Virginia Approves Consumer Data Privacy Law, with Other States Soon to Follow
Virginia is now the second state (behind California) to enact legislation that grants data privacy rights to consumers. On Tuesday, Virginia Governor Ralph Northam signed into law the Consumer Data Protection Act (“CDPA”), which creates new guidelines for how businesses collect and use consumer personal data. The CDPA grants the Virginia Attorney General the authority to impose penalties up to $7,500 per violation on noncompliant businesses. The CDPA will go into effect on January 1, 2023.
The CDPA applies only to certain organizations that collect Virginia residents’ personal data. In particular, the new law applies to for-profit organizations that conduct business in Virginia or produce products or services that target Virginia residents, and that either (i) control or process the personal data of at least 100,000 consumers or (ii) control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data. The CDPA defines personal data broadly as “any information that is linked or reasonably linked to” an identifiable person. The CDPA does not apply to personal data concerning an individual acting in a commercial or employment context.
In comparing the CDPA to its California counterpart, the California Consumer Privacy Act (“CCPA”), it is important to note that while the two laws are similar in their establishment of data privacy rights, they differ in several substantial ways, resulting in the next piece of what is likely to be a complicated patchwork of conflicting state privacy legislation. For example, Virginia’s CDPA differs from the CCPA in that the CDPA adopts language and data assessment requirements that are more on par with the European Union’s General Data Protection Regulation (“GDPR”).
The CDPA also leaves enforcement of the law completely up to the state attorney general, whereas the CCPA provides a private cause of action for consumers to seek enforcement directly. Additionally, while the CCPA limits data requests to what the company has collected from consumers in the past 12 months, the CDPA does not restrict how far back in time consumers can go when asking for a copy of their personal data. Virginia-based businesses should begin reevaluating their mechanisms for collecting and retaining consumer data to ensure that they will be compliant with the CDPA once it goes into effect.
In the coming weeks, Florida, Minnesota, and Washington are also likely to codify legislation related to the protection of consumer data and privacy rights. Each of these proposed bills is different, with Florida’s modeled along the lines of the CCPA, and Minnesota’s and Washington’s looking more like the CDPA. For businesses with nationwide operations, it will be increasingly important to have a strong privacy and data security compliance program in place to address overlapping, and potentially conflicting, state-specific obligations.
We will continue to monitor developments regarding cybersecurity and data protection and provide updates as available.