The speed with which the US data privacy law wave is spreading from state to state also seems to be increasing \u2013 it took California several years to get its CCPA\/CPRA legal regime in place (and some would argue that it\u2019s still a moving target), while Virginia became the second state<\/a> to enact a comprehensive US data privacy law with the Virginia Consumer Data Protection Act (VCDPA).<\/p>\n\n\n\n Each state\u2019s draft US data privacy law looks different from the next \u2013 some with prior consent requirements akin to the EU\u2019s GDPR<\/a> and others with broader opt-out rights; some with larger scopes and some with sectoral exemptions \u2013 and no state has so far simply copied California\u2019s model.<\/p>\n\n\n\n Looming over the prospect of an uneven collage of state-level data protection across the country is the absence of a standardized federal US data privacy law<\/a>, and the difficult path ahead for getting one passed and enacted.<\/p>\n\n\n\n To date three federal US data privacy laws<\/a> have been put forward, but with no hearings planned anytime soon, the process shows signs of having stalled<\/a>.<\/p>\n\n\n\n State-level US data privacy laws springing up left and right across the country will increase the federal momentum, argues Future of Privacy Forum Senior Fellow Peter Swire to IAPP<\/a>, since a jagged patchwork of state laws with fundamentally different models create a headache of compliance and competition issues.<\/p>\n\n\n\n See IAPP's comparison of proposed federal US data privacy laws<\/a><\/p>\n\n\n\n On March 2, 2021, Virginia\u2019s Consumer Data Protection Act (VCDPA) was signed into law, making the Old Dominion the second state to enact a broad and comprehensive US data privacy law (third if you count Nevada\u2019s smaller and more limited SB220, scheduled to be overhauled soon<\/a>).<\/p>\n\n\n\n Virginia\u2019s Consumer Data Protection Act (VCDPA) came about after a surprisingly short legislative session (less than two months) and borrows provisions and principles from both California\u2019s Consumer Privacy Act (CCPA) and the EU\u2019s General Data Protection Regulation (GDPR).<\/p>\n\n\n\n Virginia\u2019s Consumer Data Privacy Act (VCDPA) will take effect on January 1, 2023<\/strong> and will be enforced by the Virginia Attorney General.<\/p>\n\n\n\n Virginia\u2019s Consumer Data Protection Act (VCDPA) quick breakdown<\/strong> \u2013<\/p>\n\n\n\n Website owners and companies who have dealt with becoming compliant with California\u2019s CCPA over the past two years will likely be familiar with the California Attorney General\u2019s frequently changing draft regulations on enforcement<\/a>, often the cause for the CCPA to be described as a \u201cmoving target\u201d in the data privacy industry.<\/p>\n\n\n\n But, as IAPP notes<\/a>, Virginia\u2019s VCDPA avoids this process altogether by not including any requirements for rule making. Rather, it rests with the Virginia Attorney General to enforce Virginia\u2019s Consumer Data Protection Act (CDPA) as it\u2019s written, with fines for non-compliance up to $7,500.<\/p>\n\n\n\n A review of potential legislative modifications has been scheduled for later in 2021.<\/p>\n\n\n\n In addition to the quick breakdown overview above, let\u2019s have a look at what rights the second comprehensive US data privacy law brings for Virginia residents.<\/p>\n\n\n\n The Virginia Consumer Data Privacy Act (CDPA) empowers Virginia residents with the following rights \u2013<\/p>\n\n\n\n Virginia\u2019s Consumer Data Protection Act (CDPA) builds on the waves of data privacy legislation that have washed over the world in the past years, most notably California\u2019s and the EU\u2019s GDPR.<\/p>\n\n\n\n Building on the first comprehensive US data privacy law, California\u2019s CCPA, Virginia\u2019s VCDPA also empowers state residents with the right to opt out of having personal data sold to third parties<\/strong>, but interestingly enough, it goes a bit further than California\u2019s by also allowing users to opt out of personal data processing<\/strong> done for data profiling and targeted advertisement purposes.<\/p>\n\n\n\n See the Virginia Consumer Data Protection Act law text<\/a><\/p>\n\n\n\n Looking across the Atlantic, Virginia\u2019s VCDPA borrows provisions from another major piece of data privacy legislation, namely the EU\u2019s GDPR<\/a>.<\/p>\n\n\n\n Like the EU\u2019s GDPR, Virginia\u2019s VCDPA requires you to obtain explicit and affirmative consent<\/strong> from your website\u2019s users when processing sensitive data. This makes the VCDPA's consent provision broader and stricter than California\u2019s CCPA\/CPRA, which only applies to minors.<\/p>\n\n\n\n The VCDPA's definition of consent is even word-for-word taken from the EU\u2019s GDPR, requiring the \u201cfreely given, specific, informed and unambiguous agreement\u201d<\/strong> to constitute a valid end-user consent.<\/p>\n\n\n\n Also inspired by the EU\u2019s GDPR, Virginia\u2019s VCDPA requires you to perform data protection assessments<\/strong> for so-called \u201chigh risk processing\u201d of personal data, which covers if you engage in targeted advertisement, the selling of personal data and profiling (though a bit different in practice from the GDPR\u2019s provision).<\/p>\n\n\n\n Learn more about EU GDPR compliance with Cookiebot CMP<\/a><\/p>\n\n\n\n Scan your website for free to see all cookies and trackers in use<\/a><\/p>\n\n\n\n When comparing Virginia\u2019s VCDPA to California\u2019s CCPA\/CPRA, as we did in the introduction of this article, it becomes clear that (although inspired by California\u2019s model) Virginia has gone its own way with its US data privacy law.<\/p>\n\n\n\n The biggest differences between Virginia\u2019s VCDPA and California\u2019s CCPA\/CPRA are \u2013<\/p>\n\n\n\n With a faster legislative session and a, in many ways, tighter and more straight-forward bill in hand, Virginia now offers a different roadmap for US data privacy laws than California\u2019s model.<\/p>\n\n\n\n On July 8, 2021, the state of Colorado officially enacted the Colorado Privacy act<\/a>, making the centennial state the third state to enact a broad and comprehensive US data privacy law following California in 2018 and Virginia earlier in 2021.<\/p>\n\n\n\n The enactment of Colorado\u2019s CPA is a continuation of the trend of state legislatures directing the progress of the general consumer data privacy framework in the U.S.<\/p>\n\n\n\n The CPA extends consumer data protections and business compliance obligations in ways that can be described as very similar to California\u2019s CCPA<\/a>, the upcoming CRPA<\/a> and Virginia\u2019s CDPA.<\/p>\n\n\n\n Colorado\u2019s Privacy Act will take effect on July 1, 2023.<\/p>\n\n\n\n After the quick breakdown, let\u2019s now look at what rights the third comprehensive US data privacy law brings for Colorado consumers.<\/p>\n\n\n\n The Colorado Privacy Act (CPA) empowers Colorado consumers with the following five rights \u2013<\/p>\n\n\n\n Not unlike Virginia\u2019s CDPA, the CPA also gives the consumers the right to appeal a business\u2019 denial to take action within a reasonable time period. Under the CPA, a business has to respond to a consumer request within 45 days.<\/p>\n\n\n\n If a business fails to take action, the CPA dictates that the controller provide an appeal process that must be visibly available and easy to use.