New State Privacy Laws in Florida and Virginia Will Be Modeled after GDPR and CCPA

A full three years after the passage of the California Consumer Privacy Act of 2018, more state legislatures have finally begun to work on their respective versions of privacy laws. Currently, as of 2021, Virginia and Florida lead the way by authoring their own legislative acts that address consumer privacy.

New State Privacy Laws Use GDPR and CCPA as Models

Virginia and Florida’s proposed privacy laws, slated for 2023 and 2022 respectively, model themselves after the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”), signaling that Virginia and Florida are both willing to take a stricter stance on consumer privacy than the protections that currently exist at the federal level. Both state laws will apply to companies conducting business within their respective state borders or businesses that process or control the personal data of a significant number of state residents. 

Exemptions in New State Privacy Laws

There still exists, however, notable exemptions for companies that meet certain qualifications. For example, Virginia exempts non-profits, institutions of higher-education, financial institutions, data that is subject to the Gramm-Leach-Bliley Act (“GLBA”), and entities that would be subject to HIPAA. Florida, by contrast, exempts employers that collect or disclose employee personal information within the context of employment, HIPAA-covered entities and related business associates, data sold or shared by a consumer reporting agency when used to generate compliant credit reports, data collected for research in the public interest, GLBA data, and data covered by two specific laws: the Driver’s Privacy Protection Act and the Family Educational Rights and Privacy Act.

Key Takeaways on New State Privacy Laws

Virginia and Florida are the newest states to introduce state privacy laws that address:

• The personal data of residents within their respective states;

• Businesses that control or access personal data of their respective states’ residents; and

• Exemptions to the law that are available under specific circumstances for qualifying companies.

For more information on data privacy, see our Technology & Data Legal Services and Industry Focused Legal Solutions pages.