DOJ Aggressively Targeting PPP Loan Recipients for Fraud: What Businesses Need to Know

More than five million businesses applied for emergency loans under the Paycheck Protection Program (PPP), and with a hurried implementation that prevented a full diligence process, it’s not surprising the program became a target for fraud. The government is now aggressively conducting investigations, employing both criminal and civil enforcement actions. On the civil lawsuit front, companies that received PPP loans should be aware of actions brought under the False Claims Act (FCA) and the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). This advisory details some of the key points of these enforcement tools and what the government looks for when prosecuting fraudulent conduct.

How will PPP Loan Fraud Enforcement Under the FCA Work?

A company can be liable under the FCA if it knowingly presents a false or fraudulent claim for payment or approval to the government or uses a falsified record in the course of making a false claim. 31 U.S.C. § 3729(a)(1)(A), (B). The FCA allows the government to recover up to three times the amount of the damages caused by the false claims in addition to financial penalties of not less than (as adjusted for inflation) $12,537, and not more than $25,076 for each claim.

The FCA can be enforced by individuals through qui tam lawsuits. This means a private individual, known as a relator, can file a lawsuit on behalf of the government. When a qui tam case is filed, it remains confidential (under seal) while the government reviews the claim and decides whether to intervene in the case. If the lawsuit is successful, the relator is entitled to a portion of the reward.

The False Claims Act has been used to pursue fraud claims in connection with PPP loan applications. Any company that participated in the PPP by applying for a loan should retain documentation justifying all statements made on the loan application and evidencing how any funds obtained through the loans were utilized.

How will PPP Loan Fraud Enforcement Under FIRREA Work?

The government is also utilizing FIRREA in response to fraudulent conduct related to PPP loans. FIRREA is a “hybrid” statute, predicating civil liability on the government’s ability to prove criminal violations. The statute allows the government to recover penalties against a person who violates specifically enumerated criminal statutes such as bank fraud, making false statements to a bank, or mail or wire fraud “affecting a federally insured financial institution.” 12 U.S.C. §1833a.

To establish liability under FIRREA, the government does not have to prove any additional element beyond the violation of that offense and that the violation “affect[ed] a federally insured financial institution.” The government has invoked FIRREA in the context of PPP loan fraud by stating the fraud related to obtaining the loan falls under one or more of the predicate offenses set forth in the statute.

What Factors Determine PPP Loan Fraud Penalties Under FIRREA?

While the assessment of a penalty is mandatory under FIRREA, the amount of the penalty is left to the discretion of the court but may not exceed $1.1 million per offense. There is an exception to this maximum penalty, however, if the person against whom the action is brought profited from the violation by more than $1.1 million. FIRREA then allows the government to collect the entire amount gained by the perpetrator through the fraud. The actual amount of the penalty is determined by the court after weighing several factors including:

  • The good or bad faith of the defendant and the degree of his/her knowledge of wrongdoing;
  • The injury to the public, and whether the defendant’s conduct created substantial loss or the risk of substantial loss to other persons;
  • The egregiousness of the violation;
  • The isolated or repeated nature of the violation;
  • The defendant’s financial condition and ability to pay;
  • The criminal fine that could be levied for this conduct;
  • The amount the defendant sought to profit through his fraud;
  • The penalty range available under FIRREA; and
  • The appropriateness of the amount considering the relevant factors.

The government favors utilizing FIRREA penalties to pursue fraud claims for several reasons. The statute of limitations provided in 12 U.S.C. §1833a(h) is 10 years, which is much longer than most civil statutes of limitations. The standard of proof required to impose penalties is preponderance of the evidence, rather than the higher “beyond a reasonable doubt” standard that must be met in a criminal prosecution.

Checklist for PPP Loan Recipients

A company that applied for COVID relief funds, such as PPP loans, should ensure it satisfied the eligibility requirements for obtaining the loan, confirm that no false statements were made during the application, and review the rules set forth by the SBA for applying for PPP. The government has shown it is willing to pursue remedies under the FCA and FIRREA for fraudulent statements made regarding a PPP loan application.

