
InfoBytes Blog

Financial Services Law Insights and Observations


  • Virginia enacts additional consumer data protections

    Privacy, Cyber Risk & Data Security

    On April 11, the Virginia governor signed legislation enacting additional amendments to the Virginia Consumer Data Protection Act (VCDPA). Both bills take effect July 1.

    HB 714 (identical bill SB 534) expands the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.

    HB 381 amends VCDPA provisions related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a third party “shall be deemed in compliance with a consumer’s request to delete such data . . . by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose . . . or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant” to the VCDPA. 

    As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” 

    Privacy/Cyber Risk & Data Security State Issues State Legislation Virginia Consumer Protection Act Virginia Consumer Protection VCDPA

  • Utah becomes fourth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, and Virginia (covered by Buckley Special Alerts here and here and InfoBytes here). As previously covered by InfoBytes, under the UCPA, consumers will have rights to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data. The UCPA also outlines data controller responsibilities, including a requirement that data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The UCPA also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices. While the UCPA explicitly prohibits its use as the basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. Additionally, upon discovering a potential violation of the UCPA, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The UCPA takes effect December 31, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Utah Consumer Protection

  • Wyoming enacts genetic data privacy provisions

    Privacy, Cyber Risk & Data Security

    On March 8, the Wyoming governor signed HB 86, which requires businesses that collect genetic data to obtain consent from a consumer or a consumer’s authorized representative before collecting genetic data, performing genetic testing, or retaining or disclosing a consumer’s genetic data. To safeguard the privacy, confidentiality, security, and integrity of a consumer’s genetic data, businesses must, among other things, (i) provide clear, transparent information to consumers about the collection, use, or disclosure of genetic data before collecting it (including providing a publicly available privacy notice); and (ii) obtain express consent from a consumer before collecting genetic data, and receive separate express consent for transferring or disclosing genetic data to persons “other than the company’s vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses,” or for retaining genetic data after the initial testing service is completed. The Act outlines additional requirements and prohibitions on the disclosure and retention of genetic data and requires businesses to implement and maintain a comprehensive security program to protect genetic data from unauthorized access, use, or disclosure. Additionally, the Act provides consumers with the statutory right to access and request deletion of genetic data when it is no longer being used or needed for the purpose for which it was collected, and provides consumers with a private right of action to seek damages from businesses that violate the Act. Under the Act, businesses have 60 days from the date of notice to cure any alleged violations. The Wyoming attorney general also has the authority to enforce the Act and may seek penalties of up to $2,500 for each violation, as well as actual damages for harmed consumers on whose behalf the action was brought and attorneys’ fees and costs.

    Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services that collect protected health information under HIPAA are exempt from the Act’s provisions. The Act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Wyoming Consumer Protection

  • Virginia passes additional VCDPA amendments

    Privacy, Cyber Risk & Data Security

    On March 7, the Virginia House and Senate passed HB 714, which amends Sections 59.1-575 and 59.1-584 and repeals Section 59.1-585 of the Virginia Consumer Data Protection Act (VCDPA). Specifically, the amendments expand the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.

    As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor, and if enacted, will take effect January 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia VCDPA

  • Florida house tries again on consumer privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 2, the Florida house passed HB 9, which would, among other things, regulate the sale and sharing of consumers’ personal data and provide consumers the right to sue over alleged violations. This is the state’s latest attempt to pass comprehensive consumer privacy legislation. Last year, the two chambers of the Florida legislature failed to reconcile differences in their bills before the session ended. Highlights of the bill (which include changes from last session’s versions) include:

