Press "Enter" to skip to content

In No Time At All, Virginia Consumer Data Protection Act Becomes Law

virginia data privacyOn March 2, Virginia Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act.  House Bill 2307 was introduced Jan. 20, 2021, and a substitute was passed in the House just nine days later.  Its companion, Senate Bill 1392, followed a similar trajectory and on Feb. 19, each chamber concurred in the other’s substitute.  The Act will become effective Jan. 1, 2023. 


The Act applies to persons that conduct business in Virginia or produce products or services targeted to Virginia residents and:

  1. During a calendar year, control or process personal data of at least 100,000 Virginia consumers; or
  2. Control or process personal data of at least 25,000 Virginia consumers and derive over 50 percent of gross revenue from the sale of personal data.

Personal and Sensitive Data

“Personal data” is, simply, “any information that is linked or reasonably linkable to an identified or identifiable natural person,” and “does not include de-identified data or publicly available information.”

“Sensitive data” is any category of personal data that includes:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. The personal data collected from a known child; or
  4. Precise geolocation data.


The Act does not apply, among other things, to:

  1. Financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA);
  2. Covered entities and business associates governed by the Health Insurance Portability and Accountability Act rules related to data privacy and security;
  3. Institutions of higher education;
  4. Activity related to the use of personal information regulated by the Fair Credit Reporting Act;
  5. Data processed or maintained for certain employment purposes.

Notably, the GLBA exemption applies not only to data subject to the GLBA, similar to the California Consumer Privacy Act (CCPA), but also to financial institutions subject to the GLBA.

Consumer Rights

Consumers have the right to:

  1. Access their personal data;
  2. Correct inaccurate personal data;
  3. Delete personal data, in certain circumstances;
  4. Obtain a copy of the personal data they previously provided to a controller;
  5. Opt-out of the processing of their personal data if related to targeted advertising, sale of personal data or certain profiling activities;
  6. Appeal a controller’s refusal to take action on a request;
  7. Submit a complaint to the attorney general if an appeal is denied.


Controllers’ responsibilities include:

  1. Providing consumers with methods to submit requests to exercise their rights;
  2. Responding to consumers’ requests and provide an appeal process;
  3. Providing consumers with a privacy notice;
  4. Not processing sensitive data without consent;
  5. Conducting a document and data protection assessment for the processing of sensitive data or processing related to targeted advertising, sale of personal data or certain profiling activities;
  6. Limiting the collection and processing of personal data to only that which is reasonably necessary;
  7. Implementing reasonable administrative, technical and physical safeguards to protect personal data;
  8. Ensuring contracts with processors contain the elements specified in the Act.


The Act does not provide a private right of action.  If an alleged violation is not cured within 30 days, the attorney general may seek an injunction and a civil penalty up to $7,500 per violation.


Only eight pages in length, the legislation is concise and understandable, obviously having benefited from the lessons learned from the CCPA.  Businesses complying with the CCPA should have little difficulty accommodating the Virginia Act.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.