On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first of its kind legislation on the East Coast. The law will go into effect on January 1, 2023.

The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.


Continue Reading Virginia’s New Consumer Data Protection Act (CDPA)

On November 4, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published an Interim Final Rule with Comment Period (IFC) that delays compliance dates necessary to meet certain requirements related to information blocking initially finalized in the ONC Cures Act Final Rule (Final Rule) in March of 2020. The Final Rule implemented health IT provisions enacted under the 21st Century Cures Act (the Cures Act) to achieve ubiquitous interoperability among health IT systems and to improve patient’s ability to access their electronic health information (EHI). Among these provisions is a prohibition of information blocking. This article will define information blocking, provide and explain exceptions to such practice, detail the IFC’s deadline extensions, and highlight key compliance concerns and solutions regarding these reforms.

Information Blocking

The term “Information Blocking” is broadly defined by the Cures Act as any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI when the entity knows (or should know) that it is likely to do so. The Cures Act specifies four types of “actors” that must comply with the information blocking rule:

  1. Healthcare Providers
  2. Health information technology companies that have a certified health IT system
  3. Health information networks (HINs)
  4. Health information exchanges (HIEs)


Continue Reading Information Blocking Compliance: What Providers Need To Know As Deadlines Approach

Data privacy is a top concern for many in-house legal professionals – and for good reason – data privacy and cybersecurity legal requirements are complex and continually evolving. Data Privacy Day is a great day to start addressing your organization’s data privacy and cybersecurity needs.

On Data Privacy Day 2021, here is what is top of mind for some of our Data Privacy & Security Team members:

  • Andrew Konia – A Federal Privacy Law: “Calls (pleas?) for federal privacy legislation are nothing new, and last year we came close, with both parties presenting draft bills for consideration (surprise, neither passed!).  But now, with the White House and both chambers of Congress under Democratic control, there appears to be renewed (and more serious) interest in a federal privacy law. We have seen (admittedly narrow) hints of the federal government taking a stronger stance on cybersecurity standards with the IoT Cybersecurity Improvement Act of 2020, which applies to federal agency purchases. But you take the recent and intense backlash on “Big Tech’s” use/sharing of data and perceived lack of data transparency, and mix in the Biden Administration’s prioritization of consumer protection generally, and you have the recipe – and a strong political appetite – for a comprehensive federal privacy law.”
  • Bethany Lukitsch – California: “CPRA will be here before we know it, and most companies are going to have a lot to do to get ready. Updating privacy policies and adding ‘do-not-share’ links are one thing, but as with CCPA, it’s the behind-the-scenes work that is really going to take some time.  It’s certainly not too early to get started.”


Continue Reading Data Privacy Day 2021: Privacy and Cybersecurity Are On Our Minds, Too

Once again, the Virginia legislature is set to consider comprehensive data privacy legislation.  In the 2020 regular session of the Virginia General Assembly, the House of Delegates referred several bills dealing with privacy issues, including a proposed data privacy law, to the Virginia Joint Commission on Science and Technology for study.

This year, it appears Virginia is poised to seriously consider adoption of a broad consumer data privacy framework.  Senate Bill 1392 , sponsored by Senator David Marsden (D-Fairfax), was introduced on January 13, 2021. House Bill 2307, sponsored by Delegate Cliff Hayes, Jr. (D-Chesapeake), was introduced on January 20, 2021. The bills create the “Consumer Data Protection Act.”

Virginia does not currently have a comprehensive data privacy law governing consumer data.  Like most states, it has a data breach notification law and various protections for specific types of data in certain contexts.


Continue Reading Virginia Legislature Is Set to Consider Comprehensive Data Privacy Legislation

A major consumer privacy law is likely this legislative session in Florida that stands to jeopardize not only technology companies, but financial services, healthcare entities, and thousands of small and medium-sized businesses that rely on digital marketing and advertising to conduct business.

Florida legislators are generally pro-business, but this year could be an exception. Talks

On September 17, 2020, four Republican Senators (Roger Wicker – Mississippi, Chairman, John Thune – South Dakota, Deb Fischer – Nebraska, and Marsha Blackburn – Tennessee) introduced sweeping federal privacy legislation entitled: Setting an American Framework to Ensure Data Access, Transparency, and Accountability (“SAFE DATA”) Act. This proposed comprehensive national privacy law has three main components:

  1. Provides consumers with more choice and control over their data
  2. Directs business to be more transparent and accountable
  3. Strengthens the FTC’s enforcement power


Continue Reading Federal Data Privacy Legislation: Will it Help the US Remain Competitive in the Global Marketplace?

Earlier this year, U.S. Senator Sherrod Brown of Ohio released a draft discussion bill that if implemented would drastically alter corporations’ ability to collect and use personal information from consumers.

According to Sen. Brown, “We need legislation now more than ever that empowers Americans to control their personal information. No person should have to worry about being spied on, just as no one should worry about their information being bought and sold or stolen.” Brown believes that his bill would “change the fundamental framework of privacy in this country” by shifting the burden of privacy protection from consumers to corporations. Brown’s new bill is critical of the current consent-based framework that requires customers to agree to privacy policies in order to use specific online service.


Continue Reading Senator Brown Proposes New Privacy Bill

Late last week heralded two significant and highly anticipated updates to the California Consumer Privacy Act (CCPA).

On October 10, 2019, the Office of the California Attorney General issued a long-anticipated Notice of Proposed Rulemaking Action regarding the CCPA.  The full text of the proposed regulations can be found here.  The next day, Governor Gavin Newsom signed all seven amendments to the CCPA that came out of the California State Assembly.

This post will address the statutory amendments first since they modify the CCPA itself, then turn to the draft regulations (officially, the “California Consumer Privacy Act Regulations”).
Continue Reading CCPA Update: AG Issues Draft Regulations and Governor Signs Amendments

FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules

The FTC is seeking comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires a financial institution to maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers

Freshman Delegate Hala Ayala recently introduced House Bill 2793 in this session of the Virginia General Assembly.  If enacted, the legislation will impose new requirements on businesses with regard to the disposal of certain consumer records and manufacturers in the design and maintenance of devices that connect to the internet.
Continue Reading Virginia General Assembly to Consider Minimum Security Standards for Care and Disposal Consumer Information and Security of Connected Devices