Virginia amendment impacts third-party treatment of deletion requests

Julie Rubash, Chief Privacy Counsel
April 18, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


Virginia amendment impacts third-party treatment of deletion requests

Virginia’s Governor signed two amendments to the Virginia Consumer Data Protection Act, one of which, H 381, will impact controllers that receive personal data indirectly from a third party (as opposed to directly from the consumer).

Such controllers may choose to either retain a record of the deletion and the minimal data necessary to ensure the data remains deleted or retain the data entirely but opt the consumer out of the processing of personal data for any purpose except those explicitly exempted in the law. They may not use the retained the data for any other purposes.


The purpose of this amendment was to prevent companies that receive data indirectly from other businesses from deleting consumer data in response to a request and then re-collecting data about the same consumer from an indirect business source. Previously there was no way to track existing deletion requests from consumers if their entire record had been deleted.

This will impact data brokers and other downstream participants in the digital advertising industry.

The other amendment will add political organizations to nonprofits exempted from the law, authorize the Attorney General to pursue actual damages under the law if a violation continues after a 30-day cure period, and change the state fund where damage awards will be deposited.     

Connecticut Bill Progress, While Louisiana and Michigan Bills Make a Late Entrance

Connecticut’s SB 6 resembling the Colorado CPA took several steps forward over the past week, passing out of the Committee on Judiciary and the Legislative Commissioner’s Office and getting referred by the Senate to the Committee on Appropriations.

Meanwhile, Michigan and Louisiana both introduced new privacy bills, resembling Virginia’s and Utah’s privacy laws, respectively.


Connecticut’s legislative session adjourns May 4, so SB 6 will need to be on the fast track (as it seems to be) to pass before sine die.

Louisiana’s session adjourns June 6, which is not a lot of time for a newly introduced bill.

Michigan, on the other hand, has more time with a legislature in session for the remainder of the year.

There are still several other states with active privacy legislation and with a few exceptions, most legislative sessions adjourn within the next couple of months.

Other states to keep an eye on are Oklahoma (session adjourns May 27, but bill must receive a third reading in the Senate by April 28 to survive) and Ohio (full year legislative calendar). 

Colorado AG Announces Topics for Pre-Rulemaking Feedback

 The Colorado Attorney General released a document titled “Pre-Rulemaking Considerations for the Colorado Privacy Act.”

The document outlines the rulemaking process and invites informal input on several topics, including Universal Opt-Out, Consent (including obtaining consent after a consumer has opted out), Dark Patterns, Data Protection Assessments, and Profiling.


The Colorado Privacy Act, which goes into effect July 1, 2023, contains several provisions specific to targeted advertising, including a right for consumers to opt out of the processing of personal data for targeted advertising.

During the first year of the law, this right may be extended either by recognizing universal opt-out mechanisms or by providing a clear and conspicuous opt-out method in any privacy notice.

Starting in 2024, recognition of universal opt-out mechanisms will be mandatory.

However, the law allows consent to targeted advertising obtained by a controller to take precedence over a consumer’s opt out through a universal opt-out mechanism.

Attorney General rulemaking regarding the technical specifications for universal opt-out mechanisms and the requirements for adequate consent will play a crucial role in how the digital advertising industry adapts to these rights and requirements. 

CPPA to Hold Stakeholder Input Sessions

The California Privacy Protection Agency (CPPA) announced that it would hold stakeholder sessions starting May 4, 2022 to aid the Agency in developing regulations under the California Privacy Rights Act.

Stakeholders may sign up in advance or participate during a general public comment period without advance sign-up


The CPPA requested written public comments from September to November 2021 and held public informational sessions on March 29 and March 30, 2022 during which it heard from experts on such topics as dark patterns, opt-out preference signals and automated decision-making.

These stakeholder sessions will be the third phase of the CPPA’s preliminary rulemaking activities before it initiates formal rulemaking activities.

Final regulations are not expected to be issued until the latter half of 2022, with the CPRA going into effect on January 1, 2023. 


Stephen Bonner, the Executive Director of the UK Information Commissioner’s Office, issued a statement welcoming Google’s addition of a “reject all” option to cookie consent banners and adding that the ICO expects to see the online advertising industry follow Google’s lead.


 Google’s change to its approach to cookie consent came in response to sanctions from the French Data Protection Authority (CNIL) earlier this year and a notice from the Hamburg Data Protection Authority earlier this month, citing that consent and reject options on Google’s search engine and YouTube consent banners were not equally quickly and easily accessible, thus violating the GDPR.

According to the Hamburg DPA’s statement, similar notifications were sent to other media houses as well, indicating an expectation (similar to the ICO’s statement) of change across the industry. 

EU Reportedly Nears Compromise on DSA

A compromise text of the Digital Services Act (DSA) was reportedly proposed by the French EU presidency that could be the final text.

According to EURACTIV, member states “raised no redlines” in response to the latest text.

The compromise would prohibit advertising based on profiling when platforms are “aware” that the user is a minor or when the profiles are based on certain sensitive data such as religious beliefs, sexual orientation and political views, and it would prohibit use of dark patterns that purposefully or in effect deceive or manipulate recipients of a service by impairing their autonomy, decision-making or choices. 


The European Commission, the European Council and the European Commission have held four trilogues to debate remaining issues in the Digital Services Act since an initial draft was passed by the European Parliament.

The fifth (and perhaps final) trilogue will occur April 22, which may result in a final draft of the DSA.

Targeted advertising to minors and based on sensitive data have been hot topics throughout negotiations, and restrictions have become milder with each proposal. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Bicameral, bipartisan discussion draft of federal privacy bill announced

April 15, 2024

If passed, the American Privacy Rights Act, a comprehensive...

CPPA issues an enforcement advisory on data minimization

April 9, 2024

Their first "enforcement advisory", reminds companies of their data...

Kentucky sends comprehensive privacy bill to governor

April 1, 2024

Kentucky's privacy bill mirrors Virginia's, is set for 2026....

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]