On February 3, 2021, the Virginia Senate passed the Virginia Consumer Data Protection Act (“VCDPA” or the “Act”). Upon approval from Governor Ralph Northam, Virginia will be the second state in the nation to adopt a comprehensive data privacy law. This proposed legislation places Virginia alongside California at the forefront of domestic data privacy regulations.

In 2020, California changed the landscape of data privacy laws in the United States with the California Consumer Privacy Act (CCPA). The CCPA, a result of a ballot initiative by California, introduced the idea of widespread data subject rights for American consumers. Nearly three years later, Virginia is securing the second place spot with its enactment of the VCDPA. The Act mirrors the CCPA and the European Union’s General Data Protection Regulation (GDPR) in many ways. For instance, the Act contains a broad definition of “personal data.” It imposes certain fundamental processing principles, such as purpose limitation and data minimization rules, on businesses that process personal data. It also provides Virginia consumers with new rights to access, correct, delete, and request processing modifications with respect to their personal data.

Once signed into law, the VCDPA will be effective January 1, 2023. In the meantime, companies doing business in Virginia should start actively thinking of ways to incorporate VCDPA requirements into their existing privacy policies and procedures. The key features of the VCDPA are summarized below. Continue Reading And Then There Were Two: The Commonwealth of Virginia Joins California in Enacting Comprehensive Privacy Rights Law

A new year means new effective dates for state privacy legislation.  On January 1, 2025, four states witnessed consumer privacy protection laws take effect:  Delaware, Iowa, Nebraska, and New Hampshire. 

These four states join another 16 that have comprehensive data privacy laws in place. Although there are similarities in the approaches of these 20 states, each law carries unique provisions that companies must navigate in building a data governance program. This blog is intended to give a high-level overview of 2025’s newest consumer privacy laws.

Continue Reading New Year Rings in New State Privacy Laws

Hard to believe, but 2025 will be here before you know it. And what goes best with a new year? A countdown list!

Last week, I spoke at the Dayton Bar Association’s Corporate Counsel Section on the topic of the Top 10 legal technology issues that in-house counsel should have on its radar for 2025.

Continue Reading Top 10 Technology Issues to Watch for in 2025

Believe it or not, we are now more than halfway through 2024. As of July 1st, we now have additional state privacy laws in effect in Florida (narrow applicability), Oregon, and Texas – with more on the way later this year and into 2025. We thought it would be a good time to provide a recap on the current privacy law landscape in the United States today. 

Continue Reading Comprehensive State Privacy Laws – Halfway Through 2024 and Looking Ahead to 2025

Last week, Vermont Governor Phil Scott vetoed one of the most-watched pieces of privacy legislation in the United States: the Vermont Data Privacy Act (VDPA). Described in H.121 as “an act relating to enhancing consumer privacy and the age-appropriate design code,” was passed by the Vermont legislature in the early morning hours on May 11, 2024. The act represented a seismic change in domestic consumer privacy rights. However, Governor Scott returned H.121 without signature, effectively vetoing the would-be watershed bill.

Continue Reading Not So Fast: Vermont Governor VETOES Private Right of Action for Consumer Privacy Violations

It is a new year, and the privacy efforts in the United States are not letting up. In 2024 alone, three new privacy laws will take effect (i.e., Montana, Oregon and Texas), and more laws are on the horizon. The latest update to the U.S. privacy landscape took place on January 16 when New Jersey governor Phil Murphy signed Senate Bill 332 (the “Act”) into law – making New Jersey the 13th state to enact a comprehensive privacy law. The Act takes effect January 15, 2025, and mirrors several other U.S. privacy laws, with a few unique distinctions. Here is what you need to know.

Continue Reading The Garden State Joins the Privacy Party – New Jersey Becomes the Latest State to Adopt a Comprehensive Data Privacy Law

In August, India passed its long-awaited Digital Personal Data Protection Act, 2023 (“the Act”). Initially introduced in 2019, the draft bill went through several iterations before being approved by India’s Union Cabinet earlier this year. Although the Act shares many similarities to other privacy legislation, such as the EU’s GDPR and the United Kingdom’s UK GDPR, there are a few notable distinctions. While no official effective date for the law has been announced, companies should start familiarizing themselves with this new privacy law and its requirements. Here is a breakdown of what you should know.

Continue Reading Breaking Down India’s Digital Personal Data Protection Act, 2023

Oregon has become one of the latest states to adopt a comprehensive data privacy law. The Oregon Consumer Privacy Act (“OCPA” or the “Act”) takes effect July 1, 2024, and mirrors its other U.S. privacy law counterparts, with a few unique distinctions. Here is what you need to know.

Scope. The OCPA applies to (i) any person or entity who conducts business in Oregon or provides products or services to residents in Oregon and (ii) during a calendar year, controls or processes:

  • The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the completion of a payment transaction) or
  • The personal data of 25,000 or more consumers while deriving 25 percent or more of annual revenue from selling personal data.
Continue Reading 12 Down, 38 to Go: Oregon Becomes One of the Latest States to Enact a Comprehensive Data Privacy Law

On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (the “MTCDPA”) into law, becoming the ninth state to enact a comprehensive consumer privacy act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia with legislation that protects their residents’ personal data.

The MTCDPA will go into effect on October 1, 2024. In preparation for MCTDPA to be signed into law, companies doing business in Montana should start thinking of ways to incorporate the law’s requirements into their existing privacy policies and procedures.

Continue Reading Montana Enacts Privacy Law

On May 11, 2023, Tennessee Governor Bill Lee signed the Tennessee Information Protection Act (the “TIPA”) into law. Tennessee is now the eighth state to enact a comprehensive privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia. The TIPA is set to go into effect on July 1, 2025.

Continue Reading State Number Eight: Tennessee Becomes Eighth State to Enact Privacy Law