On March 2, 2021, Virginia Gov. Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law, making Virginia the second state to have comprehensive data privacy legislation on the books. The CDPA is similar to the privacy regime enacted under the California Consumer Privacy Act (CCPA) and expanded under the California Privacy Rights

The California Attorney General was asked to clarify whether the use of “website cookies shared with third parties” constituted the sale of personal information. The Attorney General declined to answer, stating only that whether a particular situation constitutes the sale of information “raises specific legal questions that would require a fact-specific determination, including whether or

Virginia is poised to be the second state, after California, to pass comprehensive data privacy legislation. The Virginia Consumer Data Protection Act passed the Senate and the House of Delegates on Feb. 24, 2021, and now awaits the approval of Governor Northam.

Although the Virginia statute will not take effect until Jan. 1, 2023, companies

In late January, California’s Attorney General (AG) tweeted about the use of the new Global Privacy Control (GPC), informing California consumers that on certain browsers they can use GPC as a “stop selling my data switch” to exercise their right to opt out of the sale of their personal information (PI) in one step –


The regulations implementing the CCPA only require that a business utilize reasonable security in the context of personal information collected or processed for specific purposes – i.e., consumer requests and information provided in response to access requests. The Office of the Attorney General (OAG) has stated that what constitutes “reasonable security measures” in these

On Feb. 15, Gov. Ron DeSantis and House Speaker Chris Sprowls held a press conference to announce their support for legislation that would significantly increase data privacy and security regulation and create new rights for Florida consumers with respect to their personal information (PI).

House Bill 969 by Rep. Fiona McFarland (R-Sarasota) would apply to


The CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure.” [1] The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to disclose to

During the rulemaking process, the Office of the Attorney General was requested to clarify that a business is not required to search for, and produce, “unstructured data” such as paper records in response to an access request.1 The Attorney General declined the request, stating that the exclusion of “all unstructured data is not as

While the CPRA deferred a majority of the CCPA’s employee-related substantive requirements until Jan. 1, 2023, employers are still required to provide employees with a notice at collection.[1] As a result, since Jan. 1, 2020, a notice at collection, which must be provided “at or before the point at which” the collection of information