The VCDPA (Virginia Consumer Data Protection Act) was enacted on March 2, 2021, making Virginia the second US state after California passing far-reaching data privacy law. Those who are familiar with the GDPR (European Union General Data Protection Regulation) will recognize the terminology throughout the VCDPA, mimicking many terms defined by the GDPR, such as processor, controller and personal data. While not as broad as the GDPR in all respects, the VCDPA is a broad-based privacy law that is comparable to the CCPA (California Consumer Privacy Act).
Although its scope is much narrower than other new and pending privacy laws, Utah’s Cybersecurity Affirmative Defense Act was enacted on March 11, 2021. The law creates a defense affirmative (safe harbor) for corporations in data breach notification of Uttah in case they have a written information security program that fulfills certain requirements as provided in law.
Florida’s privacy bill, House Bill 969, promises to pass and contains game-changing provisions. HB969 is far-reaching privacy legislation sharing numerous resemblances with the CCPA, imposing a wide range of requirements on businesses and granting a number of rights for consumers with respect to their personal information. In addition, like the CCPA, the bill also consists of private right of action in case of certain data breaches. The bill passed with an overwhelming majority in the Florida House of Representatives 118 to 1 and has now moved to the Florida Senate. HB 969 also has the support of Florida Governor Ron DeSantis. On April 29, 2021, the Florida Senate passed its own privacy law – Senate Bill 1734 – which has few vital contrasts from HB 969 and returned to the House for reconciliation. The Florida’s 2021 legislative session ended on April 30, 2021.
Specifically, the Washington Privacy Act of 2021 (SB 5062) was not passed for the third year in a row. The Washington Privacy Act was a comprehensive privacy bill similar to the GDPR, offering consumers broad privacy rights with respect to their personal data. As in the past, much of the controversy over the bill revolved around whether the bill should have an inclusion of private right of action to permit residents to bring violations of the law claims directly. While the bill showed promise this year when it was passed in the Senate, the House version containing a private right of action, have no advancement when the legislative session closed on April 25, 2021.
While it did not gain the national attention that the Washington Privacy Act generated, the Oklahoma Computer Data Privacy Act (HB1602) was also a comprehensive privacy bill that borrowed numerous concepts from the CCPA and included a private right of action. If passed, the HB1602 would have pioneered U.S. privacy law – requiring consumers opt-in before their personal information is collected, which we haven’t seen before in the U.S. Privacy Law. The bill received bipartisan support, proceeded with the Oklahoma House, but did not have advancement to the Oklahoma Senate Judiciary Committee prior to deadline of April 8, 2021. Much of the opposition to the bill has focused on the requirement of opt-in, and there has been strong lobbying pressure from the industry to oppose it.