On February 5, 2021, the state Senate of Virginia voted unanimously to approve Senate Bill 1392, titled the Consumer Data Protection Act, after the House of Delegates approved an identical House bill by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. Minor, clarifying amendments will likely be added in committee, but they are not expected to alter the main components of the bill. Virginia’s General Assembly will adjourn Sine Die on March 1, and legislators have until then to finalize the details of the legislation. Virginia’s Governor Ralph Northam would be in a position to sign the bill later in March. Notably, the Governor has line item veto authority, so the bill could also possibly be amended after it passes the General Assembly.

If enacted, Virginia would be the second state to enact major privacy legislation of general applicability, following the California Consumer Privacy Act (“CCPA”), which was enacted in 2018. The bill would establish a comprehensive framework for controlling and processing personal data of Virginia residents and would become effective January 1, 2023. It also would provide Virginia residents with certain rights with respect to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing, and the right to appeal a controller’s decision regarding a rights request. The bill also would include requirements relating to data minimization, processing limitations, data security, non-discrimination, third-party contracting and data protection assessments, as well as impose certain requirements directly on entities who process data on behalf of a controller.

If you are familiar with the CCPA and the EU General Data Protection Regulation (“GDPR”), some of these concepts likely sound familiar; however, this law would not mirror either the CCPA or the GDPR. Notably, the law would include a number of “entity-level” exemptions, such as exemptions for financial institutions (or data) subject to GLBA, HIPAA-covered entities and business associates, and would also include some “data/context” specific exemptions, such as an exemption for HR-related data processing.

The Virginia Attorney General would have exclusive enforcement authority and the bill would not provide a private right of action. The Attorney General’s office would need to provide 30 days’ notice of any violation and allow an opportunity to cure. For uncured violations, the Attorney General would be able to file an action seeking $7,500 per violation.