After a pandemic-related hiatus in 2020, a number of U.S. states have proposed new data privacy laws in 2021 – and several are very close to passage. Virginia’s proposed data privacy law appears to be the closest and is likely to be signed into law by Governor Northam in the near future. Washington and Florida’s legislatures also have privacy bills that are making their way through the legislative process, with a good likelihood of becoming law this year. The following is an overview of some of the similarities and differences among the three bills most likely to become law in the near future.
|WAPA||VCDPA||FL Proposed Bill|
Conducts business in WA and: (i) controls or processes the personal data of 100,000 consumers or more; or (ii) derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.
*The WAPA would apply to nonprofit corporations starting July 31, 2026.
Conducts business in VA and: (i) controls or processes the personal data of 100,000 consumers or more; or (ii) processes or controls personal data of 25,000 consumers or more and derives over 50% of gross revenue from the sale of personal data.
*Nonprofits are exempt from the provisions under the VCDPA.
Conducts business in FL and: (i) has global annual gross revenues of more than $25 million; (ii) annually buys, receives for business purposes, or shares for commercial purposes the personal data of 50,000 or more consumers, households, or devices; or (iii) derives 50% or more of its global annual revenues from selling or sharing personal data.
* Nonprofits are exempt from the provisions under Florida’s proposed bill.
|Contractual Requirements Imposed Between Data Controllers and Processors?||Yes||Yes||Yes|
|Consumer Rights||Right to access, correct, delete, and opt out of the sale of personal data or certain types of processing of personal data (e.g., targeted advertising, profiling for decisions that have legal consequences).||Right to access, correct, delete, and object to the sale of personal data or certain types of processing of personal data (e.g., targeted advertising).||Right to access, correct, delete, and opt out of the sale or sharing of personal data.|
|Risk Assessments (or similar measures)||Required||Required||Not required|
|Private Cause of Action||No||No||Yes (limited) – private plaintiffs can seek damages of not less than $100 and not more than $750, whichever is greater, if their non-encrypted personal information or email address (together with information that would allow account access) is subject to unauthorized access due to a business’ failure to implement reasonable security measures.|
|Consent||Generally not required except for the processing of sensitive data.||Required where a consumer has restricted processing or a risk assessment indicates the risks of processing outweigh the benefits to the consumer.||Required before a business may enter a consumer in a financial incentive program.|
|Opt-Out||Required for targeted advertising, sale of personal information, or profiling decisions that have legal effects.||Required for targeted advertising, sale of personal information, or profiling.||Required for the sale or sharing of personal information.|
|Exceptions||Does not apply to personal data regulated under HIPPA, the FCRA, the GLBA, the DPPA, the FERPA, the Federal Farm Credit Act, clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46), and employment-related data.||Does not apply to protected health information under HIPAA, personal data regulated under the GLBA, employment-related data, certain types of data regulated under the FCRA, personal data under the DPPA, and clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46).||Does not apply to personal data regulated under HIPPA, the FCRA, the GLBA, the DPPA, the FERPA, clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46), and employment-related data.|
|Cure Period?||Yes – 30 days after receipt of a warning letter from the Attorney General.||Yes – 30 days after receipt of notice of alleged noncompliance.||Yes – 30 days after being notified in writing of alleged noncompliance.|
|Damages/Penalties||Up to $7,500 per violation.||Up to $7,500 per violation.||
Not less than $100 and not more than $750 per consumer per incident or actual damages, whichever is greater.
Attorney General can seek up to $2,500 for each unintentional violation or $7,500 for each intentional violation.
As noted in the table above, the WAPA, VCDPA, and Florida’s proposed bill contain similarities with one another, such as imposing contractual requirements between data controllers and processors, providing various consumer privacy rights such as the right to access, correct, delete, and opt out of/object to the sale or certain types of processing of personal data, and requiring transparent privacy notices concerning the collection and sharing of personal data. Further, the WAPA, VCDPA, and Florida’s proposed bill do not impose a fiduciary duty on data controllers, unlike the proposed New York Privacy Act, which is currently pending in the New York state legislature. One notable difference between the WAPA and the VCDPA and Florida’s proposed bill, however, is that the WAPA and the VCDPA do not include a private right of action whereas Florida’s proposed bill allows consumers to bring a private cause of action for actual or statutory damages.
The VCDPA has passed in both the state House and Senate and its enactment appears imminent. If enacted, the VCDPA would become effective on January 1, 2023. The WAPA and Florida’s proposed bill are currently pending review by their respective legislatures, but momentum appears strong for passage in 2021.