    • Applicability. The bill will apply to any entity meeting the definition of a controller, processor, or third party that buys, sells, or shares consumers’ personal information and (i) has global annual gross revenues exceeding $50 million; (ii) annually buys, receives, sells, or shares personal information of at least 50,000 consumers, households, or devices; or (iii) derives 50 percent or more of its global annual revenue from the selling or sharing of personal information. The bill sets forth numerous exemptions from its requirements, including personal information shared “with a financial service provided solely to facilitate short term, transactional payment processing for the purchase of products or services”; deidentified or aggregated personal information; data governed by certain federal, state, or local regulations or used to exercise or defend legal claims; certain personal information collected through a controller’s direct interaction with a consumer that is used to advertise or market products or services that are produced or offered directly by the controller; personal information used in the context of a consumer’s role or former role with the controller; specified protected health information; financial institutions covered by the Gramm-Leach-Bliley Act; personal information disclosed during intentional interactions or disclosed as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller; and personal information used to fulfill the terms of a written warranty, a product recall, or public- or peer-reviewed scientific or statistical research in the public interest.
    • Consumer rights. Under the bill, consumers will be able to, among other things, access their personal data; request deletion or make corrections; and opt out of the sale or sharing of personal information to third parties. Controllers will be required to deliver the requested information free of charge within 45 calendar days (a one-time additional 45-day extension may be granted), but are not required to provide personal information to a consumer more than twice in a 12-month period. Controllers will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances. Additionally, the bill will provide controllers the ability to charge a consumer who exercises any of their rights under the bill “a different price or rate, or provide a different level or quality of goods or services to the consumer” provided the “difference is reasonably related to the value provided to the controller by the consumer’s data or is related to a consumer’s voluntary participation in a financial incentive program, including a bona fide loyalty, rewards, premium features, discounts, or club card program offered by the controller.” Financial incentives that are not unjust, unreasonable, coercive, or usurious may also be offered as long as consumers give prior consent and are allowed to revoke consent at any time. The bill further stipulates that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
    • Disclosures. The bill will require controllers that collect consumers’ personal information to disclose certain information regarding data collection and selling practices to consumers at or before the point of collection. This information “may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request.” Additionally, processors or third parties must require any subcontractor to meet the same obligations with respect to personal information. Businesses also will be prohibited from collecting or using additional categories of personal information without first notifying consumers.
    • Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information.
    • Private cause of action, right to cure. The bill will provide a private right of action to allow consumers to bring a civil action under certain circumstances for injunctive or declaratory relief, and establishes a damage amount of either statutory damages of at least $100 but not more than $750 per consumer per incident, or actual damages, whichever is greater. Consumers may obtain specific relief from businesses with annual gross revenues greater than $50 million. In lawsuits involving businesses with annual gross revenues exceeding $500 million, consumers also are permitted to recover attorneys’ fees and costs. Civil actions must be filed within one year after discovery of the violation. The Department of Legal Affairs is also authorized to take action against a controller, processor, or third party for unfair or deceptive acts or practices. Fines may be tripled if a violation involves consumers 18 years of age or younger, or if a controller, processor, or third party fails to cure the violation upon written notice within 45 calendar days.

    If enacted in its current form, the bill would take effect January 1, 2023. The bill must be approved by the Florida senate and any differences reconciled before being sent to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Florida

  • Utah legislature passes privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Utah legislature passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state. (See also senate and house approved amendments here.) Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that also “has annual revenue of $25,000,000 or more” and “controls or processes personal data of 100,000 or more consumers” or “derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.” Certain entities are exempt from the bill’s requirements, including governmental entities and third parties under contract with a governmental entity that acts on behalf of that entity; tribes; institutions of higher education; nonprofits; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; financial institutions and affiliates subject to federal privacy disclosure requirements; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data.
    • Controllers’ and processors’ responsibilities. Under the bill, data controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, “unless the request is the consumer’s second or subsequent request during the same 12-month period.” Data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing deidentified data or pseudonymous data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it gives the Division of Consumer Protection investigative power and grants the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.

    If enacted in its current form, the bill would take effect December 31, 2023. 

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Utah

  • Virginia passes amendments on CDPA for data deletion

    Privacy, Cyber Risk & Data Security

    On February 25, the Virginia House and Senate passed HB 381, which amends Section 59.1-577 of the Virginia Consumer Data Protection Act (VCDPA) related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a third party “shall be deemed in compliance with a consumer’s request to delete such data . . . by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose . . . or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant” to the VCDPA. As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia VCDPA

  • Wisconsin assembly passes comprehensive data privacy bill

    Privacy, Cyber Risk & Data Security

    On February 23, the Wisconsin assembly passed AB 957, which establishes requirements for controllers and processors of consumer personal data. An assembly amendment to the bill making various changes was adopted the same day. Highlights of the bill include:

