Tag Archives: Robert N. Famigletti

Colorado Consumer Privacy Bill Passes, Heads to Governor’s Desk

by Marian A. Waldmann Agarwal, Cynthia J. Rich, and Robert N. Famigletti

With the passage of SB21-190, Colorado is poised to become the third U.S. state—behind California and, most recently, Virginia—to enact a comprehensive consumer privacy law. On June 8, 2021, the Colorado Senate approved House amendments to the bill, which previously sailed through full Senate and House votes with overwhelming approval. The bill will soon be transmitted to Governor Jared Polis for his approval and, if enacted, the Colorado Privacy Act (CPA) will become operative on July 1, 2023.  

The CPA tracks closely with the recently-enacted Virginia Consumer Data Protection Act (VCDPA), including by distinguishing between data “controllers” (i.e., businesses that determine the purpose and means of processing personal data) and “processors” (i.e., businesses that process personal data on behalf of a controller), and by prescribing GDPR-like obligations. However, the CPA’s enforcement regime would mark a significant departure from the other state consumer privacy laws, empowering both the Colorado Attorney General (AG) and district attorneys to enforce violations of the Act and prescribing civil penalties of up to $20,000 per violation.

Continue reading

Will Virginia Be the Next Domino to Fall in State Privacy Law?

by Nathan D. Taylor and Robert N. Famigletti

As the Virginia Consumer Data Protection Act (H.B. 2307) heads to Governor Northam’s desk, it appears increasingly likely that Virginia will become the second state to enact a comprehensive consumer privacy law.

After overwhelmingly passing slightly different versions of the bill in late January and early February 2021, Virginia’s House of Delegates and Senate reconciled and passed a substitute, H.B. 2307, on February 19, 2021.  This comes just three months after California voters dramatically changed the California privacy law landscape by approving the California Privacy Rights Act (CPRA), a set of numerous amendments to the California Consumer Privacy Act (CCPA) that will become operative on January 1, 2023.  If enacted, H.B. 2307 will impose additional compliance obligations beyond the CCPA, even as amended by the CPRA.  Moreover, Virginia’s passage of comprehensive privacy legislation may encourage other state legislatures to follow suit—all likely renewing the call for a federal consumer privacy law.

This post provides an overview of the Virginia bill, with a focus on the areas in which it departs from the CCPA and/or CPRA.  Like the CPRA’s substantive obligations, H.B. 2307, if enacted, would become operative on January 1, 2023.

Continue reading