Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.

Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.

At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider: Continue Reading Virginia Consumer Data Protection Work Group Holds Second Meeting, Hears Recommendations from the Office of the Virginia Attorney General

The Cyprus Presidency of the Council of the European Union has made clear its objective to achieve a general partial approach on certain articles of the new legislative package on data protection by December 2012, with a view to having the whole legislative package adopted in 2013 or early in 2014. 

The Cyprus Presidency has so far achieved agreement within the Justice and Home Affairs (JHA) Council (a body that brings together the justice and interior ministers of the EU Member States and whose remit includes civil protection) on three principal issues: (i) to avoid creating additional and disproportionate costs for small and medium-sized businesses, (ii) to implement a common set of data protection regulations for the private and public sector, with some flexibility for public-sector organizations and (iii) to limit the enhanced powers proposed in the new legislative package so that the EU Commission is not able to regulate through delegated acts without the approval of the European Parliament.

While the Cyprus Presidency has been praised by Viviane Reding, Vice President of the EU Commission, for supporting the new reform package, it is clear that there is still a lot of work to be done to bring the package into law.

For more information, see:



In late December 2023, the Federal Communications Commission (“FCC”) published a Report and Order (“Order”) expanding the scope of the data breach notification rules (“Rules”) applicable to telecommunications carriers and interconnected VoIP (“iVoIP”) providers.  The Order makes several notable changes to the prior rules, including broadening the definitions of a reportable “breach” and “covered data,” requiring covered entities to notify the FCC in addition to federal law enforcement of breaches, and modifying certain customer notification requirements.  The Rules are expected to become effective sometime in 2024, after they are reviewed by the Office of Management and Budget and the FCC’s Wireline Competition Bureau (“Bureau”) announces the effective dates by subsequent public notice.

Continue Reading The FCC Expands Scope of Data Breach Notification Rules

Digital health apps are increasingly used in practice. They raise various questions under regulatory and data protection and data security laws. On November 6, 2023, the German Conference of the Independent Data Protection Supervisory Authorities (Datenschutzkonferenz, DSK), a national body which brings together Germany’s federal and regional data protection authorities, issued a paper about the GDPR’s application to cloud-based digital health applications (“health apps”) that are not subject to the German Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung, the “DiGA Regulation”).

Continue Reading German Data Protection Authorities Publish Paper on Cloud-Based Digital Health Applications

On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments.  

Continue Reading French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases

EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.

Continue Reading EU Advocate General Defines “Identity Theft” And Reaffirms GDPR Compensation Threshold

On October 10, 2023, California Governor Gavin Newsom signed S.B. 362, the Delete Act (the “Act”), into law.  The new law represents a substantive overhaul of California’s existing data broker statute, which requires data brokers to register with the California Attorney General annually.  The passage of the Act follows a renewed interest in data broker activity nationwide, including a request for comments from the Consumer Financial Protection Bureau and the introduction of similar legislation at the federal level.   Below, we outline a number of key provisions:

Continue Reading California Amends Data Broker Law

Late yesterday, the EU institutions reached political agreement on the European Data Act (see the European Commission’s press release here and the Council’s press release here).  The proposal for a Data Act was first tabled by the European Commission in February 2022 as a key piece of the European Strategy for Data (see our previous blogpost here). The Data Act will sit alongside the EU’s General Data Protection Regulation (“GDPR”), Data Governance Act, Digital Services Act, and the Digital Markets Act.

Continue Reading Political Agreement Reached on the European Data Act

The Connecticut legislature passed Connecticut SB 3 on June 2, 2023.  If enacted by the governor, the bill would amend the Connecticut Data Privacy Act (“CTDPA”) to include a number of provisions related to health and minors’ data. Additional detail on the CTDPA can be found in our previous blog post here.

The health-related provisions would take effect on July 1, 2023.  Most provisions related to minors’ data would take effect on October 1, 2024.  However, requirements that social media platforms “unpublish” or delete certain minors’ accounts would come into effect on July 1, 2024.

As reflected in this bill, state legislatures appear increasingly focused on health privacy.  Connecticut’s bill comes on the heels of Nevada’s SB 370, which the Nevada legislature passed, and which, if enacted would impose requirements on consumer health data.  Both the Nevada and Connecticut bill resemble Washington’s My Health My Data Act, although they appear generally narrower in scope.  For additional detail on Washington’s My Health My Data Act, please review our blog post here

Continue Reading Connecticut Legislature Passes Amendments to the Connecticut Data Privacy Act

On May 28, 2023, the Texas legislature passed the Texas Data Privacy and Security Act, making it the sixth state to pass a comprehensive data privacy law this year.  The Act shares many similarities with Virginia, although there are some distinctions.  If signed into law, the Act would take effect on July 1, 2024.  This blog post summarizes the Act’s key takeaways.

  • Scope: The Act applies to a person that (1) conducts business in Texas or produces products or services consumed by Texas residents, and (2) processes or engages in the sale of personal data (“sale” means a disclosure of personal data to a third party for “monetary or other valuable consideration”).  The second prong of this language is not found in other comprehensive state privacy laws and so does not have a well-settled interpretation.   The scope of the Act also excludes a small business as defined by the United States Small Business Administration, except with respect to the provision that requires small businesses to obtain consumer consent prior to selling sensitive data.
  • Consumer Rights:  Consumers have rights to: (1) confirm whether a controller is processing their personal data and access such personal data; (2) correct inaccuracies in the consumer ’s personal data; (3) delete personal data provided by or obtained about the consumer; (4) obtain a portable copy of the consumer’s personal data and (5) opt-out of processing for purposes of (a) targeted advertising (defined as displaying advertisements that are selected based on the consumer’s activities over time and across nonaffiliated websites), (b) the sale of personal data; or (c) profiling (definition is limited to “solely automated processing”) in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.  The Act also requires controllers to implement opt-out preference signals by January 1, 2025.
  • Sensitive Data: Controllers must obtain consent before processing a consumer’s sensitive data.  Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to identify individuals; personal data collected from a known child; and precise geolocation data (i.e., identifies a consumer within a radius of 1,750 ft.).  If a controller sells sensitive data or biometric data, it must post a specific notice (i.e., “NOTICE: We may sell your [sensitive/biometric] personal data.”) in its privacy notice.
  • Controller & Processor Contracts:  The Act uses the terms “controller” and “processor.”  Under the Act, processors must assist controllers in meeting their obligations, including responding to consumer requests and conducting data protection assessments.  The Act would require certain contractual terms between controllers and processors, including those requiring the processor to maintain a duty of confidentiality.
  • Data Protection Assessments: The Act requires controllers to conduct data protection assessments of processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), sensitive data, or otherwise present a heightened risk of harm to consumers. 
  • Enforcement & Cure: The Texas Attorney General has the exclusive authority to enforce the Act.  The Act provides controllers and processors with a 30-day cure period, which would not expire.