On March 2, Virginia Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act. House Bill 2307 was introduced Jan. 20, 2021, and a substitute was passed in the House just nine days later. Its companion, Senate Bill 1392, followed a similar trajectory and on Feb. 19, each chamber concurred in the other’s substitute. The Act will become effective Jan. 1, 2023.
The Act applies to persons that conduct business in Virginia or produce products or services targeted to Virginia residents and:
- During a calendar year, control or process personal data of at least 100,000 Virginia consumers; or
- Control or process personal data of at least 25,000 Virginia consumers and derive over 50 percent of gross revenue from the sale of personal data.
Personal and Sensitive Data
“Personal data” is, simply, “any information that is linked or reasonably linkable to an identified or identifiable natural person,” and “does not include de-identified data or publicly available information.”
“Sensitive data” is any category of personal data that includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- The personal data collected from a known child; or
- Precise geolocation data.
The Act does not apply, among other things, to:
- Financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA);
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act rules related to data privacy and security;
- Institutions of higher education;
- Activity related to the use of personal information regulated by the Fair Credit Reporting Act;
- Data processed or maintained for certain employment purposes.
Notably, the GLBA exemption covers not only data subject to the GLBA, as under the California Consumer Privacy Act (CCPA), but also financial institutions subject to the GLBA as entities.
Consumers have the right to:
- Access their personal data;
- Correct inaccurate personal data;
- Delete personal data, in certain circumstances;
- Obtain a copy of the personal data they previously provided to a controller;
- Opt out of the processing of their personal data for targeted advertising, the sale of personal data or certain profiling activities;
- Appeal a controller’s refusal to take action on a request;
- Submit a complaint to the attorney general if an appeal is denied.
Controllers’ responsibilities include:
- Providing consumers with methods to submit requests to exercise their rights;
- Responding to consumers’ requests and providing an appeal process;
- Providing consumers with a privacy notice;
- Not processing sensitive data without consent;
- Conducting and documenting a data protection assessment for the processing of sensitive data or processing related to targeted advertising, sale of personal data or certain profiling activities;
- Limiting the collection and processing of personal data to only that which is reasonably necessary;
- Implementing reasonable administrative, technical and physical safeguards to protect personal data;
- Ensuring contracts with processors contain the elements specified in the Act.
The Act does not provide a private right of action. If an alleged violation is not cured within 30 days, the attorney general may seek an injunction and a civil penalty up to $7,500 per violation.
Only eight pages in length, the legislation is concise and understandable, obviously having benefited from the lessons learned from the CCPA. Businesses complying with the CCPA should have little difficulty accommodating the Virginia Act.