Virginia Set To Pass Major Consumer Privacy Legislation
On February 5, 2021, the Virginia Senate voted unanimously to approve Senate Bill 1392, titled the Consumer Data Protection Act (the “CDPA”), after the House of Delegates approved an identical House bill. Lawmakers must reconcile the two bills before the end of the session on February 27, 2021, and, assuming a reconciled bill passes both houses, it will be sent to Gov. Ralph Northam to either sign into law or veto.
If the governor signs it, Virginia would become the second state to enact major consumer privacy legislation of general applicability. The CDPA would establish a comprehensive framework for controlling and processing the personal data of Virginia residents and would take effect January 1, 2023. It also would grant Virginia residents certain rights with respect to their personal data, including rights of access, correction, deletion, and portability, the right to opt out of certain processing (including targeted advertising, the sale of personal data, and certain profiling), and the right to appeal a controller’s decision on a rights request. The bill includes requirements relating to data minimization, processing limitations, data security, non-discrimination, third-party contracting, and data protection assessments, and it imposes certain obligations directly on processors, i.e., entities that process personal data on behalf of a controller.
The CDPA would apply to persons and businesses that “conduct business in the Commonwealth” or “produce products or services that are targeted to” Virginia residents and that (a) control or process the personal data of at least 100,000 Virginia residents during a calendar year, or (b) control or process the personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data. As we’ve seen with other proposed privacy legislation, the CDPA contains a number of exemptions. It would not apply to the Commonwealth or its political subdivisions, financial institutions subject to the Gramm-Leach-Bliley Act, non-profit organizations, institutions of higher education, or covered entities and business associates governed by HIPAA.
The CDPA defines “personal data” broadly to include any information that is linked or reasonably linkable to an identified or identifiable individual; de-identified data and publicly available information are excluded from the definition. Covered businesses must obtain consent before processing sensitive data (such as data revealing racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data, precise geolocation data, and the personal data of a known child). Additionally, consumers must be informed of the purposes for which their personal data is collected, and covered businesses may not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes without first obtaining the consumer’s consent.
The Virginia Attorney General would have exclusive enforcement authority. Before initiating an action, the Attorney General’s office would have to give the controller or processor written notice of the alleged violation and a 30-day period to cure it. For uncured violations, the Attorney General would be able to file an action seeking an injunction and civil penalties of up to $7,500 per violation. Notably, the CDPA does not provide a private right of action.