For more information about PPP loan eligibility and enforcement issues, contact a member of Varnum’s government investigations team.

Thinking of Establishing Florida Residency? What to Consider Before Changing Your Legal Residence

Our knowledge of sophisticated tax and planning techniques permits us to offer a broad range of services. At Varnum, our Estate Planning Practice Team works continuously to ensure you have an opportunity to explore the most creative and effective techniques in use today to achieve your vision.

Many clients whose family circumstances and employment situation permit them to spend in excess of six months every year in Florida may elect to become Florida residents. The biggest advantage, compared to being Michigan residents, is that Florida has no state income tax. So-called earned income, such as salaries, will continue to be taxed in the state in which they are earned, but “unearned” income such as dividends, interest, rents and retirement benefits will not be subject to state income tax if the recipient is a Florida resident.

Property and Local Tax Considerations

The biggest perceived disadvantage to changing legal residence to Florida is that Michigan and Florida only permit residents to claim a homestead exemption (referred to as the “Principal Residence Exemption” or “PRE” in Michigan); accordingly, a change in residence from Michigan to Florida results in the loss of the Michigan PRE. The PRE exempts your principal residence from the local school district tax of up to 18 mills. Mills are the taxes per each $1,000 of assessed value of your home. Therefore, if the assessed value of your Michigan residence is $300,000 (i.e. an assumed fair market value of approximately $600,000) and your local school millage is the maximum of 18 mills, the principal residence exemption would save you $5,400 annually in property taxes.

It should be noted that changing your residence and rescinding your PRE does not result in a change of the taxable value of your Michigan property (“uncapping”) as long as you continue to own it. If you have owned your Michigan home long enough to have an artificially low real estate tax value (i.e. the cap on annual reassessment of your home’s value on which your property taxes are based means that your taxable property value is lower than it would otherwise be if reassessed annually), that cap on reassessment of the taxable value will not change. The PRE only relates to the local school district tax, so rescinding your PRE means you lose the ability to avoid the local school district tax.

Becoming a Florida resident does permit you to qualify for the Florida homestead exemption, which reduces your assessed value by $25,000 plus an additional $25,000 for non-school taxes on assessed values between $50,000 and $75,000. It also limits future annual increases in assessed value to the lesser of three percent or the percentage change in the Consumer Price Index.

Planning for the Homestead Exemption

There are numerous steps you should take even if you are changing your residence for income tax purposes and do not have a Florida residence that qualifies for the Florida homestead exemption. Be aware, however, that if you become a Florida resident you will lose your PRE in Michigan even if you do not claim a homestead exemption in Florida. You cannot elect to preserve a more valuable Michigan exemption by simply forgoing a claim of homestead exemption in Florida. 

Before turning to the rather intricate steps involved in claiming a homestead exemption in Florida, you should plan to:

  • File a Declaration of Domicile provided by the County Clerk of the county to which you are moving. Each county generally makes the form available on its website.
  • Rescind your personal residence exemption in the Michigan county you formerly claimed as your residence.
  • Register to vote in your new Florida county.
  • File your tax returns with the IRS Service Center in Atlanta as a Florida resident. Remember to file a Michigan return as a partial year resident if you change your residence mid-year or as a non-resident if you continue to have earned income in Michigan.
  • If you plan to apply for a driver’s license in Florida, you should do so within 30 days of filing your Declaration of Domicile. You should also be sure to register your vehicles and insure them with a company doing business in Florida within 10 days of establishing residency.
  • Consider making other less critical changes like updating the address on your passport, maintaining a Florida bank account and using your Florida address on your credit cards.

Reviewing Your Existing Estate Plan

In addition to these important recommendations, nearly every Florida attorney who addresses the topic of changing your residence suggests reviewing your existing estate plan. While an estate plan that is valid where it was signed is valid anywhere, Florida has specific requirements that may warrant an update. For example, Florida law is stringent with regard to who may serve as the personal representative of a decedent’s estate. The personal representative must be one of the following: a Florida resident, certain non-resident family members or entities qualified to do business in Florida.

