U.S. Data Privacy Legislation: Proposed & Pending Regulations

In a quest to provide a global overview of cyber-related legislation and regulation, we have previously focused on Regulation through Global Data Protection and Security Laws, and APAC Data Protection and Security Laws.

This is an overview of the latest laws protecting PII in the United States:


Virginia

On March 2, 2021, Virginia’s Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. Inspired by California’s CCPA regulations and the EU’s General Data Protection Regulation (GDPR), the VCDPA was designed to protect Virginia consumers and their personal data. As such, it grants Virginia residents the legal right to access, correct, delete, and know what personal information is held about them, and to opt out of the sale of that information and of its processing for targeted advertising purposes.

In addition to “personal data” (defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person”), the VCDPA also sets out specific protections and responsibilities for the processing of “sensitive data.” Sensitive data is defined as:

  • personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  • “genetic or biometric data” processed “for the purpose of uniquely identifying a natural person”
  • personal data collected from a known child and precise geolocation data

Before processing sensitive data, the “controller” must obtain consent – defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”

Similar to GDPR and CCPA, the VCDPA places far-reaching responsibilities on how companies access, use, store, share, disclose, or otherwise control or process their clients’ personal information. However, it differs from these laws in 2 significant respects:

  • enforcement is left entirely up to the Attorney General
  • it does not provide a private right of action for consumers
  • the law does not apply to employee data

Set to be enacted on January 1, 2023, the VCDPA applies to any business that “(i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”



Washington

Senate Bill 5062, known as the Washington Privacy Act, was rejected by state senators for the third time on March 12, 2021. Similar to GDPR, the law grants consumers the right to access, transfer, correct, and delete the data companies collect on them. Consumers can also opt out of targeted advertising and the sale of their personal data under the legislation.

New York

Proposed for a second time on October 28, 2020, New York’s It’s Your Data Act, if passed, would create CCPA-like consumer privacy rights but with a broader private right of action. As summarized by JD Supra, “the bill would modify the state’s civil rights law to create a ‘right of privacy’ for New York State consumers (defined as state residents), which would require prior written consent and the exercise of reasonable care to use a consumer’s personal information for nearly any commercial reason.”

Though the legislation is, in many ways, similar to GDPR and CCPA, it takes things a step further by placing a fiduciary obligation on data controllers. As a result, the It’s Your Data Act drew significant criticism and, as it stands, is currently stalled in the New York Senate.
