Privacy Moves to the East Coast: Virginia Set to Enact Comprehensive Consumer Data Protection Law

Virginia is primed to become the next U.S. state to pass comprehensive data-privacy legislation with striking similarities to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the E.U.’s General Data Protection Regulation (GDPR).

The legislation, known as the Consumer Data Protection Act, passed the Virginia House of Delegates on January 29 by a vote of 89-9. On February 3, the Virginia Senate unanimously approved an identical bill 39-0. All that is left now is for Gov. Ralph Northam to sign the bill into law. If passed, the law will become effective alongside CPRA, on January 1, 2023.

Key Provisions of the Consumer Data Protection Bill

Applicability

This legislation is applicable to businesses that either conduct business in Virginia or “produce products or services that are targeted to” Virginia and “during a calendar year, (1) control or process personal data of at least 100,000” Virginians or that (2) “control or process personal data of at least 25,000 [Virginians] and derive over 50 percent of gross revenue from the sale of personal data.”

Interestingly, “consumer” is defined more narrowly than in the CCPA or CPRA, and only includes a natural person acting in an individual or household context. The definition of consumer affirmatively excepts any natural person acting in a commercial or employment context.

Additionally, there are broad exemptions for financial institutions subject to the federal Gramm-Leach-Bliley Act and covered entities and business associates governed by HIPAA or HITECH. Non-profit organizations and institutions of higher education are also exempt under the proposed legislation.

Personal Data

The legislation broadly defines “personal data” to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Privacy Rights

The legislation gives consumers an opt-out right regarding “the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” It also provides consumers with the right to confirm if their data is being processed, to correct inaccuracies, to data deletion, and to data portability. A similarity between this legislation and the newly enacted CPRA is that both provide an explicit opt-out right extended to targeted advertising and profiling.

Data Protection Assessments

The legislation imposes new obligations, not currently required under any U.S. privacy law, including a new requirement for data controllers to conduct data protection assessments of any processing activities that involve personal data used in any of the following: (a) targeted advertising, (b) sale of personal data, (c) for purposes of profiling, (d) sensitive data, and (e) data that presents a heightened risk of harm to consumers.

The Virginia attorney general can request that a controller disclose data protection assessments, and the attorney general is specifically tasked with evaluating data protection assessments for compliance with the responsibilities set out in the proposed legislation. There is also a specific provision that prevents the waiver of attorney-client privilege or work product protection when the assessment is requested or turned over to the attorney general for review.

Consent

The legislation defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” This is a very high standard and similar to the consent standard established by the GDPR.

Enforcement

Notably, the legislation does not provide for a private right of action; rather, the attorney general will have the exclusive right to enforce the law. The attorney general may seek up to $7,500 per violation of the law.

Conclusion

It is anticipated that the law will continue to move quickly through the legislative process and could be signed into law by the governor by the end of February. With what looks to be at least two new comprehensive state laws on the horizon, first in California with CPRA and likely in Virginia, companies need to start planning now for implementation of these laws in 2023. Bradley’s Cybersecurity and Privacy team is here to help. Stay tuned for further updates and alerts from Bradley on state privacy law developments, including Virginia’s privacy rights and obligations, by subscribing to Bradley’s privacy blog, Online and OnPoint.

Erin Jane Illman

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly advises clients on CCPA, GLBA, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws. In addition to providing proactive privacy and information security compliance and legal advice, Erin manages privacy-related enforcement actions and litigation. Her practice includes representing companies in reactive incident response situations, including insider cybersecurity threats, electronic and physical theft of trade secrets, and investigation, analysis, and notification efforts with respect to security incidents and breaches.

Junaid Odubeko

Junaid Odubeko is a litigator whose practice focuses on advising and representing clients in complex commercial and business disputes and real estate litigation. Businesses turn to Junaid for assistance with matters involving contract disputes and business torts. Junaid also represents clients in litigation involving real estate contracts and condemnation actions. He is known as a hard-working and dedicated attorney, and his clients rely on him for his thoughtful, effective, and efficient resolution of their legal needs. Junaid has represented clients in many industries, including healthcare, financial services, transportation, lodging and entertainment, and insurance.