<\/p>\n\n\n\n Try Cookiebot CMP free for 14 days \u2013 or forever if you have a small website<\/a><\/p>\n\n\n\n Colorado\u2019s CPA has a controller to determine the purposes for and means of processing personal data. Colorado\u2019s CPA has obligations that are similar to the ones defined in California\u2019s CCPA<\/a> and Virginia\u2019s CDPA.<\/p>\n\n\n\n These obligations will be explained in more detail here:<\/p>\n\n\n\n Besides these obligations, the controller also has to be governed by a contract between the controller and the processor.<\/p>\n\n\n\n The purpose of the contract is to establish the processing instruction to which the processor is bound, including the nature of the processing and its duration. Similar requirements are stated in the EU\u2019s GDPR<\/a> and Virginia\u2019s CPDA as well.<\/p>\n\n\n\n Overall, Colorado\u2019s CPA is not a trailblazer in the data privacy world, but its significance is reflected in the growing trend of enhanced consumer privacy protections in the US and by the fact that it is one of the first ones to be enacted.<\/p>\n\n\n\n If you were to compare it with the ones in California and Virginia, the Colorado CPA is probably a bit harsher than Virginia\u2019s CDPA and a bit more moderate than California\u2019s CCPA.<\/a><\/p>\n\n\n\n Try Cookiebot CMP free for 14 days \u2013 or forever if you have a small website.<\/a><\/p>\n\n\n\n Scan your website to see all cookies and trackers in use<\/a><\/p>\n\n\n\n On January 1, 2020, California became the first state to enact a comprehensive US data privacy law when the California Consumer Privacy Act (CCPA)<\/a> took effect.<\/p>\n\n\n\n Unlike Virginia\u2019s CDPA that flew through the state\u2019s legislatures, the California Consumer Privacy Act (CCPA)<\/a> was a grassroots initiative by Alastair McTaggart of Californians for Consumer Privacy<\/a>, who drafted an early version of the CCPA as a ballot initiative meant to be included in the 2018 November election.<\/p>\n\n\n\n After heavy industry lobbying, the initiative was watered down and co-written, sponsored, passed unanimously and signed into law on Thursday June 28, 2018.<\/p>\n\n\n\n Breaking new waves in the US data privacy law landscape, California\u2019s CCPA is the first to empower residents with several rights over their personal information, chief among them the right to opt out of having it sold to third parties<\/strong> (the now-famous requirement for a Do Not Sell link on your website).<\/p>\n\n\n\n This opt out right has become a model for both Virginia\u2019s CDPA and most other US data privacy laws in draft at this moment, and it categorically sets the overall US data privacy law landscape apart from the EU\u2019s General Data Protection Regulation, which operates on a prior consent model<\/strong> \u2013 requiring first the explicit consent of users before any personal data can be processed, as opposed to California\u2019s (and Virginia\u2019s) model of post-collection opt out<\/strong>s.<\/p>\n\n\n\n Then, in the 2020 General Election, the addendum California Privacy Rights Act (CPRA)<\/a> was passed as a ballot initiative, bypassing the state legislature that had crafted the CCPA two years before.<\/p>\n\n\n\n The CPRA took effect on January 1, 2023.<\/p>\n\n\n\n California\u2019s CPRA amends and expands<\/strong> the CCPA, e.g. changing the scope<\/strong> to exclude smaller businesses but include larger companies, specifying regulation of behavioral advertisement<\/strong> in the state, empowering California residents with four new data rights<\/strong>, establishing the California Privacy Protection Agency (CPPA)<\/strong> as lead enforcer in the state (rather than the Attorney General) and creates the category of sensitive personal information<\/strong> with stronger protections.<\/p>\n\n\n\n Together, California\u2019s CCPA\/CPRA setup \u2013<\/p>\n\n\n\n Learn more about CCPA\/CPRA compliance with Cookiebot CMP<\/a><\/p>\n\n\n\n Learn more about the California Privacy Rights Act (CPRA)<\/a><\/p>\n\n\n\n Learn more about California\u2019s CCPA and website cookies<\/a><\/p>\n\n\n\n Learn more about California\u2019s CCPA and personal information<\/a><\/p>\n\n\n\n Learn more about California\u2019s CCPA and end-user rights<\/a><\/p>\n\n\n\n The state of US data privacy law is in flux \u2013 a flurry of movement is happening across a dozen state legislatures, emboldened by California, Virginia and Colorado's data protection achievements, and left to draft their own in the absence of a federal law.<\/p>\n\n\n\n The data privacy wave spilling across the US, triggered by a big public awakening to the issues of data protection and surveillance capitalism in recent years, have created a legal landscape in rapid change, with some states following California\u2019s model to varying degrees (like Virginia\u2019s CDPA and Washington\u2019s Privacy Act) and other states going their own way with an eye fixed on the EU and its strict prior consent model (like Oklahoma\u2019s OCDPA).<\/p>\n\n\n\n Different roads are forking in the US data privacy law landscape, and it remains to be seen which one \u2013 if any \u2013 a federal bill would follow.<\/p>\n\n\n\n At Usercentrics<\/a>, the creators of Cookiebot CMP, we work hard every day to push true end-user consent and data protection to the world through a balanced and sustainable Internet economy. We follow all US data privacy law developments closely, so we can bring our unmatched data privacy expertise to you and your compliance needs in the future.<\/p>\n\n\n\n Cookiebot CMP is a plug-and-play solution offering compliance for your website with all major data protection laws in the world, including California\u2019s CCPA\/CPRA.<\/p>\n\n\n\n Try Cookiebot CMP free for 14 days<\/a> \u2013 or forever if you have a small website.<\/p>\n\n\n\n Scan your website to see what cookies and trackers are in use<\/a><\/p>\n\n\n\n Learn more about Cookiebot CMP and CCPA\/CPRA compliance<\/a><\/p>\n\n\n\n Learn more about Cookiebot CMP and GDPR compliance<\/a><\/p>\n\n\n\n Get started with Cookiebot CMP and Google Consent Mode<\/a><\/p>\n\n\n\n![\"Illustration](\"\/media\/4253\/usa-data-landscape.jpeg?width=450&&mode=max\")
Virginia\u2019s Consumer Data Protection Act (VCDPA)<\/h2>\n\n\n\n
Second major US data privacy law passed in Virginia\u2019s VCDPA<\/h3>\n\n\n\n
![\"Illustration](\"\/media\/4254\/usa-data-washington.jpeg?width=450&&mode=max\")
\n
Virginia\u2019s VCDPA rights for Virginia residents<\/h3>\n\n\n\n
\n
![\"Illustration](\"\/media\/4257\/usa-data-statue-of-liberty.jpeg?width=450&&mode=max\")
Virginia\u2019s VCDPA vs EU\u2019s GDPR<\/h3>\n\n\n\n
Virginia\u2019s VCDPA vs California\u2019s CCPA<\/h3>\n\n\n\n
\n
![\"Illustration](\"\/media\/4258\/usa-data-hollywood.jpeg?width=450&&mode=max\")
Colorado\u2019s Privacy Act (CPA)<\/h2>\n\n\n\n
Newest major US data privacy law passed in Colorado's CPA<\/h3>\n\n\n\n
Colorado\u2019s Privacy Act (CPA) \u2013 quick breakdown \u2013<\/h2>\n\n\n\n
\n
![\"Illustration](\"\/media\/4255\/usa-data-trees.jpeg?width=450&&mode=max\")
Colorado\u2019s CPA rights for Colorado consumers<\/h2>\n\n\n\n
\n
Obligations of Colorado\u2019s CPA<\/h2>\n\n\n\n
\n
California\u2019s CCPA\/CPRA<\/h2>\n\n\n\n
First major US data privacy law in effect in California<\/h3>\n\n\n\n
![\"Illustration](\"\/media\/4259\/usa-data-flag-bridge.jpeg?width=450&&mode=max\")
\n
Summing up on the state of US data privacy laws<\/h2>\n\n\n\n
Four laws signed, dozens emerging and a push for a federal US data privacy law<\/h3>\n\n\n\n