Additionally, all powers of attorney are given immediate effect in Florida; Florida does not permit springing powers of attorney that are only effective upon incapacity. Florida law does not recognize handwritten or “holographic” wills. Florida does not recognize no-contest or “in terrorem” clauses, which state that someone contesting a decedent’s will or trust receives nothing pursuant to the will or trust as a result of their legal challenge. Finally, you may need to incorporate language in your trust to qualify for Florida’s homestead exemption, whereas special language is not required to obtain Michigan’s PRE.

Our Estate Planning Practice Team includes several attorneys licensed to practice in Florida, as well as attorneys dually licensed in Florida and Michigan who can help with your residency transition. Please contact one of our Estate Planning Attorneys if you have any questions about changing your residency or reviewing your estate plan.

New Rules for Data Transfers Out of the United Kingdom

New rules for personal data transfers to countries outside the United Kingdom enter into force on March 21, 2022. Businesses transferring personal data from the U.K. to countries outside the European Economic Area (EEA) need to analyze their international data flows and potentially update their transfer mechanisms to reflect these new provisions.

Under the U.K. General Data Protection Regulation (GDPR) and the U.K. Data Protection Act 2018 (collectively the “U.K. Data Protection Laws”), companies are required to, among other things, implement valid data transfer mechanisms when transferring personal data outside the U.K. to countries without an adequate level of data protection. Standard contractual clauses (SCCs) are a commonly used mechanism to validate these transfers. Once the Brexit transition period ended on December 31, 2020, the EU-GDPR no longer applied to the U.K. but rather the UK-GDPR. Therefore, when the European Union published revised SCCs in June 2021, they did not automatically apply in the U.K., and U.K. companies continued to rely on the old EU-SCCs to validate data transfers.  

To sort out this complexity, the U.K.’s Information Commissioner’s Office (ICO) recently issued a new toolkit of standardized clauses in the form of two documents. The first is the International Data Transfer Agreement (IDTA). The IDTA may be executed as a standalone agreement to accompany a main contract to ensure compliance with U.K. Data Protection Laws. The second is an addendum to the EU’s 2021 standard contractual clauses (UK Addendum). As noted above, many companies operating internationally already have the EU SCCs in place. The U.K. Addendum to the EU SCCs allows companies subject to both the U.K. Data Protection Laws and the EU-GDPR to secure international data transfers without the need to execute a completely new, separate mechanism such as the IDTA.

For some U.S.-based companies, the new U.K. SCCs could create more complexity in contract negotiations and data transfer activities generally. Companies importing data will need to ensure their internal processes align with both the EU SCCs and U.K. SCCs, including which contract modules apply to each unique relationship. This added complexity may require companies to reassess and potentially revise their methods for executing contracts requiring cross border data transfers.

If the U.K. Parliament makes no further changes, the U.K. SCCs will be effective March 21, 2022. U.K. companies must fully implement the U.K. SCCs by March 21, 2024 and have up to this deadline to update existing contracts with these new clauses. In the meantime, for existing contracts, companies have three options: (1) continue using the older EU SCCs, (2) implement the new IDTA, or (3) implement the new U.K. Addendum along with the EU SCCs. These same options exist for contracts executed between March 21, 2022 and September 21, 2022. For contracts entered into on or after September 21, 2022, companies must use the new U.K. SCCs. This means (1) executing the IDTA in full, or (2) executing the U.K. Addendum with the EU SCCs.

While these new clauses create more legal certainty in the area of data transfers out of the U.K., the numerous contracting options available create additional complexity for U.K. companies and data importers in countries deemed inadequate, such as the U.S. We expect the ICO to issue further guidance on specific IDTA and U.K. Addendum clauses in the coming months.

Featuring a high concentration of CIPP-certified privacy professionals, Varnum attorneys guide businesses through all aspects of data privacy and cybersecurity, from compliance and policy issues to breach preparedness and response.

