Martin Tully discusses state level consumer data privacy laws and their impact on how retail companies deal with consumer data in the Modern Retail article, “Unpacked: How retailers can keep up with CPRA and other data privacy laws.”

Martin Tully, a privacy lawyer and partner with Redgrave LLP, said there’s a renewed interest in reviewing privacy policies because of CPRA and other state laws.  The Virginia Consumer Data Protection Act, signed into law in March 2021, goes into effect on January 1.

Similar to CCPA, it will allow consumers to access their personal data from companies, or opt out of having their data sold.  Unlike CCPA, it’s not based on revenue figures; the law will apply to companies that control or process personal data of at least 100,000 Virginia consumers, or control data of at least 25,000 Virginia consumers and make at least 50% of their gross revenue from the sale of data.  Ultimately the attorney general will be charged with enforcement.

Other data privacy laws go into effect in Colorado and Connecticut in July 2023. Utah’s Consumer Privacy Act will go into effect on December 31, 2023.

“One of the things that we’re doing right now is trying to remind clients if they haven’t already acted that they don’t have much time left,” Tully said.

Redgrave LLP’s Tully said ensuring compliance begins with looking at what data is being collected, why and where it’s held. He said this is particularly important for retailers that may have loyalty programs or rewards programs.

“What you don’t know can and will hurt you,” he said.

Tully said companies also have to be aware of what third-party contractors and service providers who handle personal data may be doing on a company’s behalf. That can be a massive undertaking for national or global companies that may have hundreds or even thousands of contractors.

“It absolutely is a bigger challenge for bigger companies who have more service providers,” Tully said.

For an e-commerce client, Tully said, that might mean examining the data protocols of third-party marketplaces where its products are sold.

“If you don’t actively monitor them and audit them, you may not be in a position to take the defense, should there be an issue down the road where, say, a service provider is breached,” Tully said.


Tully said companies that want to improve data privacy practices should ensure that they’re using simple language to explain the rules to customers, and ensure that policies are factually correct. He also advised companies to review data privacy rules any time there’s a new site update or third-party tool because that could affect data capture or storage.

“It’s a question of doing that data mapping exercise, and then doing it periodically. And particularly anytime there’s some new tool or function that’s introduced into your website, or your e-commerce platform, or even your workflows within an organization,” Tully said.

Read the full Modern Retail article here.