    • Applicability. The bill will apply to controllers (defined “as a person that, alone or jointly with others, determines the purpose and means of processing personal data”) that “control or process the personal data of at least 100,000 consumers or that control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.” Personal data is defined as any information linked or reasonably linkable to an individual minus publicly available information. Certain entities are exempt from the bill’s requirements, including “governmental bodies, financial institutions subject to federal privacy disclosure requirements [including affiliates of financial institutions], certain entities subject to federal health privacy laws, nonprofits, and institutions of higher education.” Data collected, processed, and maintained in compliance with the Children’s Online Privacy Protection Act is also exempt.
    • Consumer rights. Under the bill consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) make corrections; (iii) request deletion of their data; (iv) obtain a copy of their previously provided data; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, and certain forms of automated processing of their data. Controllers will be prohibited from taking discriminatory actions against consumers who exercise certain rights.
    • Controllers’ responsibilities. Data controllers under the bill will be responsible for responding to consumers’ requests without undue delay, including if a controller declines to take action regarding a consumer’s request. Responses to consumers’ requests must be provided free of charge once annually per consumer, and controllers will be required to establish an appeals process for denied requests, wherein “[w]ithin 60 days of receiving an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for its decisions. If the appeal is denied, the controller must provide the consumer with a method through which the consumer can contact the attorney general to submit a complaint.” The bill will also require controllers to disclose certain information regarding data collection and sharing practices to consumers, as well as how consumers may exercise their rights under the bill. Controllers will also be prohibited from collecting or processing personal data for purposes not relevant to or reasonably necessary for the purposes disclosed in the privacy notice.
    • Data processing contracts. The bill requires controllers to enter into data processing contracts with data processors and “requires controllers to conduct data protection assessments related to certain activities, including processing personal data for targeted advertising, selling personal data, processing personal data for profiling purposes, and processing sensitive data, as defined in the bill.” The state attorney general may also request controllers to disclose any data protection assessments relevant to an investigation.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law and seek forfeiture of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses. The bill further “prohibits cities, villages, towns, and counties from enacting or enforcing ordinances that regulate the collection, processing, or sale of personal data.”
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.

    If enacted in its current form, the bill would take effect January 1, 2024. The bill still needs to be approved by the state senate and any differences reconciled before the measure can be sent to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Wisconsin

  • Virginia Consumer Data Protection Act Work Group issues final report

    Privacy, Cyber Risk & Data Security

    Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in March and covered by InfoBytes here, created the Work Group to study findings, best practices, and recommendations before the VCDPA’s January 1, 2023 effective date. The report summarizes information that arose during six Work Group meetings held this year, including the following:

    • Establishing an education initiative led by leadership outside of the Office of Attorney General (OAG) to help small to medium-sized businesses comply with the VCDPA.
    • Allowing the OAG to pursue actual damages, should they exist, based on consumer harm.
    • Employing an “ability to cure” option for violations where a potential cure is possible.
    • Authorizing consumers to assert, and requiring companies to honor, a global opt-out setting as a single-step for consumers to opt-out of data collection.
    • Sunsetting the “right to cure” provision following the first few years after the VCDPA’s enactment to prevent companies from exploiting the provision.
    • Amending “‘the right to delete’ provision to be a ‘right to opt out of sale’ in order to promote compliance and restrict further dissemination of consumer personal data.”
    • Studying specific data privacy protections for children.
    • Encouraging the development of third-party software and browser extensions to enable users to universally opt out of data collection instead of opting out on each website.
    • Recruiting nonprofit consumer and privacy organizations to address concerns related to the VCDPA’s definitions of “sale,” “personal data,” and “publicly available information,” and whether general demographic data used when promoting diversity and outreach to underserved populations should be included in the definition of “sensitive personal information.”
    • Creating an education website containing information about consumers’ rights under the VCDPA. Additionally, the website could provide guidance for smaller businesses seeking to comply with the VCDPA, including sample data protection forms.
    • Directing an agency to promulgate regulations because the VCDPA does not currently grant the OAG such authority.

    The Work Group’s recommendations will be presented during the upcoming legislative session.

    Privacy/Cyber Risk & Data Security State Issues Virginia State Legislation VCDPA

  • Illinois enacts the Protecting Household Privacy Act

    Privacy, Cyber Risk & Data Security

    Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or input provided by a person to a household electronic device that is capable of facilitating electronic communications. (A “household electronic device” excludes personal computing devices and digital gateway devices.) The act generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Exceptions to this prohibition include when a law enforcement agency first obtains a warrant, an emergency situation arises, or the owner of the household electronic device lawfully consents to the acquisition of the data. The act also states that it shall not “be construed to require a person or entity to provide household electronic data to a law enforcement agency,” except as provided under certain provisions outlined in Section 15. The act further requires entities disclosing household electronic data to “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Additionally, the act outlines information retention limits, which provide, among other things, that if a law enforcement agency obtains household electronic data and does not file criminal charges, it must destroy the data within 60 days unless subject to certain circumstances. The act is effective January 1, 2022.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Illinois Consumer Protection Enforcement
