New Virginia & California Data Privacy Laws in 2023
The widespread use of the internet for many of the functions of daily life has led to concerns over the privacy and security of users’ personally identifiable information (PII). Information like addresses, credit card numbers, and Social Security numbers can be very valuable to people who intend to misuse it for their own gain. Identity theft and related crimes cost consumers and businesses billions of dollars every year. Various federal and state laws attempt to protect data privacy, but the U.S. has no comprehensive data privacy law at the national level. Several states, however, have enacted laws that provide sweeping data privacy protections, including California data privacy laws, which have been at the forefront of individual state regulations for the past few years.
This trend of states implementing more stringent data privacy regulations continues in 2023 with Virginia enacting a new data privacy law and California amending its existing data privacy regulations – both taking effect in January 2023.
When Do the New Laws Take Effect?
Both the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023. Three more states, Colorado, Connecticut, and Utah, will join them later in the year.
What Do the New Laws Protect?
The CPRA and the VCDPA offer extensive protections for consumer data held by third parties.
Who Do the New Laws Cover?
Both laws apply to for-profit businesses and organizations that operate in their respective states and meet criteria related to annual revenue and receipt or use of PII. One criterion in both laws, for example, involves the processing of PII from at least 100,000 consumers per year. The VDCPA may also apply to some individuals and nonprofit organizations.
What Are Consumers’ Rights under the New Laws?
The laws provide consumers with numerous rights regarding their PII, including:
- To know what information is being used, and how;
- To access their personal information;
- To correct inaccuracies;
- To delete certain personal information; and
- To opt out of certain uses of personal information.
With regard to the right to opt out, the CPRA prohibits covered entities from using information belonging to anyone under the age of 16 unless they obtain “opt in” permission.
What Information Do the New Laws Protect?
The CPRA amends the California Consumer Privacy Act (CCPA), which has been in effect since 2020. It uses the CCPA’s definition of “personal information,” which includes anything “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CPRA adds a new category of “sensitive personal information,” which includes:
- ID numbers, such as Social Security or passport;
- Login information for online accounts;
- Geolocation data;
- Genetic data;
- Biometric processing data; and
- Information about racial or ethnic origin, union membership, or political or religious affiliations.
The VCDPA uses a similar definition of “personal information.” Its definition of “sensitive data” includes most of the above examples, as well as personal information collected from someone known to be a child under the age of 18.
Who Enforces the New Laws?
For California data privacy laws, the California Attorney General (AG) and the newly created California Privacy Protection Agency may enforce the CPRA. Consumers also have the right to bring a cause of action for violations. The Virginia AG will enforce the VCDPA.
Learn More
Baer Reed advises law firms and in-house counsel on how to address concerns regarding data breaches, data privacy, and related litigation issues. Contact us today to learn more.
- On March 15, 2023
- Back to post list