On March 2, 2021, the Governor of the Commonwealth of Virginia signed into law the Consumer Data Protection Act, which contains many elements of California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). The new law goes into effect on January 1, 2023.

But first, you need to determine whether the law applies to your business. The law begins:

This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Importantly, note the new law’s definition of consumer: “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.” (As context for our international readers, the U.S. Census Bureau reported that the population of Virginia in 2019 was approximately 8.5 million people.)

The new law also expressly does not apply to any:

  • financial institution or data subject to Gramm- Leach-Bliley Act);
  • covered entity or business associate governed by HIPAA;
  • nonprofit organization; or
  • institution of higher education.

The new law also exempts 14 types of information and data, including:

  • Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law;
  • Data processed or maintained (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role; (ii) as the emergency contact information of an individual under this chapter used for emergency contact purposes; or (iii) that is necessary to retain to administer benefits for another individual relating to the individual under clause (i) and used for the purposes of administering those benefits.The new law also includes requirements relating to privacy policies and agreements with processors. It also requires that controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.”

Similar to CCPA, there is no private right of action. Unlike CCPA, there are no statutory damages for a breach of security standards, and the new law states that “Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.” Only the Virginia Attorney General can enforce the law. After a 30-day notice and cure period, the Attorney General can bring an action for an injunction or civil penalties of up to $7,500 for each violation.

The new law applies to “personal data,” broadly defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” “Personal data” does not include de-identified data or publicly available information. The new law also uses the GDPR concepts of “controller” and “processor.” Consumers will have rights similar to GDPR and CCPA: the right to access personal data that the controller is processing, the right to correct data; the right to delete information provided by the consumer or about the consumer; the right to obtain a readily portable copy of the data; and the right to “opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”