers to reveal the function for which the private knowledge is collected and processed, and a controller can not course of private knowledge for functions aside from these which might be disclosed.[18] 

The VCDPA and the CoPA additionally require controllers to take cheap actions to safe the private knowledge throughout each storage and use of the knowledge to guard the confidentiality, integrity, and accessibility of the private knowledge.[19]

Lastly, beneath the VCDPA and the CoPA, a controller is prohibited from processing “sensitive data” with out first acquiring the client’s consent.[20] “Sensitive data” consists of “(a) [p]ersonal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) Personal data from a known child.”[21]

Processes for Appeals

Not solely do the statutes endow customers with rights, additionally they require that controllers should be supplied with an avenue to train these rights, and controllers are required to answer client inquiries. Particularly, customers might submit requests to controllers to specify the rights the client needs to invoke, and the legal guidelines require that controllers should reply inside 45 days of receiving the request with just one potential 45-day extension when “reasonably necessary” and when sure situations are met.[22]

Additional, the controller should set up an inner course of whereby customers might attraction a controller’s choice to refuse to take motion on the client’s request to train any of its rights.[23] If the appellate course of doesn’t trigger the controller to alter its place, the controller is required to supply the client with the contact info for the lawyer normal as a way to submit a grievance.[24]  

Data Protection Assessments

The VCDPA and the CoPA additionally require controllers to “conduct and document a data protection assessment” of sure processing of private knowledge for functions of focused promoting or profiling in sure circumstances, the sale of private knowledge, and the processing of delicate knowledge.[25]

The knowledge safety assessments are to determine and weigh the advantages which will movement, instantly and not directly, from the knowledge processing to the controller, the client, different stakeholders, and the public towards the potential dangers to the rights of the client related to such processing. The evaluation additionally should be disclosed to the lawyer normal when such knowledge safety evaluation is related to an investigation.[26]

Litigation and Enforcement

Timeline for Enforcement

The Virginia and Colorado AGs can not begin enforcement actions beneath the VCDPA and the CoPA till January 1, 2023 and July 1, 2023, respectively. Nonetheless, primarily based on the strategy taken by the California AG in imposing the CCPA, organizations can anticipate investigations and enforcement exercise to start as quickly as the statutes allow. Moreover, utilizing what we all know from the California AG’s first 12 months of CCPA enforcement, anticipate that the Colorado AG and Virginia AG Workplaces can have very busy years.[27]

VCDPA – Enforcement and Fines

The VCDPA gives no personal proper of motion. The Virginia AG has unique authority to implement the VCDPA.[28] The Virginia AG is even given broad authority and can start an investigation even earlier than a violation happens if it has cheap trigger to consider that an individual is “about to engage in any violation” of the Act.[29]

The VCDPA gives a controller or processor with a 30-day interval after receiving written discover from the Virginia AG of an alleged violation as a way to remedy that violation.[30] If the controller or processor doesn’t remedy such violation inside the 30-day interval, the Virginia AG might provoke a lawsuit to hunt an injunction and to get better civil penalties of as much as $7,500 for every violation and cheap bills, together with attorneys’ charges.[31]  

The VCDPA additionally creates a particular fund referred to as the Consumer Privacy Fund, and all civil penalties, bills, and attorneys’ charges recovered beneath the VCDPA shall be credited to the Fund, which is then used to assist the Virginia AG’s work to implement the VCDPA.[32]

CoPA – Enforcement and Fines

Likewise, the CoPA doesn’t create personal proper of motion.[33] It as a substitute can be enforced by the Colorado Lawyer Common and Colorado’s district attorneys.[34] 

The CoPA notes that the Colorado Lawyer Common should present a controller or processor with a 60-day interval to remedy an alleged violation earlier than bringing an enforcement motion.[35]  Nonetheless, efficient January 1, 2025, the Colorado AG is not required to supply a remedy interval however can instantly convey an enforcement motion.[36]

Violations of the CoPA are thought of a misleading commerce apply, which permits for a civil penalty of $20,000 for every violation.[37] 

No Test-the-Field Compliance

The AGs will possible concentrate on quite a few areas for enforcement however with a normal theme. Particularly, utilizing the California AG’s expertise with imposing the CCPA, we are able to anticipate that the Virginia and Colorado AGs will wish to be sure that organizations are usually not treating the new legal guidelines as check-the-box workouts however, relatively, are offering customers with required info and well timed participating with client’s requests. Certainly, not solely will the AGs need organizations to supply the vital info, they are going to demand that or not it’s conveyed in a manner that may be simply understood by the common client and during which customers can have the fewest variety of steps to entry the info and train their rights.


