Virginia Contemplates Sweeping New Data Protection Law

February 4, 2021
Hinshaw Privacy & Cyber Bytes

* Update, March 2, 2021: Governor Ralph Northam today signed the Consumer Data Protection Act into law, making Virginia the second state in the nation to pass a comprehensive privacy regulation after California. The Act goes into effect on January 1, 2023.

* Update, February 5, 2021: Senate Bill 1392 has been passed in the Virginia Senate. As noted, an identical companion bill previously was passed by the House of Delegates. If Governor Northam signs off, the Virginia Consumer Data Protection Act will go into effect on January 1, 2023.

A comprehensive data protection and privacy bill, titled the Consumer Data Protection Act, has been introduced in the Virginia state senate. With notable exceptions, the proposal contains privacy and cybersecurity provisions similar to those contained in the California Consumer Privacy Act, the California Privacy Rights Act, and the E.U.'s General Data Protection Regulation.

The bill would create a number of personal data rights for consumers. Under the bill, "consumer" is defined as "a natural person who is a resident of the Commonwealth acting only in an individual or household context," excluding persons "acting in a commercial or employment context." Personal data means "any information that is linked or reasonably linkable to an identified or identifiable person."

The proposed law would give consumers the right to:

Among other obligations, data controllers would be required to:

Controllers also would be required to implement "reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data" and to conduct and document a "data processing assessment" for certain types of processing activities, including the processing of personal data for targeted advertising, the sale of personal data, and the processing of sensitive data.

Importantly, unlike California law, there is no private right of action in the proposed Virginia law; only the Attorney General would be empowered to bring an enforcement action. The bill provides for a 30-day cure period for violations identified by the Attorney General. Continuing violations would be subject to maximum damages of $7,500 per violation, as well as a civil penalty up to $7,500 per violation, in a civil action brought by the Attorney General. All collected civil penalties would be paid into a new Consumer Privacy Fund, which would be used to support the Attorney General's enforcement work.

The bill has moved through the Senate Committee on General Laws and Technology and was referred to the Senate Finance Committee on January 27, 2021. A companion bill was passed in the House of Delegates on January 29, 2021. If enacted, the law would go into effect on January 1, 2023.