Virginia Passes Broad Consumer Data Protection Law

Much like other states that have followed California in passing data privacy legislation, Virginia has passed and signed into law the Virginia Consumer Data Protection Act.  Similar to California’s CCPA, Virginia’s law builds upon fair information privacy principles.

The law is intended to provide consumers with increased control over how their personal data is used.

It does not contain a revenue threshold.  Rather, it applies to all persons that conduct business in Virginia and either control or process data for at least 100,000 Virginians; or that make 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

Similar to CCPA, Virginia’s law defines “personal information” quite broadly.  It includes “any information that is linked or reasonably linkable to an identified or identifiable person,”  There are limited exceptions for specific types of data.  Importantly, unlike CCPA a “sale” is limited to  exchanges of personal data for monetary consideration.

Notably, the Virginia law imposes a number of changes regarding how Virginia consumer data is used.  For example, the law provides Virginians with a right to modify inaccurate information and to delete information.  Virginians will also have a right to know how their information is used or disseminated, and a right to opt-out of the utilization of their personal information for  targeted advertising purposes.

Also, targeted advertising must be disclosed “clearly and conspicuously.”  In the event that a consumer opts-out of targeted advertising, reasonable efforts must be made to communicate that to any third party recipients of the information.

The Virginia law also imposes various obligations on data controllers, similar to those set forth in the recently passed California Privacy Rights Act.  For example, data controllers are required to limit the collection of personal data to only what is reasonably required; are prohibited, without consumer consent, from processing “sensitive data;” and are required to provide  reasonably accessible and clear privacy notices describing how the organization collects, uses and disseminates personal information.

The new Virginia law also imposes various data security requirements upon data controllers, such as, without limitation, the implementation of “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”  Data controllers must also implement and document data protection assessments for specific types of processing, including, but not limited to, for targeted advertising.

Virginia’s new law becomes effective January 1, 2023.  There is no private right of action for consumers.  The new law shall be enforced by the Virginia Attorney General.  The law provides for a thirty day cure period for any violations.  Continuing violations shall be subject to maximum damages of $7,500 per violation, as well as civil penalties of up to $7,500 per violation.

Consult an experienced FTC defense lawyer to conduct data mapping and assessment regarding how your business collects, uses and disseminates personal information.

Richard B. Newman is an advertising practices attorney at Hinch Newman LLP.  Follow FTC defense attorney on National Law Review.

Informational purposes only. Not legal advice. May be considered attorney advertising.