December 14, 2021
Virginia and Colorado, which earlier this year enacted comprehensive state privacy laws following California’s 2018 lead, are now poised to follow California in another way in 2022: writing implementing regulations and weighing changes to the laws themselves. Companies should account for these regulations and changes as they develop programs to comply with the laws, which take effect in 2023.
In Virginia, lawmakers are exploring possible updates to the Virginia Consumer Data Protection Act (“VCDPA”), which passed in March 2021, such as giving a state agency rulemaking authority. Unlike the California and Colorado laws, the VCDPA itself does not give a state agency the power to issue regulations to implement the new law. But a recent report mandated by the VCDPA recommended that the legislature give the Virginia Attorney General’s Office (“Virginia AG”) or another agency such rulemaking authority.
The report was issued in response to a provision in the VCDPA, which required the creation of a working group made up of government, business, and community representatives to study potential changes to the VCDPA before it goes into effect. The group met six times before issuing its final report in November. In addition to rulemaking authority, the report also suggested other significant changes, including increasing the Virginia AG’s enforcement budget, allowing the Virginia AG to collect actual damages from violations that cause consumer harm, giving companies a right to cure violations that would sunset in the future, requiring companies to honor an automated global opt-out signal, changing the “right to delete” to a “right to opt out of sale,” and considering amending statutory definitions such as “sale,” “personal data,” “publicly available information,” and “sensitive data,” among others. The final report is available here.
In Colorado, meanwhile, the Colorado Attorney General’s Office (“Colorado AG”), which already has rulemaking authority, has begun the rulemaking process for the Colorado Privacy Act (“CPA”), which passed in July 2021. In its regulatory agenda for 2022, the Colorado AG stated that it expects to propose and finalize rules for universal opt-out tools, which are mechanisms that allow users to automatically inform websites that they want to opt out of the processing of their personal data.
As we have reported in prior updates, California is tackling these issues in its own privacy laws, particularly as California is transitioning from the California Consumer Privacy Act (“CCPA”) to the California Privacy Rights Act (“CPRA”), which will take effect in 2023. In the meantime, the California Attorney General’s Office (“California AG”) promulgation of CCPA regulations that were last revised in March 2021, remain in force. Now, the new CPRA-created California Privacy Protection Agency has embarked in earnest on its own rulemaking to consider amending the California AG’s CCPA rules and to enact its own rules for the CPRA. In response to a request for comments on its proposed rulemaking, the agency received scores of comments from individuals, organizations, and government officials, which are available here.
There is no sign of a slowdown in the development of state privacy laws. In fact, more than two dozen other states have floated their own proposals for comprehensive privacy laws.
Although the precise contours of these laws remain in flux, the laws will almost certainly usher in notable regulatory changes affecting how companies collect and manage data while imposing a host of new obligations and potential liability. Companies would be well-served to focus their compliance programs accordingly.
We will continue to monitor developments, and are available to discuss these issues as applied to your particular business.
This alert was prepared by Ryan T. Bergsieker, Cassandra L. Gaedt-Sheckter, and Eric M. Hornbeck.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Data Innovation practice group.
Privacy, Cybersecurity and Data Innovation Group:
United States
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Robert K. Hur – Washington, D.C. (+1 202-887-3674, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])
Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.