Key Themes Emerging from Federal and State Privacy Law Discussions

Elizabeth Canter, Esq.

Covington & Burling LLP

Kristin Madigan, Esq. CIPP

Crowell & Moring LLP

The California Consumer Privacy Act of 2018 (CCPA) has received significant attention for the new rights that it creates for California residents. On the heels of the CCPA, federal lawmakers and state lawmakers outside of California are considering, and in some cases have already enacted, their own comprehensive privacy laws. These proposals often include familiar elements seen in the CCPA and international privacy laws, including:

  • Transparency: Companies must provide consumers with clear information about how their data is collected, used, and shared.

  • Consumer Rights: Individuals have certain rights with respect to their data, such as rights to access, port, delete, and correct their data.

  • Disclosure and Processing Limitations: Companies are limited in the extent to which they can disclose data to third parties, and the purposes for which they can process data.

  • Accountability: Some bills require privacy assessments or other accountability requirements.

However, there also are important differences.

Virginia Consumer Data Privacy Act. Earlier this month, Virginia’s Governor signed the Virginia Consumer Data Privacy Act (CDPA) into law, although its provisions will not go into effect until January 1, 2023. The CDPA differs from the CCPA in several important respects. The CDPA expressly defines a “consumer” to “not include a natural person acting in a commercial or employment context.” Compared to the CCPA, the CDPA’s employment-context exception is accordingly both broader and not drafted to sunset.

The CDPA also applies to a narrower category of entities than the CCPA. It applies only to “persons that conduct business in the Commonwealth or that produce products or services that are targeted to residents of the Commonwealth” who “control or process personal data of at least 100,000 consumers,” or to those who “control or process the data of at least 25,000 consumers” and “derive at least 50% of their gross revenue from the sale of personal data.” The CDPA also adopts the “controller”/“processor” distinction from the European Union’s General Data Protection Regulation (GDPR).

Another important difference between the CDPA and CCPA is the issue of a private right of action. The CCPA creates a duty for businesses to “implement and maintain reasonable security” for personal information collected about California residents with a corresponding civil cause of action should a Californian’s data be exposed as a result of a business’ failure to do so. The CDPA does not create any private right of action, and instead leaves enforcement solely in the hands of the Virginia Attorney General, who must first “provide a controller or processor 30 days’ written notice” of any alleged current or past violation.

The CDPA also establishes a set of consumer rights increasingly familiar in the privacy world, some of which are similar to those afforded under the CCPA. Consumers may, via authenticated request to a controller: (1) confirm whether their personal data is being processed by a controller; (2) correct inaccuracies in their data; (3) delete personal data obtained from or about the consumer; (4) obtain a copy of the data the consumer previously provided the controller in a portable and “readily usable” format; and (5) opt out of data collection if the data is collected “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” In addition, the timeframes and considerations for addressing data subject requests are similar to those set forth under the CCPA, although the CDPA contemplates that consumers will have the right to appeal denied requests in some circumstances and also requires privacy impact assessments for certain kinds of processing activities.

Nevada Privacy Law. Nevada also passed a general privacy law, which went into effect on October 1, 2019. Like Virginia’s CDPA, the Nevada privacy law expressly excludes from its purview information obtained within an employment context; more narrowly defines the category of applicable businesses than the CCPA; and does not contain a private right of action. Moreover, unlike the CCPA, Nevada’s privacy law includes no requirement to provide notice to consumers of their right to opt out of the sale of their information. Also in contrast to the CCPA, the Nevada law excludes from its definition of “sale” the disclosure of information for purposes that are consistent with a consumer’s reasonable expectations.

Other State Proposals. No other state has passed a general privacy law like California, Virginia, and Nevada. However, almost two dozen other states have introduced similar privacy bills into the legislative process, and it’s plausible that more states will pass their own general privacy laws in the near future.

Many of these state proposals mirror the CCPA. For example, a number of proposals reflect the CCPA’s principles of transparency, limitations on the sale of data, and individual rights. Other states have broader rights for consumers to opt out of any disclosure of their personal information. A proposed Washington Privacy Act, SB 5062, that was considered in 2021 bore many similarities to the new Virginia CDPA. This bill featured consumer opt-out rights allowing consumers to opt out of targeted advertising and profiling. It also would have enabled consumers to access, delete, and correct data, and would have provided for an appeals process in the event such a request is denied. It would have required covered entities to communicate correction, deletion, and opt-out requests to third parties under certain circumstances. Further, the bill would have imposed data minimization and consent requirements on covered entities that go beyond those in the CCPA.

Other states have considered proposals that are distinct from those discussed above. One example is New York’s AB 680, which introduces a data fiduciary obligation on covered entities. More broadly, the Uniform Law Commission is seeking to draft a general model privacy law that reflects many of the themes that states are considering.

