Virginia Enacts Consumer Data Protection Act
In March 2021, Virginia enacted the Consumer Data Protection Act (Virginia Act), making Virginia the only state other than California to enact comprehensive data privacy laws. Businesses operating in Virginia should review their current privacy policies and protocols to comply with the Virginia Act. Businesses will have time to prepare, as the new law will take effect on January 1, 2023.
The Virginia law includes many components similar to the California Consumer Privacy Act (CCPA), but also some notable differences.
Some notable similarities between the Virginia Act and the CCPA include:
Companies are required to give notice to consumers about how and why their data is collected.
Companies must provide consumers the option to 'opt out' of having their data used for marketing purposes.
A privacy notice to consumers is required that includes:
categories of personal data collected;
the purposes for which the personal data are used and disclosed to third parties;
the rights that consumers may exercise under the new law;
the categories of personal data that will be shared with third parties; and
the categories of third parties, if any, with whom the personal data will be shared.
Some notable differences between the Virginia Act and the CCPA include:
Organizations must undertake data protection and privacy impact assessments to determine if and where data security may be improved, although the Act does not specify how often they need to take place.
Unlike the CCPA, the Virginia Act has no revenue threshold that triggers obligations. Instead, it applies to entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents, and that either: (1) control or process the personal data of at least 100,000 consumers in one year, or (2) control or process the personal data of at least 25,000 consumers and derive at least 50% of gross revenue from the sale of personal data. Large corporations that do not meet either of these criteria will not be required to comply with the Virginia Act.
Unlike the CCPA, the Virginia Act excludes employees in its definition of consumer, and therefore does not apply to employee personal data.
The Virginia Act also does not include a private right of action; enforcement falls solely to the Attorney General of Virginia. Businesses in violation are allowed a 30-day period to cure any violation before the Virginia Attorney General can initiate an action.