On February 18, 2021, the Virginia House of Delegates passed Senate Bill 1392, the Consumer Data Protection Act (CDPA), a comprehensive privacy bill that creates many of the same consumer rights afforded by the California Consumer Privacy Act (CCPA). Virginia is the first state to pass comprehensive privacy legislation since California enacted its privacy measure.
The bill grants consumers rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of the processing of personal data for purposes of targeted advertising. The bill also details obligations for data controllers and processors, such as requiring controllers to conduct data protection assessments.
The law would be enforced exclusively by the attorney general, and would go into effect on January 1, 2023.
Update: On Tuesday, March 2, 2021, Virginia Governor Ralph Northam signed the Consumer Data Protection Act, making Virginia the second state in the U.S. to pass a comprehensive data privacy law.
On February 18, 2021, Virginia became the first state legislature to pass comprehensive data privacy legislation since California passed its landmark privacy measure.
Like the California law, the Virginia Consumer Data Protection Act (CDPA) would grant consumers rights over their own personal data, but it differs in certain other key ways, such as who and what would be covered. The California Consumer Privacy Act (CCPA) applies to businesses that have at least $25 million in annual revenue, possess the personal data of 50,000 or more consumers, or earn at least half of their revenue from selling personal data. Virginia's CDPA would apply to any business that controls or processes the personal data of at least 100,000 consumers, or of at least 25,000 consumers if over half of its revenue is derived from the sale of personal data, with no annual revenue threshold. Unlike California's expansive definition of "consumer", the CDPA defines consumers as residents "acting only in an individual or household context", carving out business-to-business communications and employee data. The bill also exempts certain health information protected under HIPAA.
The Virginia CDPA would also impose obligations on data controllers, requiring them to:
Limit the collection of personal data to what is reasonably necessary for the purpose for which such data is processed;
Establish and maintain data security practices;
Provide consumers with a clear privacy notice;
Conduct and document a data protection assessment of certain processing activities; and
Take reasonable measures to ensure de-identified data cannot be associated with a natural person, publicly commit not to re-identify such data, and contractually obligate recipients of the de-identified data to comply with the same restrictions.
Data processors would be required to adhere to a controller's instructions so that the controller can comply with the law. There would be no private right of action; instead, the state attorney general is expected to create a new office to enforce compliance, with a budget of $400,000 per year supplemented by fines collected for noncompliance. Last week the bill was amended to create a working group to review the implementation of the law. Governor Ralph Northam (D) has until 30 days after the end of the special session, which ends March 1, to act on the bill, and is expected to sign it.
The Virginia law could put more pressure on Congress to pass a federal privacy law, and given the current political landscape, some in the advocacy community think this could be the best year for that to happen. Washington state already has two major comprehensive bills in the works after nearly passing legislation in 2020, and 14 additional states have introduced legislation this session. Supporters of a federal solution continue to be wary of a patchwork of state laws, which could make preemption a more contentious political question.