
A wave of new state privacy legislation may be on the horizon

Elizabeth Casale March 12, 2021

A number of states have proposed new privacy legislation this year. One state, Virginia, has passed a statute that now makes it the second in the U.S. to enact comprehensive privacy legislation.


On March 2, 2021, the Virginia Governor signed into law the country’s second comprehensive privacy law, the Consumer Data Protection Act. The Virginia bill includes some similarities to the CCPA, but adopts more of its terminology from the European Union’s General Data Protection Regulation. The act grants consumers the right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Consumers also have the right to access, delete and correct their personal information. The act does not include a private right of action, and its enforcement will be left to the Virginia state Attorney General.


In Florida, Florida House Bill 969, introduced on February 15, 2021, would, among other things:

  • Revise the definition of “personal data” to add information to data breach reporting requirements;

  • Require businesses that collect consumer personal data to disclose specified information on sale and collection to the consumer at or before collection;

  • Allow a consumer to opt out of third-party disclosure of personal information collected by a business, and prohibit businesses from selling or sharing a consumer’s information if the consumer has opted out;

  • Allow consumers to request that the business disclose the personal information collected about the consumer; and allow consumers to request that the business correct or delete the consumer’s personal information.

The Bill also includes “a private right of action for consumers whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access” and gives the Department of Legal Affairs authority to bring civil actions for intentional or unintentional violations and authority to adopt rules.


In Oklahoma, the Oklahoma Computer Data Privacy Act, which passed the state House of Representatives on March 4, 2021, would require prior consent before covered entities collect and sell the personal data of Oklahoma residents. The Computer Data Privacy Act would also give Oklahoma residents the ability to request disclosure of the information businesses have on the consumer as well as the ability to request that the information be deleted. The Oklahoma Computer Data Privacy Act would be enforced by the Oklahoma Corporation Commission, but a private right of action was removed before passage by the state House.


New York, Minnesota, Utah and Washington have all proposed state privacy bills as well. New York also has a proposed Biometric Privacy Act, which we’ve discussed in depth here.

We will continue to monitor and provide updates on state-level privacy legislation as it is introduced.

Libby Casale is an associate in Thompson Coburn’s Business Litigation group.
