Virginia is the latest state to shape the US privacy landscape, as its Consumer Data Protection Act (CDPA) is set to pass. The bill aims to increase the protection of consumers’ data and notably aims to establish new definitions for terms including precise geolocation data, profiling, targeted advertising, and the sale of personal data. 

Check out the video: USA State Privacy Bill Developments: What You Need To Know 

At present there are two versions of the bill, one in each chamber. The bill introduced in the Senate has passed the Senate and is waiting to be passed in the House, while the other has passed the House and is awaiting Senate approval. Once any differences in the bills are reconciled, the bill will be re-enrolled and examined before being sent to the governor to be signed into law. The governor’s signature is the final stage before the bill becomes law. The bill would enter into force January 1, 2023.

Who Will Virginia’s Consumer Data Protection Act Apply to?

Virginia’s Consumer Data Protection Act will apply to organizations that conduct their business in Virginia, or that produce products or services that are targeted to residents of Virginia and that meet one or more of the following requirements: 

  • Personal data of at least 100,000 consumers is processed during a calendar year 
  • Personal data of at least 25,000 consumers is controlled and processed, and the organization derives over 50% of gross revenue from the sale of personal data 

The definition of “consumer” in the bill is narrower than the definition used in the CCPA: it extends only to natural persons acting in an individual or household context. This definition excludes any natural person acting in a commercial or employment context. There is also a range of exemptions for financial institutions, businesses governed by HIPAA, non-profit organizations, and higher education institutions.

What Does Virginia’s Consumer Data Protection Act Look Like?

Below is an outline of some of the key aspects of Virginia’s Consumer Data Protection Act: 

  • Personal Data: The bill defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” 
  • Consumer Rights: The CDPA provides consumers with the right to opt out of “the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Consumers will also have the right to confirm if their data is being processed, to amend inaccuracies, to data deletion, and to data portability.
  • Data Protection Assessments: The bill would impose new obligations for assessments, including a requirement for data controllers to carry out data protection assessments of processing activities that involve personal data used for targeted advertising, the sale of personal data, profiling, the use of sensitive data, and the use of any data that presents a heightened risk of harm to consumers. 
  • Consent: Consent is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” Parallels can be drawn between this definition of consent and the definition used in the GDPR. 
  • Enforcement: The Attorney General will have the exclusive right to enforce the law, as there is no provision for a private right of action. The penalty for non-compliance may be up to $7,500 per violation. 

Virginia’s Consumer Data Protection Act is another key development in the US privacy landscape and poses a new set of compliance challenges for organizations. Stay up to date on the latest CDPA developments with the OneTrust DataGuidance What You Need To Know video, or request a demo to find out how OneTrust can support your privacy compliance. 