Federal Proposals. Members of Congress have also introduced a number of federal privacy proposals that reflect many of the same themes that are captured in state privacy proposals.

For example, during the last session of Congress, key members of the Senate Commerce Committee drafted two separate proposals: the Consumer Online Privacy Rights Act (COPRA) (introduced by Senator Maria Cantwell (D-WA) and other Democrats) and the U.S. Consumer Data Privacy Act (USCDPA) (introduced by Senate Commerce Committee Chairman Roger Wicker (R-MS)). The two bills were similar in many ways:

  • Transparency: Both bills require covered entities to provide consumers with a privacy policy that explains (1) what information the entity collects; (2) how that information is used; and (3) to whom that information is transferred;

  • Consumer Rights: Both provide consumers rights to access, delete, correct, and port their data;

  • Disclosure and Processing Limitations: Both bills enable consumers to restrict the processing and/or transfer of their data. Specifically, COPRA allows individuals to opt out of having their data transferred to third parties, and USCDPA allows individuals to object to both the processing and transferring of their data. Further, under both bills, consumers must give affirmative express consent before covered entities can process or transfer sensitive data; and

  • Applicability: Both bills impose the same requirements on third-party data recipients as they impose on entities that collect data directly from individuals. They also include provisions intended to hold senior officers accountable for privacy compliance, and allow enforcement actions to be brought by both the FTC and state attorneys general.

However, despite the aforementioned similarities, the bills are not identical. For example, COPRA imposes CEO and officer certification requirements on large entities, whereas the USCDPA contains no such requirements. In addition, COPRA requires privacy impact assessments for all organizations, whereas the USCDPA’s similar requirement only applies to certain large entities.

Importantly, whereas COPRA would preempt state laws only to the extent they directly conflict with COPRA, the USCDPA generally would preempt all state privacy laws (however, USCDPA would leave state breach notification laws intact). In addition, COPRA provides a private right of action, but the USCDPA does not.

Also in the last session of Congress, a bipartisan group of House Energy & Commerce Committee staffers released a discussion draft of a bill that would grant consumers the rights to access, delete, and correct their data; limit businesses’ ability to retain, process, and share data; and impose baseline security requirements on covered entities. The draft contained placeholders for three critical issues—preemption, private right of action, and civil penalties for noncompliance.

While there is a lot of convergence in the above-described proposals, others took different approaches on key issues, including with respect to enforcement and on some key substantive points.

For example, Senator Kirsten Gillibrand (D-NY) introduced a Data Protection Act of 2020 (S. 3300) that would create a new federal Data Protection Agency to oversee “high-risk data practices,” including automated decision-making, the processing of biometric information, and “sensitive data uses.”

In addition, there also are federal proposals that would impose fiduciary duties of care, loyalty, and confidentiality on certain entities involved in the processing of personal data, including a Data Care Act (S. 3744) introduced by Senator Brian Schatz (D-HI).

Members of Congress have started to reintroduce many of their proposals from the 116th session of Congress for consideration in the recently commenced 117th session of Congress. For example, Representative Suzan DelBene (D-WA) recently reintroduced the “Information Transparency and Personal Data Control Act,” which includes provisions on transparency, the right to opt out of personal data processing, and privacy audits. Her bill preempts state privacy proposals, affords the FTC rulemaking authority, and does not include a private right of action.

Conclusion. A number of federal and state proposals would build on the CCPA model, at least with respect to consumer data, and California itself also has done so with the adoption of a ballot initiative to amend and strengthen the CCPA. The weight of these proposals would build on the CCPA framework with additional data subject rights, including rights to opt out of profiling and to correct personal data; enhanced protections for sensitive personal information; and accountability measures, such as requirements to assess privacy activities. However, there are also outlier proposals, including those that would import fiduciary or other similar duties to the data processing context.

For more information about new developments and trends in state privacy and data security laws, register now for the Twenty-Second Annual Institute on Privacy and Cybersecurity Law program. The program features Elizabeth and Kristin’s panel, “Beyond California – What’s Happening in Privacy and Data Security Law in the Rest of the US?”

Libbie Canter is a partner in Covington & Burling LLP’s Washington office. She represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws.

Kristin Madigan is a partner in Crowell & Moring LLP’s San Francisco office and a member of the firm’s Litigation and Privacy & Cybersecurity groups. Kristin focuses her practice on representing clients in high-stakes complex litigation with a focus on technology, as well as privacy and consumer protection matters including product counseling, compliance, investigations, enforcement, and litigation that typically involves existing and emerging technologies.

Disclaimer: The viewpoints expressed by the authors are their own and do not necessarily reflect the opinions, viewpoints and official policies of Practising Law Institute.

This article is published on PLI PLUS, the online research database of PLI. The entirety of the PLI Press print collection is available on PLI PLUS—including PLI's authoritative treatises, answer books, course handbooks and transcripts from our original and highly acclaimed CLE programs.