
In No Time At All, Virginia Consumer Data Protection Act Becomes Law

On March 2, Virginia Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act. House Bill 2307 was introduced Jan. 20, 2021, and a substitute was passed in the House just nine days later. Its companion, Senate Bill 1392, followed a similar trajectory, and on Feb. 19 each chamber concurred in the other's substitute. The Act will become effective Jan. 1, 2023.

Applicability

The Act applies to persons that conduct business in Virginia or produce products or services targeted to Virginia residents and:

  1. During a calendar year, control or process personal data of at least 100,000 Virginia consumers; or
  2. Control or process personal data of at least 25,000 Virginia consumers and derive over 50 percent of gross revenue from the sale of personal data.

Personal and Sensitive Data

“Personal data” is, simply, “any information that is linked or reasonably linkable to an identified or identifiable natural person,” and “does not include de-identified data or publicly available information.”

“Sensitive data” is any category of personal data that includes:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. The personal data collected from a known child; or
  4. Precise geolocation data.

Exemptions

The Act does not apply, among other things, to:

  1. Financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA);
  2. Covered entities and business associates governed by the Health Insurance Portability and Accountability Act rules related to data privacy and security;
  3. Institutions of higher education;
  4. Activity related to the use of personal information regulated by the Fair Credit Reporting Act;
  5. Data processed or maintained for certain employment purposes.

Notably, the GLBA exemption covers not only data subject to the GLBA (as the California Consumer Privacy Act (CCPA) does) but also financial institutions themselves when they are subject to the GLBA.

Consumer Rights

Consumers have the right to:

  1. Access their personal data;
  2. Correct inaccurate personal data;
  3. Delete personal data, in certain circumstances;
  4. Obtain a copy of the personal data they previously provided to a controller;
  5. Opt out of the processing of their personal data for purposes of targeted advertising, sale of personal data or certain profiling activities;
  6. Appeal a controller’s refusal to take action on a request;
  7. Submit a complaint to the attorney general if an appeal is denied.

Controllers

Controllers’ responsibilities include:

  1. Providing consumers with methods to submit requests to exercise their rights;
  2. Responding to consumers' requests and providing an appeal process;
  3. Providing consumers with a privacy notice;
  4. Not processing sensitive data without consent;
  5. Conducting and documenting a data protection assessment for the processing of sensitive data or processing related to targeted advertising, sale of personal data or certain profiling activities;
  6. Limiting the collection and processing of personal data to only that which is reasonably necessary;
  7. Implementing reasonable administrative, technical and physical safeguards to protect personal data;
  8. Ensuring contracts with processors contain the elements specified in the Act.

Enforcement

The Act does not provide a private right of action. Enforcement rests with the attorney general: if an alleged violation is not cured within 30 days of written notice, the attorney general may seek an injunction and a civil penalty of up to $7,500 per violation.

Impression

Only eight pages in length, the legislation is concise and understandable, and it has clearly benefited from the lessons learned from the CCPA. Businesses already complying with the CCPA should have little difficulty accommodating the Virginia Act.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional through the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/
