The Current State of Privacy Laws

The following article was produced by David Swetnam-Burland and Stacy O. Stitham of Brann & Isaacson, exclusively for Mailers Hub.

The privacy of personal information – online and elsewhere – is in the news as tech giants like Facebook, Google, and Apple are facing questions (and lawsuits) seemingly from all directions – probing what personal information they collect; how they get it; what they do with it; and whether they are being honest when they say they are committed to personal privacy.

In response, state legislatures across the country, led (as usual) by California, have drafted legislation designed to protect consumers and curb the worst abuses.  As a consequence, industries and businesses far removed from Silicon Valley find themselves confronted with complex, often confusing, state laws that weren’t written with them in mind, but which may impose substantial and burdensome obligations on them all the same.  In this article, and on our July 21 webinar, we’ll try to help you sort out where state privacy laws are now, and where they seem to be headed.

In particular, we’ll focus on the three states that have enacted substantive privacy legislation: Nevada, California, and Virginia.  Before too many other states strike off in their own direction, one can only hope for a single standard for privacy protection that can apply nationwide.


The earliest and narrowest state statute is the Nevada State Privacy Law, which went into effect on October 1, 2019.  Businesses that provide goods or services to Nevadans and operate a website are potentially subject to this law if they also collect and maintain personal information about Nevada citizens.  If they “sell” any of the personal information they collect, they are required to post a privacy notice on their website; designate a contact method for opting out of the sale of their information; and provide a mechanism for authenticating, responding to, and complying with opt-out requests.

What makes the Nevada law different from and narrower than its out-of-state cousins is that it defines a “sale” of personal information as an exchange of information for “monetary consideration.”  That means disclosures that do not result in a return of money are not within the scope of the law.


California continues to be in the vanguard of consumer privacy regulation in the United States.  On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect, and enforcement began on July 1, 2020.

Without even letting the dust settle, Californians then voted in November to adopt another consumer privacy law, the California Privacy Rights Act (CPRA). Businesses must therefore comply with the CCPA, while preparing for the CPRA, which will take effect on January 1, 2023.  The CPRA is designed to bolster the CCPA, “further protect[ing] consumers’ rights” and potentially clarifying some of the muddier compliance questions.  Consider it CCPA 2.0.

The CPRA will apply to businesses which collect or share personal information from about 100,000 or more households annually – double the threshold under the CCPA – or which generate more than 50% of their annual revenue from sharing personal information.  The CCPA was previously limited to companies that sell personal information (albeit broadly defined to include exchanges for any form of consideration).

The CCPA provides California consumers with a right to access personal information that a covered business has collected about them, a right to request that personal information be deleted, and a right to opt-out of the “sale” of their personal information.  The CPRA adds a consumer right to correct inaccurate personal information held by a business, and, for information collected on or after January 1, 2022, expands consumers’ right-to-know.  Under current law, a business only needs to provide a consumer, upon request, with the most recent twelve months of personal information in their possession; under the CPRA, this period may be extended further back in time.

The CPRA also introduces the concept of “sensitive personal information” as a separate category subject to heightened protections, including usage limitations and transparency requirements.  “Sensitive information” includes social security numbers, drivers’ licenses, passport numbers, and financial information, as well as precise location, racial and ethnic origin, information pertaining to religious beliefs, genetic or health information, and sex life or sexual orientation information.  Given the myriad ways in which such information can potentially be gathered and associated with an individual – if I search for or buy eyeglasses, am I disclosing health information? – there could be many hard compliance issues to address. 

The CCPA already requires companies to allow consumers to opt out of the “sale” of their personal information.  There has been debate about whether the common practice of using cookies, scripts, and other technology from third-party advertising networks to serve personalized ads constitutes a “sale” subject to a California consumer’s opt-out.  The CPRA seeks to resolve that debate, making a distinction between “cross-context behavioral advertising” (targeting advertising to individuals based on personal information obtained from their activity with respect to other activities or businesses) and “non-personalized advertising” (targeting advertising based solely on information obtained during a customer’s current interaction with a business).  Under the CPRA, California consumers will be expressly entitled to opt-out of the sharing of their personal information for cross-context behavioral advertising.


Virginia’s new Consumer Data Protection Act (CDPA) will also start on January 1, 2023.  Enforcement is only through the state attorney general’s office – only California so far has permitted individual consumers to police privacy protections through privacy lawsuits in the context of data breaches.

Virginia’s law applies to companies that “conduct business” in the Commonwealth and either (1) control or process the personal data of 100,000 or more consumers or (2) derive more than 50 percent of their gross revenue from selling or processing the personal data of 25,000 or more consumers.

Under the CDPA, Virginia consumers have the right to:

  • confirm whether the “controller” of personal information is processing their personal data and if so, have the ability to access such personal data;
  • correct inaccuracies in the personal data;
  • delete personal data;
  • request that the “controller” port the consumer’s personal data in a readily usable format;
  • opt-out of the processing of personal data for purposes of targeted advertising;
  • opt-out of the sale of personal data; and opt-out of profiling that results in legal or significant effects concerning the consumer (such as, decisions that result in the denial of financial or lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, healthcare services or access to basic necessities).

Consent is required before processing “sensitive data,” which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, and precise geolocation data.  This opt-in requirement for certain personal data marks an area in which Virginia’s protections extend beyond those currently in force in California.


While we have focused on the three states that have successfully enacted state privacy legislation – Nevada, California, and Virginia – a number of other states have considered or are considering such legislation – including New York, Florida, and Washington.  Absent federal legislation, the list of state privacy laws appears destined to grow, possibly even before the January 1, 2023 start date of the newest California and new Virginia statutes.

Everyone – consumers, businesses, legislators, and regulators – is committed to consumer privacy.  Yet the current situation, with a growing number of state privacy laws with different, confusing, possibly conflicting requirements, makes it difficult and expensive for businesses to know how to do the right thing.  Comprehensive federal legislation could create a clear national privacy standard, but the issue does not appear to be front-of-mind in Congress right now.  That makes it all the more vital to keep track of new laws coming online in January 2023 in California and Virginia – and very possibly other states as well.

Brann & Isaacson is a boutique law firm that represents large and small online and multichannel companies, printers, commercial mail producers, and IT service providers located across the country.  The firm advises companies of all sizes, including many in the Internet Retailer’s Top 500 Guide.

The firm is the Mailers Hub recommended legal counsel for mail producers on legal issues, including tax, privacy, consumer protection, intellectual property, vendor contracts, and employment matters. 

Mailers Hub subscribers click here to contact a member of the Brann & Isaacson team. (Requires sign-in - Mailers Hub subscribers enjoy preferred services and rates, with subscription verification.)

Share this post:

Comments on "The Current State of Privacy Laws"

Comments 0-5 of 0

Please login to comment