⚠ We would appreciate if you would disable your ad blocker when visiting our site! ⚠

2021 Privacy Legislative Update

Order a reprint of this story
Close (X)

To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.


November 19, 2021
Privacy Law
Sean Cox

In 2018 the European Union’s General Data Protection Regulation (GDPR) ushered in a new era of comprehensive privacy legislation. Privacy concerns seem to have reached a crescendo first among the citizens of the European Union. At the time of the GDPR, data privacy was still a nascent fear in many other areas of the world. 

However, even before its effective date, most privacy professionals considered it only a matter of time before comprehensive privacy regulation spread worldwide. Those predictions have been proven correct. The GDPR has been followed by privacy legislation in several other countries. 

Lacking a uniform comprehensive privacy regulation at the national level, states in the United States are left to go their own way. In 2020, the California Consumer Privacy Act (CCPA) took effect, becoming America’s first important foray into comprehensive privacy legislation. 

As expected, 2021 has seen more states and countries enact their own comprehensive privacy legislation. Domestically, Virginia and Colorado have passed legislation to regulate consumer privacy. The most important foreign law is the Personal Information Protection Law (PIPL),  slated for enforcement beginning Nov. 1, 2021, and is a law passed by China’s National People’s Congress Standing Committee, which aims to establish a personal information protection system with Chinese features that are also in line with international standards.  Each of these laws contains important nuances well beyond the scope of this article. This article is intended to provide a general overview of the 2021 laws – specifically whom each piece of legislation is intended to control, whom and what it’s intended to protect – and some of the most important requirements. The need for detailed analysis can’t be overstated.

Virginia – Consumer Data Protection Act (CDPA)
Already enacted into law, the Consumer Data Protection Act (CDPA) will take effect Jan. 1, 2023. The CDPA applies to companies that conduct business in Virginia or target Virginia residents for the sale of goods or services, and either: 

  • Control or process data of at least 100,000 Virginia residents.
  • Derive at least 50% of their revenue from the sale of personal data and control or processes data of at least 25,000 Virginia residents. 

The CDPA defines personal data as any information linked or reasonably linkable to an identified or identifiable person. A second category –  sensitive data –  includes data revealing: 

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Personal data of a known child
  • Geolocation data

Virginia consumers have the right to 

  • Know if a company is processing their data.
  • Access their data.
  • Correct any inaccuracies.
  • Data portability. 

Consumers also have the right to opt out of: the sale of personal information, targeted advertising and  profiling decisions based upon their personal information. The CDPA also mandates data minimization practices, technical safeguards and data processing agreements.  The CDPA doesn’t create private right of action, but it does empower the Virginia attorney general to seek fines up to $7,500 per violation and injunctive relief.

Colorado – Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) passed into law July 7, 2021. It’s similar to Virginia's CDPA in many ways. It applies to companies that conduct business in Colorado or target Colorado residents for goods or services, and either: 

  • Control or process data of 100,000 or more Colorado residents.
  • Derive revenue from the sale of personal data and control or process data of at least 25,000 Colorado residents. 

The CPA also recognizes two types of data. Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable individual. Sensitive data is similar to that in the CDPA, but doesn’t include geolocation data.

Companies subject to the CPA are required to provide privacy notices, implement a universal opt-out process, fulfill consumer requests regarding their personal information and perform data protection assessments.

Colorado residents have the right to access, correct, delete or transfer their personal information. They also can opt out of the processing of their personal data for any of the following:  

  • The sale of personal information. 
  • Targeted advertising.
  • Profiling decisions based upon their personal information.

The CPA also requires data minimization and contractual oversight of downstream processors.

It doesn’t create private right of action, but does empower the Colorado attorney general and district attorneys to enforce its provisions with the possibility of $20,000 fines per violation.

China – Personal Information Protection Law (PIPL)
Beginning Nov. 1, 2021, China will begin enforcing the Personal Information Protection Law (PIPL), which is similar to much of the GDPR. It applies to personal information processing activities by personal information processing entities, which are defined as an organization or individual that independently determines the purposes and means for processing of personal information. 

The PIPL applies to processing activities inside China and also those outside China if the processing is: 

  • To provide products or services to individuals in China. 
  • Analyze or assess the behavior of individuals in China.
  • Or for other purposes specified by law, which are, as yet, undefined. 

Any company outside of China to which the PIPL applies must appoint a designated representative in China for PIPL compliance. 

The PIPL requires a lawful basis for all personal information processing. It describes several categories of activities that meet this standard, many of which are similar to the GDPR. The most important categories are: 

  • Processing after obtaining the individual’s revocable, voluntary and informed consent. 
  • Processing necessary to perform a contract where the individual is a party.

Lastly, PIPL also limits cross-border transfers of personal data. It mandates that some entities maintain personal information in China. Those entities may be limited from transferring it outside of China without government approval. This mandate applies to entities that are critical information infrastructure operators or those that process a certain volume of personal information. Both categories are, at present, loosely defined.

Proposed Legislation
As these new laws join and build off the GDPR and CCPA, so will laws from other states and countries. At press time, several other states, including Massachusetts, New York, North Carolina, Ohio and Pennsylvania, have some form of proposed comprehensive data privacy legislation. 

The next several years will see increasing numbers of enacted and proposed privacy legislation. More citizens will be protected by data privacy regulation and more companies will be governed by it. Unfortunately, the proliferation of these regulations will inevitably lead to conflict between the laws, especially for U.S. companies which may be subject to the laws of several states. 

Until there’s comprehensive data privacy legislation at the federal level, it will be up to the states to legislate for their own citizens. While the U.S. Congress has considered several data privacy bills, none has come close to passing so far. Ultimately, it may be the industry itself, yearning for a uniform set of standards, that leads to comprehensive privacy legislation at the federal level.

Sean Cox, CIPP/US, is an attorney in the Atlanta office of Hall Booth Smith. His practice involves both domestic and global data privacy and security regulation.

©2021 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent. For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.