Data Privacy Laws: It’s Not Just About California Anymore


In February 2020, we reported in this blog that the California Consumer Privacy Act had gone into effect the previous month—and that lawmakers in other states were reportedly pursuing similar legislation. Now it appears the rumors are, in some form or another, poised to become truths.

Data Privacy Laws: It’s Not Just About California Anymore

A CCPA Refresher

The CCPA is widely recognized as being an inspiration for other state-level privacy legislation, so let’s review it first before exploring the privacy laws that are expected to surface in the near term. Officially known as the California Consumer Privacy Act of 2018, the CCPA gives California residents the right to know what personal data is being collected about them, as well as if–and to whom–their personal data is being sold.

What’s more, in keeping with the CCPA, individuals residing in California have the right to say “no” to the sale of their personal data, as well as to access that data. They may also request that a business delete any personal information that has previously been collected from them and cannot be discriminated against for exercising their privacy rights under the CCPA umbrella.

An amendment to the Act, called the California Privacy Rights Act, clarifies the CCPA. It also gave rise to a governing body dubbed the California Privacy Protection Agency, which can bring action against businesses that violate any proviso of the CCPA.

Here are some other data protection laws now in effect or heading in that direction:

Consumer Data Protection Act (Virginia)

Virginia’s Consumer Data Protection Act was signed into law this month and slated to effect in January 2023. Once this has occurred, Virginia residents will enjoy many of the same data protection privileges afforded to Californians by the CCPA, including the ability to “access, correct, delete, and obtain a copy of personal data.” Virginians will also be able to opt-out of their personal data processing if that data is to be used for targeted advertising purposes.

Washington Data Privacy Act (WPA) 

Under review by state legislators, the Washington Privacy Act (WPA) would allow Washington state residents to request that companies delete their personal data. It would also permit them to access the categories of personal data companies collect and opt-out of the processing of their personal data.

Should it pass—which it is expected to—the WPA would take effect on July 31, 2022, with a four-year delayed effective date for higher education institutions, non-profit organizations, and air carriers. It would apply to companies that conduct business in the state of Washington or produce products or services targeted to Washington residents. Such companies include entities that control or access the personal data of 100,000 or more Washington residents in a calendar year or derive more than 25 percent of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more individuals living in the state of Washington.

State agencies would be exempt from the law. Additionally, it would not cover consumers’ personal health information (PHI) or Gramm-Leach-Bliley Act (GLBA)-regulated personal data.

New York Privacy Act (NYPA)

Under this proposed Act, companies would be required to disclose their methods of “de-identifying” personal information, implement special safeguards for data-sharing, and allow consumers to obtain the names of all entities with which any given company shares their data. Additionally, it gives consumers the right to instruct companies to delete their personal data. It creates a special account to fund an office of privacy and data protection for the State of New York.

Companies that do business in New York state or whose products or services are intentionally targeted to its residents will be required to abide by the NYPA if it is enacted. Another mandate within the Act stipulates that companies prioritize personal data protection over their duties to shareholders. Customers authorize data processing activities and disclosure of personal data to third parties.

Oklahoma Computer Data Privacy Act (OCDPA)

Being introduced under a bill known as Oklahoma HB 1602, the OCDPA would, if it takes effect, provide consumers the right to request, delete, and opt-out of the use of their personal information. Among other provisions, it also requires businesses that collect or sell consumers’ personal information to let those consumers know when they do so.

Also included in the bill is a “right of action” for state residents, permitting them to seek injunctive relief, actual damages, and statutory damages up to $7,500 for intentional violations.

Minnesota Consumer Data Privacy Act (MCDPA)

The MCDPA is an omnibus consumer data privacy law being proposed under the Minnesota HF 36 bill. In addition to yielding consumers various rights regarding their personal data, the Act would obligate businesses to practice data transparency. With the law in effect, consumers would have the private right of action—i.e., the right to initiate legal action as a plaintiff, based on a public statute or the U.S. constitution.

Like the WPA, the law would apply to companies that offer products or services to Minnesota residents, with the caveat that these companies process the personal data of at least 25,000 consumers or generate more than 25 percent of their gross revenue from selling personal data. Companies would simultaneously need to process the personal data of at least 25,000 individuals for the law to apply to them.

Other states are also enacting or attempting to enact laws that compel companies to take data privacy seriously and may make them subject to penalties if they fail to do so. At E-Complish, we believe that staying abreast of and complying with these laws—and any federal data privacy laws that come down the pike in the future—is essential to our customers’ growth and reputation, as well as to the overall health of their companies. Learn how we can help here.