Utah Likely Next State to Pass Consumer Privacy Law

The Utah Consumer Privacy Act unanimously passed the Utah Senate on February 25 and, with a few minor wording changes, passed unanimously in the Utah House on March 2. The final version is awaiting Governor Spencer Cox’s signature. If signed by the March 24 deadline, the law will take effect December 31, 2023, and make Utah the fourth state with a comprehensive consumer privacy law.

The law applies to controllers or processors that do business in the state or produce a product or service targeted to consumers who are Utah residents; have annual revenue of $25 million or more; and either (a) control or process personal data of 100,000 or more consumers during a calendar year, or (b) derive over 50 percent of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Under the new law, consumers have the right to confirm whether a controller is processing their personal data, obtain a copy of their personal data in a format that is portable and readily usable, and request deletion. Utah’s law most closely resembles Virginia’s Consumer Data Protection Act and does not include a private right of action. This means consumers won’t be able to sue for alleged violations, as the law is only enforceable by the Utah Attorney General (including a 30-day cure period). The law includes broad exemptions for entities regulated under certain federal laws, covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), information governed by HIPAA, financial institutions and information governed by the Gramm-Leach-Bliley Act (GLBA), and personal data regulated by the Family Educational Rights and Privacy Act (FERPA). Unlike California, the law does not provide rulemaking authority for the Utah Attorney General’s Office.

Companies are required to publish privacy notices, providing:

  • the categories of personal data processed;
  • the purpose for the processing;
  • how consumers may exercise a right;
  • the categories of personal data the controller shares with third parties; and
  • the categories of third parties with whom the controller shares personal data.

The Utah Consumer Privacy Act also creates requirements for the processing of “sensitive data,” including requiring that controllers first present consumers with clear notice and an opportunity to opt out of the processing.

It is unlikely the addition of a privacy law in Utah will tip the balance in favor of a federal data privacy law during the current legislative session. We are monitoring state legislative activity and could see at least two more states pass similarly comprehensive consumer privacy laws this session.

U.S. Supreme Court to Review Constitutionality of ICWA

The Indian Child Welfare Act of 1978 (ICWA) was enacted to address the high rates of Indian children being separated from their Indian families and Indian communities. The stated intent of Congress under ICWA was to “protect the best interests of Indian children and to promote stability and security of Indian tribes and families” (25 USC § 1902). Recent years have seen an increased number of challenges to various provisions of ICWA and parallel state statutes in both Federal and state court lawsuits, with opponents alleging the statutory provisions are unconstitutionally race-based.

Today, February 28, 2022, the U.S. Supreme Court agreed to review four petitions arising from an en banc decision of the U.S. Fifth Circuit Court of Appeals from April 6, 2021, in Haaland v Brackeen. In that case, a Federal district judge in Northern Texas invalidated ICWA. The decision was then overruled by a three-member Fifth Circuit panel before consideration by the entire Fifth Circuit bench ultimately upheld key provisions of ICWA.  

The Supreme Court’s decision to review Brackeen is not surprising considering the ongoing dispute impacts not only ICWA and related rules promulgated by the Bureau of Indian Affairs, but also impacts similar statutory mechanisms and procedural standards in a number of states such as the Michigan Indian Family Preservation Act (MIFPA). A date for argument before the Supreme Court has not yet been set.

Don’t Forget About Early Retirement Benefits in DRO Drafting

The ongoing COVID-19 pandemic has contributed, and continues to contribute, to a spike in early retirements. Related benefits must be considered when domestic relations orders (DROs) are prepared to complete division of divorcing parties’ retirement benefits. Benefits related to early retirement include the following:

  • Buy-outs are typically one-time benefit enhancements offered by an employer. An example is an increased employee service period for purposes of calculating pension payments. They are generally considered to be a marital asset.
  • An early retirement supplement is usually an additional pension payment paid from the employee’s date of retirement until the employee reaches age 62 and becomes eligible for social security. Care must be given to address such supplements to avoid an unintended penalty on the employee party.
  • An early retirement subsidy is a benefit intended to induce early retirement for employees meeting certain requirements, such as a specified number of years of service. If the alternate payee takes early payment of his/her share of the pension, he or she may miss a significant benefit if the DRO does not allocate such a subsidy and the employee retires early.

