<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=654132&amp;fmt=gif">

Colorado House Votes on SB190, Senate Reconciliation is Next

Updated 6/9/21 @ 11am: The Colorado Senate unanimously voted 34-0 on concurrence and final passage of SB190. It now heads to Gov. Polis, who will have 10 days to sign or explicitly veto it.CPA applies to businesses collecting data on more than 100,000 individuals, or those earning revenue from the data of more than 25,000 consumers. It includes standard data subject rights, an opt-out consent model with a universal opt-out mechanism, and a right to cure, all subject to normal AG rule-making and enforcement.

CPA is effective July 1, 2023 unless vetoed by the Gov. The biggest difference when compared to Virginia or CPRA is the broad requirement (with fewer exemptions) for data protection privacy assessments.

A more specific compliance issue Colorado presents, according to attorney David Zetoony, is the required data protection assessment. Such examinations are also required in the Virginia Consumer Data Protection Act, but Colorado does not exempt companies from these assessments like Virginia.

Original Post

The Colorado Privacy Act SB190 has passed the Colorado House of Representatives by a vote of 57-7. While the bill must return to the Senate for final reconciliation of amendments made by the House, it’s most likely. Unless the Governor vetos it, which is improbable, the amendments will be reconciled in the next few days.

All Posts

Virginia Has Passed a Privacy Act

Gov. Northam has signed the Virginia Consumer Data Protection Act into law.

One of the things 2020 should have prepared us for is the unexpected, and the Commonwealth of Virginia managed it with the mere three weeks from mid-January to the beginning of February that it took the General Assembly to introduce, debate, and favorably vote on the Consumer Data Protection Act (VCDPA) (HB 2307 / SB 1392).

So, what’s in (and not in!) the VCDPA and how does it stack up against familiar privacy acts like California’s CCPA & CPRA and the EU’s GDPR?

And what does it mean for US privacy landscape as we head further into 2021? We start with the familiar, and will see echoes of other passed and pending privacy acts (notably the Washington Privacy Act) throughout the VCDPA; but as we’re seeing in proposed bills across the state level, Virginia is putting its own spin on things.

“Virginia’s Consumer Data Protection Act has passed. As the first comprehensive state privacy law to pass following the CCPA/CPRA, Virginia’s law will again change the legal landscape for American privacy law. The Virginia law is not a California copy-cat and would greatly expand the obligations for subject businesses. Businesses should be aware of the multiple additional obligations that flow from the CDPA.”

– Michael Hellbusch, Partner – Rutan & Tucker

Scope: The VCDPA provisions take effect in 2023 and apply to all businesses that in a calendar year:

  • Control or process the personal data of at least 100,000 consumers OR
  • Control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data (§ 59.1-572.).

Borrowing from the GDPR, Virginia’s VCDPA uses terms including controller, processor, personal data, data minimization, and from the GDPR and CCPA/CPRA, has consumer rights, and the requirement of data protection assessments for high-risk processing activities. We also see the now ubiquitous requirements for reasonably accessible, clear, and meaningful privacy notices that address the collection, processing, disclosure, sale, and nature of and process for requesting consumer rights.

Definitions: Just as in the CCPA, we see the concept of “sale of personal data” for monetary consideration, with a twist that excludes from a sale “the disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience” (§ 59.1-571.).

Another divergence in the VCDPA is in the latter half of the definition of “consumer.” It begins with “a natural person who is a resident of the Commonwealth acting only in an individual or household context” but goes on to explicitly state that the definition of consumer does not include a “natural person acting in a commercial or employment context” (§ 59.1-571.). We see this in the Washington Privacy Act (WPA) as well, and in both, individuals in this context are also exempt from consumer rights provisions.

Personal data” has been defined as broadly as we see in the other regulations, and includes any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data (subject to safeguards), and consistent with the carveout to the definition of Sale, publicly available information is not considered “personal data” under the bill.

With “sensitive data,” we see the blended influence of current regulations – like the CPRA and GDPR, the act includes the concept of sensitive data:


  1. Personal data revealing "racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;"
  2. Biometric data used "for the purpose of uniquely identifying a natural person;"
  3. Data collected from a known child; or
  4. Precise geolocation data.

