Virginia is poised to become the second state to adopt a data privacy law. California led the way, first with the passage in 2018 of the California Consumer Privacy Act (CCPA) and, more recently, via voter approval in the November 2020 election of Proposition 24, the California Privacy Rights Act (CPRA).The Virginia Consumer Data Protection Act (CDPA) includes the following key provisions:
- New Consumer Private Rights: The CDPA grants consumers the right to access, the right to amend, and the right to delete personal data; the right to data portability; and the right "[t]o opt out of the processing of … personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer."
- Definition of "Personal Data": The CDPA defines "personal data" as "any information that is linked or reasonably linkable to an identified or identifiable natural person. 'Personal data' does not include de-identified data or publicly available information."
- Definition of "Sensitive Data": "Sensitive data," for which consumer or parental opt-in consent must be obtained before it is processed, is defined as a subset of "personal data" that includes (1) information "revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;" (2) "[t]he processing of genetic or biometric data for the purpose of uniquely identifying a natural person;" (3) "[t]he personal data collected from a known child;" and (4) "[p]recise geolocation data."
- Covered Entities: The CDPA "applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data."
- Enforcement: The CDPA exclusively authorizes the state attorney general to enforce its provisions via civil actions. There is no private right of action and covered entities are entitled to a 30-day cure period.
On February 3, the Virginia Senate unanimously passed SB 1392, identical companion legislation to HB 2307, which easily cleared the House of Delegates by a 89-9 vote on January 29. Should Governor Ralph Northam sign the bill into law, it would become effective on January 1, 2023.
I have argued in posts to the Free State Foundation Blog as well as Perspectives from FSF Scholars that what is needed is a single set of privacy rules that apply nationwide and preempt state laws. In the absence of federal legislation, however, we continue to see activity at the state level.