The Virginia Consumer Data Protection Act Will Go Into Effect in 2023 – Businesses Must Be Prepared to Comply

Virginia is poised to become the second state in the United States to pass a comprehensive privacy law that can rival the European Union and California’s privacy laws.  The new privacy law in Virginia does not take effect until January 1, 2023, which will give companies operating out of Virginia plenty of time to comply or decide whether they want to move out-of-state.  

New Virginia Law Compares to California’s CCPA  

The Virginia Consumer Data Protection Act protects consumer privacy rights in much the same manner that the California Consumer Privacy Act (“CCPA”) passed in California in 2018 does.  For instance, it grants consumers in Virginia new rights in regard to their personal and sensitive information, which includes for example, the right to know, the right to delete, the right to correct, and the right to opt-out.  It also requires companies to disclose information and responds to consumer-inquiries regarding their personal information.  Under the Virginia Consumer Data Protection Act, consumers have the right to know whether their personal data is being processed by a controller.  Likewise, consumers will be able to request a copy of their personal data under the new law.  

The new privacy law applies to any business that produces “products or services that are targeted to Virginia residents,” or that “derive at least 50% of their revenues from the sale and processing of consumer data of at least 25,000 customers.”

Scope of the Virginia Consumer Data Protection Act

While the scope of the Virginia Consumer Data Protection Act is quite far-reaching, some critics of the law find, however, that the new privacy law is a bit too friendly to businesses and industry in comparison to the CCPA.  For example, the Virginia Consumer Data Protection Act completely precludes private right of actions from being filed.  Moreover, industry-friendly exemptions are issued to companies for a wide variety of reasons.  The exemption may be based on data, meeting certain revenue thresholds, financial institutions subject to GLBA, because they are HIPAA-covered entities and business associates, or because they are human resources related data-processing companies.  The law also exempts not-for-profit and higher education institutes, although this is not surprising. 

Lastly, the new law will require that controllers conduct and document a data protection assessment of: (1) the processing of personal data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for purposes of profiling; (4) the processing of sensitive data; and (5) any processing activities involving a heighted risk of “harm” to consumers.  The new law also adopts the European Union’s GDPR’s definition of consent, which must be a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement.”

Key Takeaways About the Virginia Consumer Data Protection Act

Virginia is poised to pass the second most comprehensive consumer privacy law in America.  This means that:

• companies can expect GDPR-like restrictions to come into effect in Virginia;

• Virginians will be granted numerous new rights when it comes to controlling their personal data; and

• companies should evaluate whether they want to continue to conduct business in Virginia under these new laws.

For more information on data privacy, see our Technology & Data Legal Services and Industry Focused Legal Solutions pages.

You may also be interested in: