Cybersecurity Analysis: State privacy laws beyond CCPA: Virginia, Colorado, and Connecticut

By Jonathan D. Steele | September 1, 2025

While California's Consumer Privacy Act (CCPA) pioneered comprehensive state-level privacy legislation in the United States, several other states have followed suit with their own robust privacy frameworks. Virginia, Colorado, and Connecticut have emerged as leaders in this second wave of state privacy laws, each implementing unique approaches while maintaining core privacy principles. These laws reflect a growing consensus that consumers deserve greater control over their personal data and that businesses must be held accountable for their data practices.

Virginia Consumer Data Protection Act (VCDPA)

Virginia became the second state to enact comprehensive privacy legislation when Governor Ralph Northam signed the Virginia Consumer Data Protection Act into law in March 2021. The VCDPA, which took effect on January 1, 2023, applies to businesses that conduct operations in Virginia or produce products or services targeted to Virginia residents and either control or process personal data of at least 100,000 consumers annually, or derive over 50% of gross revenue from selling personal data while controlling or processing data of at least 25,000 consumers.

The VCDPA grants Virginia residents several fundamental rights regarding their personal data:

  • Right to access personal data
  • Right to correct inaccuracies in personal data
  • Right to delete personal data
  • Right to obtain a portable copy of personal data
  • Right to opt out of the sale of personal data
  • Right to opt out of targeted advertising
  • Right to opt out of profiling for decisions with legal or significant effects

Unlike the CCPA, the VCDPA does not include a private right of action, meaning consumers cannot sue companies directly for violations. Instead, enforcement authority rests exclusively with the Virginia Attorney General's office. The law also provides a 30-day cure period, allowing businesses to remedy violations before facing penalties of up to $7,500 per violation.

Colorado Privacy Act (CPA)

Colorado's Privacy Act, signed into law in July 2021 and effective July 1, 2023, closely resembles Virginia's approach while introducing several distinctive features. The CPA applies to controllers that conduct business in Colorado or deliver commercial products or services intentionally targeted to Colorado residents and either control or process personal data of 100,000 or more consumers annually, or derive revenue from selling personal data while controlling or processing data of 25,000 or more consumers.

The Colorado law provides consumers with rights similar to those in Virginia, including access, correction, deletion, portability, and opt-out rights. However, Colorado goes further in several areas. The CPA explicitly requires controllers to conduct and document data protection assessments for processing activities that present heightened risk to consumers, including targeted advertising, sale of personal data, and certain types of profiling.

Colorado also mandates that controllers implement appropriate technical and organizational measures to ensure security appropriate to the risk level. The law introduces the concept of "universal opt-out mechanisms," requiring controllers to recognize browser-based or device-based signals as valid consumer opt-out requests for targeted advertising and data sales. This provision represents a significant step toward automated privacy preferences.

Enforcement of the CPA falls under the jurisdiction of the Colorado Attorney General and district attorneys. Like Virginia, Colorado provides a cure period until January 1, 2025, after which violations may result in fines of up to $20,000 per violation, with a maximum of $500,000 for related violations.

Connecticut Data Privacy Act (CTDPA)

Connecticut joined the state privacy law landscape with the Connecticut Data Privacy Act, signed in May 2022 and effective July 1, 2023. The CTDPA largely mirrors the Virginia and Colorado frameworks while incorporating elements from both. The law applies to businesses that conduct operations in Connecticut or produce products or services targeted to Connecticut residents and either control or process personal data of at least 100,000 consumers annually (excluding payment transaction data), or control or process data of at least 25,000 consumers while deriving over 25% of gross revenue from selling personal data.

Connecticut's law provides the standard set of consumer rights found in other state privacy laws, but with some notable additions. The CTDPA explicitly addresses the protection of minors, requiring controllers to obtain consent from parents or guardians before processing personal data of consumers under 13 years old. For consumers between 13 and 16, controllers cannot process sensitive data without obtaining consent directly from the minor.

The Connecticut law also requires comprehensive privacy notices that clearly describe data processing purposes, consumer rights, and the categories of personal data processed. Controllers must provide a clear and conspicuous method for consumers to revoke consent that is as easy as the method used to provide consent initially.

Common Themes and Key Differences

While these three state laws share fundamental privacy principles, important distinctions exist in their scope, requirements, and enforcement mechanisms. All three laws exempt certain entities and data types, including government entities, nonprofits, institutions of higher education, and data covered by federal laws like HIPAA and the Gramm-Leach-Bliley Act.

The definition of "sale" varies across these laws, with implications for business practices. Virginia and Connecticut define sale as the exchange of personal data for monetary consideration, while Colorado includes both monetary and other valuable consideration, aligning more closely with California's broader interpretation.

These states have also taken different approaches to sensitive data. All three laws include special protections for sensitive personal data, such as racial or ethnic origin, religious beliefs, health information, sexual orientation, and genetic or biometric data. However, they differ in their consent requirements and processing restrictions for such data.

Looking Forward

The privacy laws in Virginia, Colorado, and Connecticut represent a maturing of state-level privacy regulation in the United States. While they lack some of the more aggressive enforcement mechanisms of the CCPA, such as a private right of action, they provide clearer compliance frameworks and more predictable requirements for businesses. As more states consider similar legislation, these three laws are likely to serve as templates, potentially leading to greater harmonization of privacy requirements across states. Organizations operating across multiple states must now navigate this evolving patchwork of regulations, making comprehensive privacy compliance programs essential for modern business operations.
