In the absence of comprehensive federal privacy law, states are following California’s lead and proposing their own privacy bills. This blog post provides an overview of three state bills that we are tracking closely in this year’s legislative session: the Washington Privacy Act (“WAPA”), the New York Privacy Act (“NYPA”), and the Virginia Consumer Data Protection Act (“VCDPA”). Though the proposed bills are distinct, there are similarities that largely track existing CCPA and/or GDPR requirements:
- Distinguishing between controllers and processors. Similar to the EU’s GDPR, all three bills distinguish between “controllers,” which generally determine the purposes and means for processing personal data, and “processors,” which process data on behalf of the controller.
- Imposing contractual requirements between controllers and processors. Similar to the CCPA, the three measures require establishing contractual obligations between controllers and processors that provide specific instructions for processing, among other requirements, depending on the bill.
- Defining targeted advertising. In contrast to the CCPA and GDPR, each of these state bills provides an explicit definition of targeted advertising. Generally, this definition includes advertising targeted to consumers based on the personal data that a controller has collected about those consumers from across a number of websites. This definition generally does not include advertising solely based on a consumer’s current visit to the website.
- Providing rights for consumers. Consistent with the GDPR and CCPA, all three bills provide consumers with various privacy rights, including the right to confirm processing, access, delete, correct, and opt out of their data processing for specific purposes. Notably, the NYPA goes one step further and requires opt-in consent for all data processing.
- Providing transparency about data practices. All three measures require those subject to the law to provide transparent privacy notices with information about their data processing practices.
- Conducting risk assessments. Each measure references risk assessments, or similar measures, that applicable entities must conduct with respect to data processing, including, in the instance of the WAPA, targeted advertising, data sales, and some specific instances of profiling. Though the NYPA references risk assessments, it does not provide explicit requirements.
While the bills include many similarities, some of the measures’ differences are worth noting, specifically as they apply to thresholds for which entities are subject to the law, consent requirements, enforcement mechanisms, and penalties. The following chart identifies some of these key distinctions.
| | NYPA | WAPA | VCDPA |
|---|---|---|---|
| Thresholds to Applicability | None | Conduct business in WA and (a) annually control or process personal data of 100,000+ consumers; or (b) derive over 25% of gross revenue from the sale of personal data and process or control personal data of 25,000+ consumers* | Conduct business in or produce products or services targeted to VA and (a) control or process personal data of at least 100,000 consumers; or (b) derive over 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers* |
| Data Brokers | Separately defines and provides obligations for data brokers | N/A | Separately defines data brokers |
| Consent | Required for all processing | Generally not required, except for sensitive data | Only required where a consumer has restricted processing, or a risk assessment indicates that risks of processing outweigh consumer benefits |
| Opt-Out | Permitted for all processing | Permitted for processing for targeted advertising, sale, or profiling for decisions that have legal effects | Permitted where processing requires consent |
| Fiduciary Duty? | Yes, for controllers and data brokers | No | No |
| Private Cause of Action | Yes | No | Yes |
| Cure Period? | No | Yes, 30 days after receipt of a warning letter from the Attorney General | Yes, 30 days after receipt of notice of alleged noncompliance |
| Damages/Penalties | Injunction, damages, and a civil penalty based on the number and type of violations and the size of the entity | Up to $7,500 per violation | Private plaintiffs can seek the greater of actual damages or $500, or, for willful actions, the greater of treble damages or $1,000**; the Attorney General can seek up to $2,500 per willful violation |
*Consumers are defined as residents of the respective state acting in an individual or household context, and explicitly exclude individuals acting in a commercial or employment context.
**The VCDPA permits a private cause of action under the state Consumer Protection Act, which includes a cap on damages as identified in the chart.
Notably, two of the three bills include a private cause of action, a point of contention at the federal level. The absence of such a provision in the WAPA helped kill two prior attempts to enact a state privacy law. Critics of the WAPA point to the lack of a private right of action as the biggest reason to reject the bill, and we could see changes to these provisions as the bill moves through the legislative process.
The three bills are still pending, with the NYPA and WAPA referred to committees in their respective legislatures. The VCDPA is the closest to enactment, with companion bills having passed in both the state House and Senate. The legislature must now reconcile the companion bills before the General Assembly adjourns on February 11, 2021. The bill would then require the governor’s signature to become law, which could be by the end of the month. If enacted, the VCDPA would become effective on January 1, 2023. Stay tuned to this blog for updates on these and other proposed measures, and what their enactment means for future privacy compliance.