Virginia Enacts Second State Data Privacy Law

On March 2, 2021, Virginia became the second state, joining California, to enact a comprehensive consumer data privacy law. Scheduled to take effect on January 1, 2023, the Virginia Consumer Data Protection Act (CDPA) borrows concepts from both the California law and the European Union General Data Protection Regulation.
Like most American privacy laws, the CDPA primarily takes a notice and choice approach. Much of it will be familiar to those acquainted with the California (the initial law, and as further revised and enhanced by 2020 referendum) and European laws, but the Virginia law contains several unique provisions. Entities that already comply with the California or EU laws should be able to comply more easily than companies not currently subject to such laws.

Highlights of the Virginia law include:

• It applies only to “consumer” personal information. Information about someone in their role as an employee or business contact is not subject to the CDPA.
• The law applies to for-profit businesses or persons doing business in Virginia or that produce products or services targeted to Virginia residents that meet one of two thresholds: they control or process personal data of either: (1) 100,000 consumers or (2) of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of that data. Like the California law, the CDPA law does not specify that only in-state residents count towards the threshold.
• Certain categories of personal data, and certain types of entities, are exempt, typically those covered by other laws.
• A right to “opt-out” of processing of personal data for targeted advertising, for profiling in furtherance of decisions have legal or similar significant effects, and of sales of personal data. This is broader than the “opt-out” right under California law;
• “Opt-in” consent to sales of “sensitive’ personal data;
• Special requirements appliable to “sales” of consumer data to unaffiliated third parties, including a consumer’s right to opt-out.
• A requirement for data protection assessments before certain processing;

The CDPA assigns enforcement responsibility to the state Attorney General. There is no private right of action. Violations are subject to fines of up to $7,500 per violation, and thus far, what constitutes a “violation” is undefined. However, as under the California law, entities will have an opportunity to cure a violation within 30 days after being notified of a violation by the Attorney General and, if so, it will not be subject to a damages action.

As noted above, the law takes effect on January 1, 2023. Entities not already subject to the GDPR or the California law may find coming into compliance requires considerable effort, and should not wait until late 2022 to do so.

For more information, please contact William Baker at wbaker@potomaclaw.com or Douglas G. Bonner at dbonner@potomaclaw.com.

Note: This publication is distributed with the understanding that the author, publisher and distributor of this publication and/or any linked publication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.