The VCDPA imposes two key compliance obligations related to sensitive data – and they are significant:

First, sensitive data cannot be processed without opt-in consumer consent (§ 59.1-574.). The bill defines consent, consistent with the WPA, as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous” agreement (§ 59.1-571.).

Second, the VCDPA expressly requires the controller conduct and document a data protection assessment for the processing of sensitive data, in addition to processing for targeted advertising, profiling, sales of personal data, and the ambiguous “processing activities that present a heightened risk of harm" (§ 59.1-576.).

Consumer Rights: In § 59.1-573., the VCDPA provides consumers with the right to submit the following requests to the controller:

  • Access personal data that a business processes about them;
  • Correct inaccuracies in that data, taking into account the nature of the data and the purpose of the processing;
  • Delete personal data provided or obtained about them, subject to certain exceptions; •
  • Obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format
  • Opt-out of processing for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
  • Opt-in to the processing of sensitive data, unless the processing activity is an internal operation "reasonably aligned" with the expectations of the consumer or in furtherance of provision of a product or service specifically requested by the consumer.

Consistent with the terms of the CCPA, controllers must respond free of charge, twice a year and within 45-days. All requests are subject to authentication, and the controller can decline to take action but must provide instructions to the consumer on how to appeal that decision. Similar to the GDPR’s requirements, processors are to assist the controller in meetings its obligations (§ 59.1-575.).

Fines: Before initiating an enforcement action under the Act, the Attorney General is required to provide a controller thirty-day written notice of the specific violation of the Act at issue. Only after a controller’s continued violation of the Act may an action be initiated by the Attorney General, and damages for violations recoverable by the Attorney General are capped at $7500 per violation.

What’s Not In?

When viewed in light of the CCPA, one of the most notable absences in the VCDPA is that Virginia lacks a private right of action - meaning individuals cannot sue if their rights are being violated - leaving enforcement exclusively to the Office of the Attorney General of Virginia. Funding for initial enforcement work is not provided in the Act but is supposed to come later through fines collected in future enforcement actions.

Further, the VCDPA does not require controllers disclose or provide a list of third parties to whom personal data is shared; does not make a provision for an authorized agent to submit rights on the consumer’s behalf; and makes no provisions for instances of a data breach.

Similar to the WPA, the bill exempts a range of regulated financial services, health care, human research, consumer credit reporting, educational, and employment data from its provisions, with wide carveouts for specific types of data and covered entities regulated under laws such as HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and educational privacy law FERPA (§ 59.1-572.).

Unlike the rounds of rule-making we saw with the CCPA, the VCPDA does not provide for rule-making, though it does direct the Chairman of the General Assembly's Joint Commission on Technology and Science to create a working group of government officials, business representatives, and privacy advocates to produce recommendations related to implementation of the act by November 1, 2021.

So where does this leave us?

The Virginia Consumer Data Protection Act is another step forward, offering significant new rights for consumers, demonstrating the ongoing interest of Americans in protecting their data, and – combined with the host of other states with proposed acts – putting additional pressure on Congress to pass a federal data privacy law.

Without question, some experts had hoped law makers would go even further on the issues of Opt-In vs Opt-Out Consent and a Private Right of Action, but the VCDPA will continue to push forward the national conversation on data privacy rights and the security of consumer data.

Watch our on-demand webinar here: Virginia Consumer Data Protection Act: What Businesses Need to Know

Janalyn Schreiber
About Janalyn Schreiber
Janalyn is the co-founder of Data Privacy & Security Advisors.
Recent Posts

Colorado House Votes on SB190, Senate Reconciliation is Next

Updated 6/9/21 @ 11am: The Colorado Senate unanimously voted 34-0 on concurrence and final passage of SB190. It now heads to Gov. Polis, who will have...

4 Tips for Choosing the Right Privacy Tool

First, there was technology, then came the data collection. As that technology rapidly grew more intelligent and pervasive, so too did the data. As th...

The California Privacy Protection Agency Is Not Wasting Time

In a meeting agenda released today, the California Privacy Protection Agency made it clear that they are going to move quickly and start implementing ...

Update: Senate Vote on Colorado Privacy Act is In

The Colorado State Senate has unanimously passed the Colorado Privacy Act which will now move to the State Assembly for voting. The current session co...