
Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

The Virginia Consumer Data Protection Act (CDPA) has become the next major U.S. state privacy law, after being signed into law by Virginia Governor Ralph Northam on Tuesday, March 2, 2021. The new law amends Title 59.1 of the Code of Virginia with a new chapter 52 (creating Code of Virginia sections 59.1-571 through 59.1-581).

Who is covered?

Per Section 59.1-572, the bill applies to “persons that conduct business in the Commonwealth or that produce products or services that are targeted to residents of the Commonwealth” who “control or process personal data of at least 100,000 consumers” or those who “control or process the data of at least 25,000 consumers” AND “derive at least 50% of their gross revenue from the sale of personal data.”

As defined in Section 59.1-571 of the bill, “[c]onsumers” are any “natural person who is a resident of the Commonwealth acting only in an individual or household context. [Consumer] does not include a natural person acting in a commercial or employment context.”

Both covered entities and “consumers” are defined more narrowly than under other general data privacy laws such as the California Consumer Privacy Act (CCPA). For example, in contrast to the CCPA’s application to any California business with more than $25 million in annual revenue, the CDPA does NOT apply on a blanket basis to any Virginia business above a specified revenue threshold. To be covered under the CDPA, a person must always process the data of a minimum number of Virginia residents “acting only in an individual or household context.” Additionally, the exemption for individuals acting in “commercial” or “employment” contexts is a complete one and, unlike the California law, does not have a “sunset” date on which the exemption will expire.

Notably, the CDPA follows the model established under the EU General Data Protection Regulation and categorizes relevant businesses as “controllers” and “processors.” “Controllers” are “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data,” while “processors” are “a natural or legal entity that processes personal data on behalf of a controller.” Similar to the controller/processor relationship created by the GDPR and the business/service provider relationship created under the CCPA, a CDPA processor must be engaged by a controller via a written agreement that governs the processor’s data processing and provides specific instructions for the processing of data, as well as the nature and purpose of the processing.

Last week, the President signed the Internet of Things (IoT) Cybersecurity Improvement Act into law, kicking off a multi-year process that will culminate in the first-ever federal requirements for IoT devices. Under the law, the National Institute of Standards & Technology (NIST) is now charged with drafting and finalizing security requirements for IoT devices, as

On April 8, 2020, the Federal Trade Commission (FTC) published a blog post titled, “Using Artificial Intelligence and Algorithms,” that offers important lessons about the use of AI and algorithms in automated decision-making.

The post begins by noting that headlines today tout rapid improvements in AI technology, and the use of more advanced


On March 11, 2020, California’s Office of the Attorney General (OAG) released a second set of proposed revisions to the California Consumer Privacy Act (CCPA) draft regulations originally released in 2019 (Proposed Regulations).

The latest revisions, available here, are substantial and come in response to public comments submitted to the OAG during a 15-day

NIST has finalized Internet of Things (IoT) risk management guidance, which was derived from a draft publication. The guidance informs government agencies how to understand and manage IoT risks throughout device lifecycles. Industry can anticipate government focus on three high-level goals:

  1. Device security;
  2. Data security; and
  3. Individual privacy.

The publication highlights three differences between


Just in time for the holiday shopping rush, “Hello Barbie” has hit the shelves.  This Barbie actually talks back to its playmates and is the latest high-tech version of the iconic doll. The secret to this innovation? The Internet. Toymaker Mattel partnered with software firm ToyTalk to equip the doll with a microphone, voice-recognition, and cloud-based intelligence to give Barbie “call-and-respond” functionality. (Think Siri talking through Barbie.) Hello Barbie is yet another example

The Third Circuit’s Monday decision in FTC v. Wyndham Worldwide confirmed the Federal Trade Commission’s (FTC) statutory authority to pursue enforcement actions for allegedly “unfair” data security practices under Section 5 of the FTC Act. Many believe that the decision will embolden the FTC to continue aggressively regulating what it considers to be unreasonable data

Last week, the Senate broke Congressional silence by passing Resolution 101 – enunciating the chamber’s position on how the country should approach the burgeoning technology of the “Internet of Things,” or what’s more commonly known as the “IoT.” Amidst a series of recent hearings in both the House and the Senate, the IoT industry and

The rise of social media for contests and marketing campaigns has captured the attention of the Federal Trade Commission (FTC), particularly campaigns that provide for contest entry based on what amounts to social media endorsements. “Like Company XYZ now to enter!” The FTC is taking stock and beginning to weigh in on this relatively recent practice. Just ask Cole Haan. Late last month, the FTC sent the popular shoemaker a letter marking the end of its investigation into a marketing campaign that turned on “pinning” Cole Haan products for entry into a contest. In it, the FTC concluded that Cole Haan needed to do more to disclose the connection between the contestants’ “pins” and the company’s contest.

It all started last year when Cole Haan launched its Wandering Sole marketing campaign. Cole Haan encouraged consumers to create Pinterest boards that included five shoe images from Cole Haan’s own Pinterest board and another five images of the contestants’ favorite places to wander. Whoever created the board that the company dubbed most creative would win a $1,000 shopping spree. To identify the contestants, Cole Haan asked that the Pinterest users include the hashtag #WanderingSole in the description of their images.