
Data Privacy Law in Virginia Enhances Consumer Protections

As elsewhere, in Virginia there is growing public concern about the use of personal data online. In response to this concern, the state of Virginia passed a law enhancing data privacy rights for consumers. On March 2, 2021, Governor Northam signed into law the Virginia Consumer Data Protection Act (CDPA). The Act incorporates concepts from the EU’s General Data Protection Regulation (GDPR) and California’s two data privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It also could be a precursor to data privacy laws passed by other U.S. states in the near future.

Legislative Background of Data Privacy Law

The Virginia General Assembly voted to send the bill to Governor Northam’s desk for signing in March 2021. Although the newly signed law will not go into effect until January 1, 2023, companies should make preparations to get into compliance with Virginia’s privacy legislation and similar laws that are likely to follow.

Applicability and Key Data Privacy Provisions

Consistent with other data privacy laws, the Virginia Consumer Data Protection Act grants individuals certain rights. These include the right to access their personal data, correct misstatements, and request deletion of information. Consumers also have the right to opt out of the processing of personal data for use in targeted advertising.


Controllers, the entities that determine the purpose and means of processing data, have obligations to consumers. They include the obligation to inform consumers of their security measures and privacy practices. Aside from the data privacy focus, Virginia’s CDPA also imposes cybersecurity obligations and data protection assessments on controllers to enhance transparency. The law does not provide clear guidance beyond stating that companies must adopt “reasonable administrative, technical, and physical data security practices.”

Similarities to EU’s GDPR and California’s Legislation

The conceptual framework and certain language of the Virginia CDPA closely mirror the GDPR. For example, it uses the terms “controllers” and “processors” from the GDPR. The Virginia CDPA, like the GDPR and California legislation, also requires controllers to obtain consent from consumers before processing their “sensitive data”. Sensitive data includes categories such as precise geolocation data, genetic or biometric data, and sexual orientation.

Differences from EU’s GDPR and California’s Legislation

The legislature drafted the Virginia CDPA to have a narrower scope than that of the GDPR and CCPA. The definitions more explicitly prevent small businesses and non-profits from inadvertently being subject to the regulations.

Under the CDPA, personal data does not include “publicly available information” or other de-identified data. The new Virginia law also casts a wider net in defining what constitutes “publicly available information”. The CDPA’s definition encompasses not only government records but also “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.” This broader definition of “publicly available information” could exclude some information posted on social media platforms.

Additionally, unlike California’s legislation, the Virginia law does not have a private right of action. David Marsden, a sponsor of the bill in the Virginia Senate, noted that the lack of private lawsuit opportunities helps prevent “turning this law into another business.” This means that only the Attorney General of Virginia can bring enforcement actions for violations of the CDPA. An entity must cure a violation of the law within 30 days. Otherwise, the Attorney General can issue injunctions and impose civil penalties of up to $7,500 per violation.

Ryan Carpenter serves as Attorney and Managing Director of Carpenter Wellington. Ryan advises clients across a broad set of corporate and commercial matters.