  1.  See Va. Code Ann. § 59.1-575; Colo. Rev. Stat. § 6-1-1303(6)

  2. See Colo. Rev. Stat. § 6-1-1303(7) (barely completely different definition of controller) see GDPR, Artwork. 4(7) (defining Controller); id. Artwork. 4(8) (defining Processor). The proposed invoice in Connecticut likewise used this distinction. See CT Senate Invoice 893 § 1(8), (20).

  3. Va. Code Ann. § 59-1-571.

  4. Colo. Rev. Stat. § 6-1-1303(17); Va. Code Ann. § 59.1-575.

  5. Colo. Rev. Stat. § 6-1-1303(11); Va. Code Ann. § 59.1-575; see id. § 59.1-581.

  6.  Colo. Rev. Stat. § 6-1-1303(24); Va. Code Ann. § 59.1-575 (the VCDPA’s definition additionally consists of “precise geolocation data” as delicate info).

  7. To ensure that an entity to be thought of a enterprise, and therefore regulated by the CCPA, it should fulfill a minimum of one among three thresholds. One such threshold is whether or not the enterprise has gross annual income over $25 million. See Cal. Civil Code 1798.140(c)(1)(A) (Oct. 2020).

  8.  Connecticut proposed related {qualifications}. See CT Senate Invoice 893.

  9.  Connecticut has likewise proposed related exemptions. CT Senate Invoice 893 § 3.

  10.  Colo. Rev. Stat. § 6-1-1304(2).

  11.  For extra info regarding the function of processors, please seek advice from Va. Code Ann. § 59.1-579 and Colo. Rev. Stat. § 6-1-1305.

  12. “Consumer” is a particularly outlined time period in the Acts. Va. Code Ann. § 59.1-575; CT SB893 § 1(7).

  13. Va. Code Ann. § 59.1-577.A; Colo. Rev. Stat. § 6-1-1306. Connecticut SB 893 contained related necessities.  See CT SB 893 § 4(a).

  14.  Colo. Rev. Stat. § 6-1-1306(1)(a)(IV).

  15. Id.

  16.  Colo. Rev. Stat. § 6-1-1313.

  17. Va. Code Ann. § 59.1-578(A)(1); Colo. Rev. Stat. § 6-1-1308(3).

  18. Va. Code Ann. § 59.1-578(A)(1); Colo. Rev. Stat. §§ 6-1-1308(2), (4).

  19.  Va. Code Ann. § 59.1-578(A)(3); Colo. Rev. Stat. § 6-1-1308(5).

  20. Va. Code Ann. § 59.1-578(A)(5); Colo. Rev. Stat. § 6-1-1308(7).

  21. Colo. Rev. Stat. § 6-1-1303(24); see Va. Code Ann. § 59.1-575 (equally defining “personal data” but in addition together with “precise geolocation data”). Connecticut Senate Invoice 893 included related provisions. See CT SB 893 § 5(a).

  22.  Va. Code Ann. §§ 59.1-577.A.-C.; Colo. Rev. Stat. § 6-1-1306(2); see CT SB 893 § 4.

  23. Va. Code Ann. § 59.1-577.C.; Colo. Rev. Stat. § 6-1-1306(3).

  24. Id.

  25. Va. Code Ann. § 59.1-580.A. (additionally requiring a knowledge safety evaluation for “[a]ny processing activities involving personal data that present a heightened risk of harm to consumers”); see Colo. Rev. Stat. § 6-1-1309.

  26. Va. Code Ann. § 59.1-580.C.

  27. Bloomberg Legislation, Prime Takeaways from a 12 months of CCPA Enforcement (printed Aug. 6, 2021)

  28.  Va. Code Ann. § 59.1-584.A.

  29. Va. Code Ann. § 59.1-583.

  30. Va. Code Ann. § 59.1-584.

  31. Va. Code Ann. § 59.1-584.C.-D.

  32. Va. Code Ann. § 59.1-585.

  33. In contrast to the CCPA, the VCDPA and the CoPA shouldn’t have a carve-out that enables customers to convey an motion for statutory damages in the occasion of a knowledge breach. See Colo. Rev. Stat. § 6-1-1310.

  34. Colo. Rev. Stat. § 6-1-1311.

  35.  Id.

  36.  Id.

  37. Colo. Rev. Stat. §§ 6-1-1311 and 6-1-112.

Source link