April 14, 2022
Virginia Governor Signs 3 CDPA Amendments into Law
2 Min Read
On April 11th, 2022, Virginia Governor Glenn Youngkin signed three bills amending the Virginia Consumer Data Protection Act into law.
The main stipulations these bills add to the existing state privacy law are:
- Adding a new exemption to the CDPA’s right to delete
- Repealing the Consumer Privacy Fund provision, and instead, direct penalties, expenses and attorney fees recovered enforcing the CDPA to a different fund
- Modifying the CDPA’s definition of a nonprofit
As the second state to pass comprehensive consumer data privacy protection legislation, Virginia has now finalized the CDPA coming into effect on January 1, 2023.
What do these amendments change in the Virginia CDPA?
Bill HB 381, covering the exemption to the right to delete, is expanded upon as follows:
Under this amendment, controllers that get personal data about a consumer from a source other than the consumer can fulfill a consumer’s request to delete in two new ways.
The first involves keeping a record of the request for deletion and retaining the minimum amount of information needed to ensure that the data remains deleted from controller’s records. Notably, this information cannot be used for any business purpose.
The second option has the controller opting the consumer out of the processing of this personal information for any purpose other than the relevant exceptions to deletion. These exemptions include maintaining information for legal or compliance purposes, and to protect against security and fraud issues.
The other two bills, SB 534 and HB 714, repeal the Consumer Privacy Fund.
They then state that the penalties, expenses, and fees collected from enforcing the Virginia CDPA should be paid to the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.
These bills also modify the definition of a nonprofit under the CPDA.
Nonprofits are now expanded to include political organizations and any organization exempt from taxation under the Internal Revenue Code.
What do the CDPA amendments mean for businesses?
With the signing of these amendments the CDPA is now finalized, allowing business to get a head start on compliance with a clear direction in mind.
As organizations map out their data policies and processes with the CDPA regulations in mind, the amendments regarding the exemption to delete and the modified definition of nonprofit are ones to note for businesses to maintain compliance from the start of 2023.