A related pitfall can occur where the alternate payee elects to take his/her portion of a pension early based on an expected early retirement subsidy, but the employee works until full retirement age and the subsidy “ages out” or lapses, penalizing the alternate payee. Careful consideration of these issues must be given in DRO drafting.

Filing Tax Returns and Making Tax Payments: Best Practices During the Pandemic and Beyond

With staffing shortages and service center closures, it should come as no surprise that the IRS has faced a number of challenges during the pandemic. A couple of the biggest challenges have been in the opening and processing of taxpayer correspondence and in the processing of tax returns. As National Taxpayer Advocate, Erin Collins, stated in her Annual Report to Congress, “Paper is the IRS’s Kryptonite, and the IRS is buried in it.”

Going into 2022, the IRS has a significant backlog of unprocessed taxpayer correspondence and unprocessed returns. The estimates are staggering.

  • Five million pieces of unprocessed taxpayer correspondence
  • Over 11 million unprocessed tax returns, including:
    • Six million individual income tax returns
    • 2.3 million amended individual tax returns
    • 2.8 million business returns (income tax and employment tax returns)

The 2022 tax filing season, which opened on Thursday, January 24, for individual income tax returns, has the potential to create even more challenges for the IRS. Below is a list of best practices taxpayers can follow to ensure timely processing of their payments, tax returns, and claims for refund. These practices apply to individuals and to required business filings.

  • File returns and make payments electronically.
  • If you must file a paper return or mail in a payment to the IRS, send the return or payment to the proper address via USPS Certified Mail, Return Receipt Requested. Using this method will assist in resolving timely filing and/or timely payment penalties assessed by the IRS.
  • Properly notate your tax payment and include the form number, tax period and your social security number or employer identification number.
  • Respond to notices from the IRS in a timely manner. 

In addition to the above, the IRS has offered a few filing tips for individuals.

  • Fastest refunds by e-filing, avoiding paper returns: Filing electronically with direct deposit and avoiding a paper tax return is more important than ever to avoid refund delays. If you need a tax refund quickly, do not file on paper – use software, a trusted tax professional or IRS Free File.
  • Filing 2021 tax return with 2020 tax return still in process: For those whose tax returns from 2020 have not yet been processed, 2021 tax returns can still be filed. For those in this group filing electronically, here’s a critical point: taxpayers need their Adjusted Gross Income, or AGI, from their most recent tax return at time of filing. For those waiting on their 2020 tax return to be processed, make sure to enter $0 (zero dollars) for last year’s AGI on the 2021 tax return. Visit Validating Your Electronically Filed Tax Return for more details.

More individual filing tips from the IRS can be found here.

If you have unpaid taxes or unfiled returns, you need an experienced tax attorney to represent you in your dealings with the IRS or the Department of Justice. An accountant or enrolled agent is not protected by attorney-client privilege. Please contact Eric Nemeth of Varnum’s Tax Practice Team with any questions.

Data Privacy Day: When Was The Last Time You Had a Privacy Check?

Every year on January 28, Data Privacy Day is observed as part of an international effort to raise awareness about the importance of data privacy and security. Whether you are an individual interested in protection of your own personal data or a business trying to protect your clients, employees, or other personal information, we hope this article can serve as a reminder to review how you are protecting your valued personal data.

Here are some of our top data privacy and data protection reminders for businesses for the upcoming year.

Know What Type of Personal Data Your Business Collects

Personal data is defined by the European Commission as “any information that relates to an identified or identifiable living individual.”[1] Multiple pieces of personal information which, when put together, would identify an individual are also personal data. Whether a country, state, or locality uses the term “personal data” or “personal information” in its laws or regulations, the general concept remains the same.

