Virginia on Track to Become Second State to Pass Data Privacy Laws

Lanton Law’s privacy practice has been closely monitoring the various state conversations around data privacy. We previously wrote a blog post titled California’s Consumer Privacy Act Could Be Coming to a State Near You, where we traced how California took the first step to create a consumer privacy law in the wake of Europe’s General Data Protection Regulation.

So what’s going on with Virginia? Earlier this month the Virginia Senate passed Senate Bill 1392, titled the Consumer Data Protection Act. The Virginia House of Delegates approved a companion (identical) House Bill H.B. 2307 by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. The state General Assembly will adjourn on March 1, and it is expected that Governor Northam will sign the legislation.

What does the bill do? The proposed legislation seeks the following:

“Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising. The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort. The bill has a delayed effective date of January 1, 2023.”

As with major policy issues that have yet to have a federal solution, states like California, Virginia and others are creating piecemeal policies, which will create compliance issues for entities that operate in several jurisdictions. New York, Oklahoma, Washington State, Minnesota, and North Dakota are jurisdictions that we continue to monitor with brewing policies on point.  

As we become more reliant on technology that now crosses several sectors, businesses are finding that they have to increase their awareness of state and federal policy in order to remain compliant. We at Lanton Law can help. Our legal and lobbying tools can help offer your organization a clear path forward to navigate what will be changing policies for healthcare, technology and clean energy stakeholders. We are a D.C.-based firm with no state boundaries, as we are active nationwide. Contact us today to discuss your options.

technology, IoT, HealthIT Ron Lanton

California’s Consumer Privacy Act Could Be Coming to a State Near You

Oftentimes policy changes that sweep across the nation originate in policy “hot spots” like Massachusetts, California, New York, etc. This time it’s consumer privacy. As we rely more and more on the internet of things, artificial intelligence and fitness applications, we are unfortunately becoming more exposed to potential data breaches. If you operate in California, the California Consumer Privacy Act (CCPA) will be a defining factor in how you manage risks around consumer data. Approximately 500,000 businesses across all business sectors will have to comply with CCPA once the act goes into effect on January 1, 2020.

So what is the CCPA? Passed in 2018 as AB 375, the Act models itself on Europe’s General Data Protection Regulation that went into effect recently. The bill gives California residents the right to be informed about how companies collect and use their data. The law also allows their personal data to be deleted. CCPA creates a sliding scale approach by applying to California businesses that generate an annual gross revenue of $25 million with half of their annual revenue deriving from selling consumer information, or to companies that buy, sell or share personal information from at least 50,000 consumers, households or devices.

Recently, the California legislature passed five bills seeking to amend CCPA, which Governor Gavin Newsom (D-CA) has until October 13, 2019 to sign or veto. Additionally, the state attorney general is expected to release draft regulations by the end of the year. Interestingly, an economic impact assessment prepared by a third party for the California Attorney General’s office stated that the new law could cost companies a total of up to $55 billion in initial compliance costs.

So why is this important? Our society’s reliance on connectivity is not slowing down. The very companies that many of us interact with on a daily basis such as Amazon, Twitter and Facebook find themselves at the center of how they will comply with CCPA. But while this can be explained away as something that impacts only California, I have seen this type of legislation starting to spread to a cluster of other states.

If you traffic in data, it will be a good idea to take inventory of your operational risks and whether your company will be able to comply if a similar law is enacted in your state. If you need assistance with regulatory compliance or are interested in finding out how your company can best engage with policymakers on this issue, don’t hesitate to reach out to us at either Lanton Strategies or Lanton Law.
