Rarely do Virginia and California fall into the same camp on legislation, but that may change with Virginia’s Consumer Data Privacy Act (the “Act”). The Virginia House of Delegates overwhelmingly passed the Act on January 29th, and the Virginia Senate passed an identical companion bill on February 3rd. If signed into law by Governor Northam, the Act would make Virginia the second state in the U.S. to enact sweeping consumer data privacy legislation.

The Act adopts consumer privacy concepts from the California Consumer Privacy Act (CCPA), the new California Privacy Rights Act (CPRA), and Europe’s General Data Protection Regulation (GDPR), including:

  • Definitions of “personal data”, “sensitive data,” and “consent”
  • Collecting personal data only for specific, legitimate purposes
  • Collecting only the data actually needed for the purpose
  • Privacy notice requirements
  • Rights of consumers to access, update, and delete their personal data, and to opt-out of certain data processing activities
  • Definitions of data controllers and data processors, their responsibilities, and the requirement that a contract be put in place between the two, governing privacy-related aspects of the relationship
  • Data Protection Assessment requirements

The Act continues the effort led by California to establish a uniquely American approach to privacy. This approach is seen in the Act’s:

  • Resistance to broad, overarching principles
  • Resistance to a comprehensive approach; instead, exempting personal data governed by other laws (HIPAA, GLBA, etc.)
  • Exempting business contact information and other personal data related to employees and contractors in their role as employees and contractors
  • Exempting photographs, videos, and audio recordings, and specifically stating that these are not “biometric data”
  • Exempting publicly available information

If signed into law, the Act will come into effect on January 1, 2023. Notably, it does not contain a private cause of action for a violation and instead leaves enforcement to be led by the Virginia Office of the Attorney General.

Passage of the Act in Virginia may be the tipping point for a federal privacy law. Other states, including Washington, Minnesota, New York, and Maryland have bills working through their legislatures but have not been able to move as fast as Virginia. Commonalities between the Act and the California laws may help resolve legislative disputes in those states.

The Woods Rogers Cybersecurity & Data Privacy Practice is monitoring this legislation and will provide updates on its progress. Regardless of geographic location, there is no question all businesses must be prepared to grapple with emerging and significant privacy legislation.