Examples of personal data include: first and last name, physical address, personal email address, location data (such as on a cell phone), IP address, driver’s license number, social security number, vehicle identification number, and even data held by a medical provider that could identify a unique individual.

Your business more than likely collects some type of personal data. Taking a first step to identify what type of personal data you collect will help your business comply with any applicable data privacy laws.

Review or Implement Your Privacy Policy

Your privacy policy is your best mechanism for communicating your data privacy practices to your customers and regulators. Besides its utility as a transparency and communication tool, several data privacy laws, including the California Consumer Privacy Act, require annual review and publishing of company privacy policies.

The annual review provides an opportunity for your business to confirm the information published in the policy is current and accurately reflects your practices. Knowing what type of personal data your business collects and why is pertinent, as you will need to disclose the type of personal data collected and scope of use for that data.

To provide the utmost transparency to customers and others interacting with your business, carve out an area of your website to house the current version of your policy, with a linked archive to versions from the past three to five years. When updating your policy, provide a summary at the top or bottom of the new document identifying what changed from the previous year.

Consider How Your Business Responds to a Data Subject Access Request

Knowing what type of personal data your business collects and being transparent about it are important steps toward compliance, but what will your business do if a data subject exercises their right of access under applicable law? What if they ask you to delete their personal data from your systems?

Jurisdictions with data privacy laws and regulations provide various rights for individuals, with an underlying right that a person can “access” the data a company holds about them. Under the EU-GDPR and CCPA, data subjects can ask a company what types of personal data it collects and what specific pieces of their personal data the company holds. Both laws also provide a right of deletion: an individual can ask a company to permanently remove their personal data from its systems, and in most circumstances the company will need to comply with the request within the legal timeline.

Establishing an internal process and procedure for timely responding to these types of rights requests is vital for any business subject to a data privacy law or regulation creating these rights. The key is identifying where the distinct types of personal data are stored on your systems, understanding which individuals in your business have access to those systems in order to assist in processing these requests, and maintaining a structured workflow to ensure proper oversight and ownership of this process.

Create and Enforce a Data Retention Plan

Developing and maintaining a data retention plan for your company will help minimize the amount of personal data your business collects, facilitate internal organization to effectively respond to data subject access requests, reduce the amount of storage and personal data for which you are responsible, and overall increase your company’s strength in the area of data privacy and security.

In setting up a data retention plan, you should make sure it addresses (i) what information is covered; (ii) the timelines you are required to keep such information, which may differ under federal or state law; and (iii) how your company will destroy or remove personal data from your company’s document management system.

The timelines and requirements your data retention plan sets forth should be reasonably enforceable to ensure compliance is achieved.

Maintain Appropriate Privacy Contractual Controls

Knowing what personal data you hold and where it is stored is not enough. Your business also needs to be continuously aware of others with whom you share personal data, especially third-party sub-processors. Data sharing relationships are often spelled out in contractual provisions or addenda. If you work with entities in different countries, cross-border controls such as standard contractual clauses may also come into play. It is important for your business to understand how personal data flows through your company systems, and to keep in mind data sharing interactions throughout the course of your business functions, ensuring the proper controls are in place.

Layer Your Security Controls

An important step in ensuring your company is secure is addressing who has access to the personal data your company stores. Security controls and tools you should consider using include physical controls, digital security controls, and cloud security controls.

  • Physical security controls generally refer to traditional methods of security such as locks, guards, or access key cards that limit a person’s access to certain areas where personal data is kept, stored, or accessible.
  • Digital security controls limit a person’s access to your business’s systems through detailed password requirements, antivirus software, or multi-factor authentication (MFA). MFA is a highly effective tool, as it has been found to prevent up to 99.9 percent of data security hacks.
  • Cloud security controls require coordination with your cloud services provider to ensure the necessary protections are in place to prevent unauthorized access to the stored data and workloads.

