In June 2018, one month after the EU's General Data Protection Regulation (GDPR) went into effect, California became the first state in the U.S. to enact a comprehensive consumer data privacy law, the California Consumer Privacy Act (CCPA). It took a few years, but on March 2, 2021, Virginia became the second state to enact such legislation when the Consumer Data Protection Act (CDPA) was signed into law.

Virginia's CDPA will become effective on Jan. 1, 2023, and is similar to California's CCPA— with some notable differences.

Like the CCPA, consumers will have enhanced rights to access and request deletion of their personal data, as well as the ability to opt out of the collection and sale of data . Unlike the CCPA, the CDPA provides an additional right to opt out of targeted advertising and requires opt-in consent for the use of certain types of “sensitive" personal data, defined to include race, ethnicity, precise geolocation and health data. It does not, however, establish a separate enforcement agency, and there is no private right of action for consumers. Instead, the CDPA will be enforced by Virginia's attorney general.

The CDPA has significant limitations and exemptions. First, it is only applicable to companies that:

1) Conduct business in Virginia or produce products or services targeted to Virginia; and

2) Control or process personal data of at least 100,000 Virginia consumers in a calendar year; or 25,000 Virginia consumers while deriving more than 50% of gross revenue from the sale of personal data in a calendar year.

Moreover, the CDPA does not apply to any entities already subject to the Gramm-Leach-Bliley Act (GLBA), any entity governed by the Health Insurance Portability and Accountability Act (HIPAA), or any nonprofit organization. 

While Big “I" members should largely fall under one or more of the exemptions to Virginia's CDPA, particularly as entities already subject to the GLBA, the adoption of consumer privacy laws is likely to accelerate in 2021.

At least 10 other states, including Illinois, Minnesota and Massachusetts, have introduced privacy bills similar to the CDPA and CCPA. In February 2021, at least one chamber of state legislatures in Oklahoma and Washington passed comprehensive consumer privacy bills.

While most proposed bills are similar, they contain key differences from state to state. For example, the Massachusetts bill lacks express exemptions for entities subject to the GLBA.

If action continues at the state level, businesses may have to contend with an increasingly complex and onerous patchwork of privacy regulations. That said, standard-setting organizations like the National Association of Insurance Commissioners (NAIC) have taken note and will focus on the adoption of more uniform state consumer privacy laws.

Federal legislation also remains a possibility for setting a national standard, especially in any areas it might preempt state law. While a variety of bills have been introduced over the years without success, the latest proposal—the Information Transparency and Personal Data Control Act—has garnered attention and received endorsement from at least one retail coalition.

Overall, it will be important to stay apprised of new developments in the data privacy arena. It is also never too late or a waste of time to establish, review or update an effective data privacy program, in addition to a company's data security program.

For more information, members are encouraged to review the Agents Council for Technology's Agency Cyber Guide 3.0, which includes various sample documents, such as a website privacy policy and a link to the Office of General Counsel memorandum on the application of the GLBA.

If you have any further questions about this or related topics, contact Ron Berg, Wes Bissett, Scott Kneeland, or Eric Lipton.

Eric Lipton is Big "I" senior counsel.