Both houses of the General Assembly of Virginia recently passed versions of the Consumer Data Privacy Act ("CDPA" or "Virginia Privacy Law"). Both the House Bill and Senate Bill would impose strict new requirements on businesses that share the personal information of Virginia State residents. Although Virginia is one of many states to have introduced privacy legislation in recent months, only California has actually enacted privacy legislation into law. If the Virginia Privacy Law passes, Virginia will become the second state in the nation with a comprehensive privacy law.

What Does the CDPA Require? 

Compliance with the CDPA

The CDPA would apply to people and businesses that "conduct business in the Commonwealth" or "produce products or services that are targeted to" Virginia State residents and: 1) "control or process personal data of at least 100,000" Virginians during a calendar year; or 2) "control or process personal data of at least 25,000 [Virginians] and derive over 50 percent of gross revenue from the sale of personal data." Importantly, the CDPA contains a number of exemptions, and will not apply to the State or any of its political subdivisions, financial institutions subject to the Gramm-Leach-Bliley Act, non-profit organizations, institutes of higher education, or entities otherwise covered by HIPAA. Despite these exemptions, the proposed Virginia Privacy Law will still apply broadly and cover many businesses that deal with large amounts of consumer data, specifically marketers.

Under the proposed Virginia Privacy Law, covered businesses must obtain consumer consent before processing or using consumer personal data. Moreover, consumers must be informed of the purpose for which their personal data is being collected, and businesses will be prohibited from using personal data for any undisclosed purpose. The CDPA defines "personal data" broadly to include any information that is linked to or could reasonably be linked to an individual. Importantly, de-identified or publicly available information is excluded from the definition of personal data.

The CDPA includes a number of consumer privacy rights that mimic those found in the California Consumer Privacy Act ("CCPA") and the EU's General Data Privacy Regulation ("GDPR"). For example, the Virginia Privacy Law affords consumers the right to access their personal data, correct any inaccuracies, and request complete copies of their personal data from businesses. In addition, consumers can direct companies to delete their personal data. Lastly, the CDPA grants consumers the right to opt out of: 1) the processing of their personal data for targeted advertising; 2) the sale of their personal data; and 3) data profiling.

Virginia Privacy Law Enforcement

Once businesses receive a consumer's CDPA request, businesses must respond to the consumer within forty-five (45) days. Businesses are also required to establish a process for consumers to appeal responses that they disagree with. If a business denies an appeal, the Virginia Privacy Law also contains a mechanism for consumers to submit complaints to the Virginia Attorney General's Office. 

Unlike other proposed state privacy laws that we have written about, the CDPA does not include a private right of action for consumers. Rather, exclusive enforcement authority is vested in the Office of the Attorney General. The CDPA requires that thirty (30) days prior to initiating any action against a business, the Attorney General must provide written notice identifying the business's alleged violation(s). If the business does not cure the violation(s) within this thirty (30) day period, the Attorney General may commence an action seeking up to $7,500 in statutory damages per violation. 

Virginia is the latest in a growing number of states to introduce consumer privacy legislation. Many commentators expect that the Virginia Privacy Law is likely to pass in short order. Once signed into law by Virginia's governor, the CDPA would become effective on January 1, 2023. 

Businesses should monitor the CDPA and similar laws closely, as such measures will significantly impact how businesses are able to process and monetize consumer data in the future. 