Educate Your Workforce

Lastly, your employees are your best defense against phishing and other cyberattacks. If you have not already done so, it should be your 2022 resolution to plan regular cybersecurity trainings for your employees. The trainings should make employees aware of what types of attacks exist and how to identify signs and risks that could expose the company to an attack.

Implementing clear and reasonably enforceable policies and procedures will help your employees know what their responsibilities are, how they can fulfill those responsibilities, and how to react promptly in the case of a data breach.

While cybersecurity and data privacy efforts are sometimes focused on the technology itself to prevent data breaches, it’s important to account for the human element and ensure all employees understand their responsibilities in protecting your company’s security.

What’s New with U.S. State Legislation?

To date, three states – California, Colorado, and Virginia – have enacted consumer data privacy laws that cover many of the topics above.

  • California: Currently, the California Consumer Privacy Act of 2018 (CCPA)[2] governs consumer data privacy in California. On January 1, 2023, the California Consumer Privacy Rights Act (CPRA) will take effect, implementing additional consumer data privacy laws. The CPRA does not replace the CCPA but rather adds to it by expanding individual rights, introducing new governance measures, and creating the California Privacy Protection Agency.
  • Virginia: In Virginia, the Consumer Data Protection Act (CDPA)[3] also becomes effective at the beginning of next year, on January 1, 2023. Similar to the CCPA/CPRA, the CDPA prescribes responsibility and privacy protection standards for businesses that handle or process personal data. Virginia’s CDPA will be enforced by the Attorney General.
  • Colorado: In Colorado, the state legislature enacted the Colorado Consumer Protection Act (CPA)[4], which takes effect on July 1, 2023. The law addresses consumers’ rights and the responsibilities of businesses that handle or process personal data. As in Virginia, the Attorney General will enforce any violations.

In preparation for 2023, businesses will want to become more familiar with the additional requirements of the CPRA, the Colorado CPA, and the Virginia CDPA.

What’s Going On at the U.S. Federal Level?

The United States is lagging in producing a comprehensive data privacy law at the federal level. Dozens of privacy-related bills have been proposed over the past decade from both sides of the aisle and in both the House and Senate chambers. These bills deal with narrow data privacy-related issues such as facial recognition and artificial intelligence or access to records by law enforcement.

In the absence of a comprehensive federal privacy law, some suggest the U.S. Federal Trade Commission may promulgate and enforce an overarching, non-sector specific privacy rule, although any efforts in that direction have not yet been fully explored or finalized.

Please contact your Varnum attorney or any member of the firm’s Data Privacy and Cybersecurity practice team with questions on how you can best protect your or your business’s private information.


[1] There are multiple definitions of “personal data” or “personal information.” While worded slightly differently, they all promote the same understanding of what constitutes personal data. For the purposes of this article, we chose to use the definition provided by the European Commission. https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
[2] Cal. Civ. Code §§ 1798.100 et seq. Note: the CCPA/CPRA has certain threshold requirements before its provisions apply. Generally, a business is subject to the CCPA/CPRA if: (1) it does business in the state of California, and (2) it meets one of the following criteria: (i) it has an annual gross revenue of more than $25,000,000 in the preceding calendar year; (ii) it buys or shares the personal information of 100,000 or more consumers or households; or (iii) it derives 50% or more of its annual revenue from selling consumers’ personal information.
[3] 2021 H.B. 2307/2021 S.B. 1392. The CDPA also has threshold requirements for its application. Generally speaking, the CDPA applies to businesses that either conduct business in Virginia or target Virginia residents through their products or services, and that either (1) control or process the personal data of at least 100,000 consumers, or (2) control or process the personal data of consumers and derive over 50% of gross revenue from the sale of personal data.
[4] Colo. Rev. Stat. § 6-1-1301 et seq. The CPA also has its own threshold for application, requiring that the business conduct business in Colorado or produce or deliver commercial products or services to Colorado residents, and that it either (i) control or process the personal data of at least 100,000 consumers during the calendar year, or (ii) derive revenue or receive a discount on the price of goods or services from the sale of personal data.