Virginia Enacts Consumer Data Privacy Legislation. Virginia has become the second state with its own comprehensive data privacy legislation. Following passage by both houses of Virginia’s state legislature with large bipartisan majorities, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) into law on March 2, 2021. It should come as no surprise that Virginia’s CDPA is similar, but not identical to, California’s CCPA. Indeed, as we discussed in our 2019 Bloomberg Law article, So the CCPA is Ambiguous – Now What?, all privacy laws derive from the same core foundational principals, namely the Fair Information Practice Principles. The CDPA includes similar concepts and provisions, such as giving Virginians the right to determine whether their data is being collected and processed, to ask for a copy of their data, to correct inaccuracies, to ask for the deletion of personal data, and to opt out of processing personal data that may be used for targeted advertising, sale, or consumer profiling. The CDPA gives the Virginia attorney general exclusive enforcement authority, and does not provide for a private right of action. The CDPA becomes effective Jan. 1, 2023, the same day most of the provisions of the California Privacy Rights Act, the updated voter-approved version of the California Consumer Privacy Act, will take effect. The CDPA will apply to all businesses that control or process data for at least 100,000 Virginians, or those commercial entities that derive at least 50% of their revenues from the sale and processing of consumer data of at least 25,000 customers.
Troutman Pepper’s forthcoming five-part series on Virginia’s CDPA will provide a detailed overview of the Act and how it compares to California’s approach to privacy under the CCPA and CPRA, including a discussion of consumer rights, notice and disclosure obligations, data processing obligations, and enforcement. At the conclusion of the series, Troutman Pepper will host a webinar on the CDPA. Stay tuned for registration information.
DFS Releases Its Cyber Insurance Risk Framework. Although DHS Cybersecurity Insurance Working Sessions released reports about the sessions a few years ago, and the National Association of Insurance Commissioners (NAIC) had formed a working group that issued recommendations in 2017, New York’s Department of Financial Services is the first U.S. regulator to issue specific guidance for property/casualty insurers writing cyber insurance. As cybercrime becomes more common and more costly, this new cyber insurance framework seeks to “foster the growth of a robust cyber insurance market” to help protect against the growing number of cyber threats faced by organizations in modern life. Among other things, the DFS recommends against paying ransom payments, which it contends “fuels the vicious cycle of ransomware” and does not guarantee that an organization will get its data back or that criminals will not use that stolen data in the future. For a full copy of the Framework, go to the DFS website.
Oklahoma and Utah Lawmakers Introduce Privacy Bills. The Oklahoma House of Representatives introduced House Bill 1602 to enact the Oklahoma Computer Data Privacy Act (Act). As drafted, the Oklahoma Computer Data Privacy Act applies to certain businesses that collect consumers’ personal information and gives consumers the right to request disclosure and deletion of information. Similarly, Utah’s state Senate introduced Senate Bill 200 to enact the Utah Consumer Privacy Act. Like Oklahoma’s Computer Data Privacy Act, Utah’s Consumer Privacy Act gives Utah consumers the right to access, correct, and delete certain personal data, among other things. Oklahoma and Utah now join Alabama, Arizona, Connecticut, Florida, Kentucky, Minnesota, New York, Virginia, and Washington on the list of states considering comprehensive privacy bills.
FTC Releases Fraud Report. On February 4, the FTC announced it received over 2.1 million fraud reports in 2020. The most common type of fraud reported to the FTC related to “imposter scams.” The second most common, with an elevated surge during the start of the pandemic, relates to online shopping. Compared to 2019, consumers reported a $1.5 billion loss increase in 2020, totaling nearly $3.3 billion in losses. For those interested in reviewing the full breakdown of reports received last year, click here. To read the February 4 announcement, click here.
FTC Acting Chairwoman Details Priorities at Future of Privacy Forum. Speaking at the February 10 Future of Privacy Forum, FTC Acting Chairwoman Rebecca Kelly Slaughter emphasized the need for strong privacy legislation at the federal level. She also called for FTC staff to be more creative in fashioning settlements, suggesting disgorgement of data as one tool in the FTC “toolbox” when pursuing misconduct. Slaughter discussed the current pandemic and its resulting privacy and security issues, including those related to technology, that have become more prevalent due to the pandemic, such as ed-tech and health apps. Finally, Slaughter addressed racial equity and the FTC’s role in fighting racial injustice. For Slaughter’s full remarks, click here.