Legislative Trends: CPRA, VCDPA, CPA: The Alphabet Soup of U.S. Consumer Data Privacy

small business compliance employee handbook

A solid data privacy compliance foundation, along with agility, will be key as companies start to navigate the nuances of state consumer privacy bills.


In 2018, when the California Consumer Privacy Act ("CCPA") was adopted, many understood that this was the beginning of the change in the privacy landscape in the United States. The CCPA became the first cross-sectoral state privacy law, imposing extensive privacy and security requirements for organizations handling the data of California residents. Without a federal comprehensive privacy law, it was only a matter of time before a patchwork of individual state consumer privacy bills would be adopted, such as the Virginia Consumer Data Privacy Act ("VCDPA") and the Colorado Privacy Act ("CPA"). State security breach notification laws underscore the potential complexity that is on the horizon for organizations. A solid data privacy compliance foundation, along with agility, will be key as companies start to navigate the nuances of state consumer privacy bills.

What is the Trend?

Virginia and Colorado recently joined states like Nevada and California by adopting consumer- focused privacy laws, but they are not the only states that tried to clear this hurdle this year. At one point, there were over 20 bills being considered in state legislatures — with some, in states like Florida, Washington, and Connecticut, dying hours before the end of the legislative session.

In November 2020, California voters also decided to replace the recently enacted CCPA with Proposition 24, the California Privacy Rights Act (CPRA). CPRA will afford California residents certain rights and protections that the drafters felt were missing from the existing CCPA.

The Virginia and Colorado laws have strong European General Data Protection Regulations (GDPR) overtones, and distinguish themselves in a few key areas from the CPRA.

California Privacy Right Act

Under the California Privacy Rights Act (CPRA), many of the obligations will not be effective until January 1, 2023, including the partial exemption for employment data and business contact data, which will expire after 2022 unless a new law is adopted to address this matter. Regardless of the exemption, employers are still currently required to provide employees with notices disclosing the categories of personal data collected and the purposes for the collection.

The CPRA differs from CCPA in the following ways, as it:

  • Imposes direct obligations on service providers to assist businesses with CPRA compliance activities. This will include specific contractual provisions that obligate service providers to provide the same level of privacy protection as is required from a covered business under CPRA.
  • Carves out Sensitive Personal Data from the definition of Personal Data and imposes additional obligations.
  • Requires a business to include details regarding the retention period for each category of Personal Data or explain how retention is determined in the consumer privacy notice.
  • Expands breach liability to unauthorized access or disclosure of data elements such as email addresses, passwords or security questions that would permit access to an account if the business failed to maintain reasonable security.
  • Establishes the first data-protection authority in the United States: the California Privacy Protection Agency (CPPA). The recently appointed five-member board consists of nominees from the Governor, Attorney General and state legislative officials.

Virginia Consumer Data Privacy Act

On March 2, 2021, Virginia signed into law the Virginia Consumer Data Privacy Act ("VCDPA"). The VCDPA is the second comprehensive consumer privacy bill adopted in the United States. Many were taken by surprise at the speed at which this bill was adopted. VCDPA mirrors the EU General Data Protection Regulation ("GDPR") by requiring data protection assessments and includes terms like controller and processor. Like the CPRA, the law will go into effect on January 1, 2023, and will grant Virginia residents the right to access/know, correct, delete and opt-out of sale amongst other privacy rights. Unlike the CPRA, the law makes an employee and business contact data exemption permanent, narrowing the scope of VCDPA to Business to Consumer (B2C) businesses and excludes a private right of action.

Colorado Privacy Act

On June 8, 2021, the Colorado state legislature passed the third consumer privacy bill, the Colorado Privacy Act ("CPA") in the United States. CPA will go into effect on July 1, 2023, six months after the CPRA and VCDPA. CPA does not impose significant new obligations that are not already covered under the other state laws. Like the VCDPA, employment and business contact data are exempted from the law; there is no private right of action; data protection assessments will be required for certain activities and consent will be necessary for the processing of sensitive personal information.

Impact to Employers

If 2021 is any indication of what lies ahead, consumer privacy will continue to be on the legislative agenda as more states introduce comprehensive consumer privacy bills. Whether states choose to adopt the easy-to-understand models of Virginia and Colorado, or the more complex and sometimes ambiguous California model, or create their own, U.S. consumer data privacy is an area that employers will need to continue to monitor.

For a deeper analysis of the Virginia Consumer Data Privacy Act please see the Morrison & Foerster article, published in CPO Magazine.

With numerous states pursuing consumer-privacy legislation this year, the calls for a federal comprehensive privacy bill continue to grow. Although there is bipartisan interest to adopt a federal privacy law, it is difficult to predict if and/or when a federal law may be adopted. Inclusion of a private right of action, which has been controversial, and potential federal preemption of state laws on the subject are examples of matters that may hinder future federal legislation in this area. ADP will continue to monitor the situation and will provide updates as needed.

ADP Compliance Resources

ADP maintains a staff of dedicated professionals who carefully monitor federal and state legislative and regulatory measures affecting employment-related human resource, payroll, tax and benefits administration, and help ensure that ADP systems are updated as relevant laws evolve. For the latest on how federal and state tax law changes may impact your business, visit the ADP Eye on Washington Web page located at www.adp.com/regulatorynews.

ADP is committed to assisting businesses with increased compliance requirements resulting from rapidly evolving legislation. Our goal is to help minimize your administrative burden across the entire spectrum of employment-related payroll, tax, HR and benefits, so that you can focus on running your business. This information is provided as a courtesy to assist in your understanding of the impact of certain regulatory requirements and should not be construed as tax or legal advice. Such information is by nature subject to revision and may not be the most current information available. ADP encourages readers to consult with appropriate legal and/or tax advisors. Please be advised that calls to and from ADP may be monitored or recorded.

If you have any questions regarding our services, please call 855-466-0790.

ADP, Inc.

One ADP Boulevard, Roseland, NJ 07068


Updated on August 5, 2021

Download a PDF version of this article here.