Privacy Moves to the East Coast: Virginia Set to Enact Comprehensive Consumer Data Protection Law

Virginia is primed to become the next U.S. state to pass comprehensive data-privacy legislation with striking similarities to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the E.U.’s General Data Protection Regulation (GDPR).

The legislation, known as the Consumer Data Protection Act, passed the Virginia House of Delegates on January 29 by a vote of 89-9. On February 3, the Virginia Senate unanimously approved an identical bill 39-0. All that is left now is for Gov. Ralph Northam to sign the bill into law. If passed, the law will become effective alongside CPRA, on January 1, 2023.

Key Provisions of the Consumer Data Protection Bill

Applicability

This legislation is applicable to businesses that either conduct business in Virginia or “produce products or services that are targeted to” Virginia and “during a calendar year, (1) control or process personal data of at least 100,000” Virginians or that (2) “control or process personal data of at least 25,000 [Virginians] and derive over 50 percent of gross revenue from the sale of personal data.”

Interestingly, “consumer” is defined more narrowly than CCPA or CPRA, and only includes a natural person acting in an individual or household context. The definition of consumer affirmatively excepts any natural person acting in a commercial or employment context.

Additionally, there are broad exemptions for financial institutions subject to the federal Gramm-Leach-Bliley Act and covered entities and business associates governed by HIPAA or HITECH. Non-profit organizations and institutions of higher education are also exempt under the proposed legislation.

Personal Data

The legislation broadly defines “personal data” to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Privacy Rights

The legislation gives consumers an opt-out right regarding “the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” It also provides consumers with the right to confirm if their data is being processed, to correct inaccuracies, to data deletion, and to data portability. A similarity between this legislation and the newly enacted CPRA is that both provide an explicit opt-out right extended to targeted advertising and profiling.

Data Protection Assessments

The legislation imposes new obligations not currently required under any U.S. privacy law, including a new requirement for data controllers to conduct data protection assessments of any processing activities that involve personal data used in any of the following: (a) targeted advertising, (b) the sale of personal data, (c) profiling, (d) sensitive data, and (e) data that presents a heightened risk of harm to consumers.

The Virginia attorney general can request that a controller disclose data protection assessments, and the attorney general is specifically tasked with evaluating data protection assessments for compliance with the responsibilities set out in the proposed legislation. There is also a specific provision that prevents the waiver of attorney-client privilege or work product protection when the assessment is requested or turned over to the attorney general for review.

Consent

The legislation defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” This is a very high standard and similar to the consent standard established by the GDPR.

Enforcement

Notably, the legislation does not provide for a private right of action; rather, the attorney general will have the exclusive right to enforce the law. The attorney general may seek up to $7,500 per violation of the law.

Conclusion

It is anticipated that the law will continue to move quickly through the legislative process and could be signed into law by the governor by the end of February. With what looks to be at least two new comprehensive state laws on the horizon, first in California with CPRA and likely in Virginia, companies need to start planning now for implementation of these laws in 2023. Bradley’s Cybersecurity and Privacy team is here to help. Stay tuned for further updates and alerts from Bradley on state privacy law developments, including Virginia’s privacy rights and obligations, by subscribing to Bradley’s privacy blog, Online and OnPoint.

Erin Jane Illman

Recognized as a Board Certified Specialist in Privacy and Data Security Law by the State of North Carolina, Erin Illman is an experienced thought leader in privacy, security, and the integration of technology into business practices. Erin is co-chair of Bradley’s Cybersecurity and Privacy Practice Group and leads the Firm’s Fintech team. After practicing in Silicon Valley and the San Francisco Bay Area for over a decade, Erin uses her deep experience with California state regulations to help clients navigate privacy and security concerns, consumer protection laws, as well as other challenging legal matters that arise in the privacy space. She regularly advises clients on CCPA, GLBA, GDPR, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws.

Junaid Odubeko

Junaid Odubeko is a litigator whose practice focuses on advising and representing clients in complex commercial and business disputes and real estate litigation. Businesses turn to Junaid for assistance with matters involving contract disputes and business torts. Junaid also represents clients in litigation involving real estate contracts and condemnation actions. He is known as a hard-working and dedicated attorney, and his clients rely on him for his thoughtful, effective, and efficient resolution of their legal needs. Junaid has represented clients in many industries, including healthcare, financial services, transportation, lodging and entertainment, and insurance.

Lissette C. Payne

Lissette Payne is an attorney in Bradley’s Banking and Financial Services Practice Group. She is designated as a Certified Information Privacy Professional by the International Association of Privacy Professionals, with U.S. Private Sector (CIPP/US) and European (CIPP/E) concentrations.

Lissette received a J.D. from the University of North Carolina School of Law, where she was president of the Hispanic/Latino Law Student Association, co-chair of the Student Bar Association’s Multicultural and Diversity Committee and a member of the Hispanic/Latino Law Student Association Moot Court Team. She received her B.A. in Political Science from the University of North Carolina at Chapel Hill.