This post was written by Jessica Mozingo.
On March 2, 2021, Virginia became the second state in the United States to enact major privacy legislation, following California. The governor signed the Consumer Data Protection Act into law, which will become effective on January 1, 2023.
The new privacy law will apply to all persons that conduct business in Virginia and either:
- control or process personal data of at least 100,000 consumers, or
- derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
The omnibus law provides a comprehensive framework for controlling and processing the personal data of Virginia residents. It gives Virginia residents the rights to access, correct, delete and obtain a copy of their personal data, and to opt out of the processing of personal data for the purposes of targeted advertising. It also includes requirements relating to data minimization, processing limitations, data security, non-discrimination and third-party contracting, as well as requirements for data processors.
Though similar in many ways to the California Consumer Protection Act (CCPA) and the EU General Data Protection Regulation (EU GDPR), the Virginia privacy law has notable differences from both. For instance, it does not apply to state or local governmental entities, and it exempts certain types of entities, data and information governed by federal law, including financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), nonprofits and institutions of higher learning, along with certain data-specific and context-specific exemptions. In addition, there is no private right of action for violations. The Attorney General has sole authority to enforce the law; following a 30-day cure period, violations could subject entities to fines of $7,500 per violation.