Privacy & Information Security Law Blog

On March 1, 2024, the Virginia legislature passed S.B. 361 (the “Bill”), which amends the Virginia Consumer Data Protection Act to introduce new protections for children’s privacy. If signed by the Virginia Governor, the new children’s privacy protections will go into effect on January 1, 2025.

On March 15, 2023, the Colorado Attorney General’s Office finalized rules implementing the Colorado Privacy Act (“CPA”). The finalized rules were released with an official redline that reflects prior revisions of the rules dated December 21, 2022, January 27, 2023, and February 23, 2023. The rules will be published in the Colorado Register later this month and will go into effect on July 1, 2023, when the CPA takes effect.

On March 6 and 15, 2023, both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, which could make Iowa the sixth U.S. state to enact comprehensive privacy legislation. The bill is most similar to Utah’s comprehensive privacy law.

On February 6, 2023, Texas State Representative Giovanni Capriglione submitted H.B. 1844, a comprehensive privacy bill modeled after the Virginia Consumer Data Protection Act (“VCDPA”). The bill could make Texas the sixth U.S. state to enact major privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut. Although the bill closely follows the VCDPA, it departs from the Virginia law in several key areas, most notably in the definition of “personal data” and its applicability.

On October 13, 2022, the Interactive Advertising Bureau (“IAB”) released for public comment an updated version of its contractual framework and new U.S. State Signals (“Signals”) specifications to help the digital advertising industry comply with the comprehensive state privacy laws of California, Virginia, Colorado, Utah and Connecticut.

On July 26, 2022, the attorneys general of New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida and Washington D.C. announced an $8 million multistate settlement with Wawa Inc. that resolves the states’ investigation into a 2019 data breach that compromised approximately 34 million payment cards used by consumers at Wawa stores and fueling locations. 

On May 4-6, 2022, the California Privacy Protection Agency (“CPPA”) held via video conference several public pre-rulemaking stakeholder sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, stakeholders ranging from privacy and cybersecurity experts to trade associations and California small business owners provided verbal comments, insights and suggestions to the CPPA as it develops the forthcoming CPRA regulations. The sessions focused on a number of issues, including automated decision-making, data minimization and purpose limitation, dark patterns, consumers’ rights (e.g., opt-out rights, limitation on the use of sensitive personal information), and cybersecurity audits and risk assessments. Comments and positions taken amongst the stakeholders varied. Some of the positions taken by stakeholders are summarized below:

On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, after the law was previously passed by the Connecticut General Assembly in April. Connecticut is now the fifth state to enact a consumer privacy law.

On April 11, 2022, Virginia Governor Glenn Youngkin signed into law three bills that amend the Virginia Consumer Data Protection Act (“VCDPA”) ahead of the VCDPA’s January 1, 2023 effective date. The bills, HB 381, HB 714 and SB 534, (1) add a new exemption to the VCDPA’s right to delete; (2) modify the VCDPA’s definition of “nonprofit”; and (3) abolish the Consumer Privacy Fund.

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

On January 31, 2022, Hunton Andrews Kurth’s retail industry team released its annual Retail Industry in Review publication, which provides an overview of key issues and trends that impacted the retail sector in the past year, as well as a preview of relevant legal issues retailers can expect to arise in 2022. This year’s edition takes a close look at issues stemming from the COVID-19 pandemic, and addresses the evolving U.S. state privacy law landscape, with a focus on the passage of the Colorado Privacy Act and Virginia Consumer Data Protection Act. The publication also addresses ...

On March 18, 2021, Lisa Sotto, Chair of Hunton’s global Privacy and Cybersecurity practice, and Mike Swift, MLaw Chief Global Digital Risk Correspondent, led a webinar on Everything You Need to Know About the California Privacy Rights Act. The webinar, which was part of LexisNexis’ Emerging Issues Webinar Series, provides an immersive look at the California Privacy Rights Act (“CPRA”) and other recent privacy laws.

On March 30, 2021, Hunton Andrews Kurth will host a webinar examining Virginia’s new Consumer Data Protection Act.

On March 2, 2021, Virginia’s Governor, Ralph Northam, signed the Consumer Data Protection Act into law without any further amendments. In addition to California, Virginia is now the second state to enact major privacy legislation of general applicability in the U.S.

As we previously reported, significant data privacy bills, titled the Consumer Data Protection Act, are working their way through the Virginia legislature. If enacted, Virginia would be the second state to enact major data privacy legislation of general applicability.

On February 5, 2021, the state Senate of Virginia voted unanimously to approve Senate Bill 1392, titled the Consumer Data Protection Act, after the House of Delegates approved an identical House bill by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. Minor, clarifying amendments will likely be added in committee, but they are not expected to alter the main components of the bill. Virginia’s General Assembly will adjourn Sine Die on March 1, and legislators have until then to finalize the details of the legislation. Virginia’s Governor Ralph Northam would be in a position to sign the bill later in March. Notably, the Governor has line item veto authority, so the bill could also possibly be amended after it passes the General Assembly.

On July 1, 2018, HB 183, which amends Virginia’s breach notification law, will come into effect (the “amended law”). The amended law will require income tax return preparers who prepare individual Virginia income tax returns to notify the state’s Department of Taxation (the “Department”) if they discover or are notified of a breach of “return information.” Under the amended law, “return information” is defined as “a taxpayer's identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”

Recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer. 

On May 16, 2014, Virginia Governor Terry McAuliffe announced the members of the Virginia Cyber Security Commission, including the appointment of Hunton & Williams LLP’s Paul M. Tiao. Tiao, one of eleven citizen members elected to the group, is a partner in the firm’s Global Privacy and Cybersecurity Practice Group.

In the past two months, lawmakers in three states have introduced legislation that would expand the scope of certain security breach notification requirements.

Virginia SB 1041

On January 11, 2011, Virginia lawmakers introduced SB 1041, which would amend the state’s health breach notification statute to impose notification requirements on businesses, individuals and other private entities, in the event unencrypted or unredacted computerized medical information they own or license is reasonably believed to have been accessed and acquired by an unauthorized person.  The law currently applies only to organizations, corporations and agencies supported by public funds.  In addition to broadening the scope of the law’s applicability, the amendment would permit the Virginia Attorney General to impose a civil penalty of up to $150,000 per breach (or series of similar breaches that are discovered pursuant to a single investigation), without limiting the ability of individuals to recover direct economic damages for violations.

Update: On February 11, 2011, BNA's Privacy Law Watch reported that SB 1041 had failed and would not be carried over to the next legislative session.

Representative Rick Boucher (D-VA), current head of the House Subcommittee on Communications, Technology and the Internet, lost his reelection bid yesterday to Republican Morgan Griffith, the Majority Leader of the Virginia House of Delegates.  Representative Boucher, widely recognized and respected for his legislative efforts in the areas of technology, telecommunications and privacy law, co-authored the CAN-SPAM Act and also introduced draft privacy legislation earlier this year.  Congressman Boucher’s defeat leaves the House Subcommittee on Communications, Technology and the Internet panel without its top Democrat, and it is unclear who will fill that leadership vacancy.