December 14, 2021
Virginia and Colorado, which earlier this year enacted comprehensive state privacy laws following California’s 2018 lead, are now poised to follow California in another way in 2022: writing implementing regulations and weighing changes to the laws themselves. Companies should account for these regulations and changes as they develop programs to comply with the laws, which take effect in 2023.
In Virginia, lawmakers are exploring possible updates to the Virginia Consumer Data Protection Act (“VCDPA”), which passed in March 2021, such as giving a state agency rulemaking authority. Unlike the California and Colorado laws, the VCDPA itself does not give a state agency the power to issue regulations to implement the new law. But a recent report mandated by the VCDPA recommended that the legislature give the Virginia Attorney General’s Office (“Virginia AG”) or another agency such rulemaking authority.
The report was issued in response to a provision in the VCDPA, which required the creation of a working group made up of government, business, and community representatives to study potential changes to the VCDPA before it goes into effect. The group met six times before issuing its final report in November. In addition to rulemaking authority, the report also suggested other significant changes, including increasing the Virginia AG’s enforcement budget, allowing the Virginia AG to collect actual damages from violations that cause consumer harm, giving companies a right to cure violations that would sunset in the future, requiring companies to honor an automated global opt-out signal, changing the “right to delete” to a “right to opt out of sale,” and considering amending statutory definitions such as “sale,” “personal data,” “publicly available information,” and “sensitive data,” among others. The final report is available here.
In Colorado, meanwhile, the Colorado Attorney General’s Office (“Colorado AG”), which already has rulemaking authority, has begun the rulemaking process for the Colorado Privacy Act (“CPA”), which passed in July 2021. In its regulatory agenda for 2022, the Colorado AG stated that it expects to propose and finalize rules for universal opt-out tools, which are mechanisms that allow users to automatically inform websites that they want to opt out of the processing of their personal data.
As we have reported in prior updates, California is tackling these issues in its own privacy laws, particularly as California is transitioning from the California Consumer Privacy Act (“CCPA”) to the California Privacy Rights Act (“CPRA”), which will take effect in 2023. In the meantime, the CCPA regulations promulgated by the California Attorney General’s Office (“California AG”), which were last revised in March 2021, remain in force. Now, the new CPRA-created California Privacy Protection Agency has embarked in earnest on its own rulemaking to consider amending the California AG’s CCPA rules and to enact its own rules for the CPRA. In response to a request for comments on its proposed rulemaking, the agency received scores of comments from individuals, organizations, and government officials, which are available here.
There is no sign of a slowdown in the development of state privacy laws. In fact, more than two dozen other states have floated their own proposals for comprehensive privacy laws.
Although the precise contours of these laws remain in flux, the laws will almost certainly usher in notable regulatory changes affecting how companies collect and manage data while imposing a host of new obligations and potential liability. Companies would be well-served to focus their compliance programs accordingly.
We will continue to monitor developments, and are available to discuss these issues as applied to your particular business.
This alert was prepared by Ryan T. Bergsieker, Cassandra L. Gaedt-Sheckter, and Eric M. Hornbeck.
© 2021 Gibson, Dunn & Crutcher LLP