Residents of the Commonwealth of Virginia have been given new rights over their personal data now that state Governor Ralph Norman has added his signature to the Virginia Consumer Data Protection Act (CDPA).
Virginia is the latest state to introduce new privacy legislation. 10 U.S. states introduced their own data protection laws last year, and many more are expected to follow including Minnesota, New York, Oklahoma, New York, and Washington, all of which have data protection and privacy laws pending.
The Virginia Consumer Data Protection Act is similar to the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) and gives Virginia residents equivalent rights over their personal data. The law also requires companies that do business in the state of Virginia or with Virginia residents to implement safeguards to protect the consumer data they collect or process. However, there are differences between all three of these acts, so compliance with one does not mean automatic compliance with the others.
The Virginia Consumer Data Protection Act applies to any business that controls or processes the personal data of at least 100,000 consumers in a calendar year, or the data of at least 25,000 consumers if the business derives 50% or more of its gross revenue from the sale of personal data, although there are many exceptions.
Entities required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA) are exempt, as are higher educational institutions, nonprofits, and any body, authority, board, bureau, commission, district, or Virginian agency or Virginian political subdivision.
The Virginia Consumer Data Protection Act requires covered businesses to implement appropriate safeguards to protect any personal data they collect, with personal data defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The collection and processing of personal data must be consistent with a business’s privacy policy and the reasons for which consent was given. Data collection should also be limited to that necessary to complete the purpose for which the information is collected.
Consent must be obtained before collecting and processing personal data, and consumers are given rights over the personal data held by a business. Virginia residents are given the right to view their own personal data held by a company, correct any errors, obtain a copy of their personal data, have their personal data deleted, and to opt out of data processing for targeted advertising purposes. Requests must be responded to within a reasonable time and an appeal can be made by consumers if a business as not responded to their request within 45 days.
In contrast to the CCPA, Virginia residents cannot take legal action over violations of their privacy rights under the Virginia Consumer Data Protection Act as there is no private cause of action. The Virginia Attorney General can enforce compliance but must provide a business with 30 days to correct any violations, after which fines of up to $7,500 per violation can be imposed if the noncompliance is not corrected.
Businesses have a fairly lengthy run in to the compliance date, as the Virginia Consumer Data Protection Act will not take effect until January 1, 2023.