On March 2, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA), becoming the second U.S. state to enact a comprehensive privacy law (Nevada has enacted an online privacy law, albeit with a narrower scope).  As we have previously explained, the VCDPA follows the framework established by the Washington Privacy Act.  We recently compared Virginia’s law against other key state privacy frameworks.

In sum, the VCDPA provides consumers with certain rights in their personal data: access, correction, deletion, data portability, opt out (of targeted advertising, sale, or certain profiling).  The law also imposes a series of obligations on data controllers and processors, including notice requirements, limits on collection and use, and requirements related to data subject requests, data protection assessments, and data processing agreements.

However, the VCDPA includes several potentially relevant exemptions, including for entities subject to federal laws such as HIPAA and GLBA.  In addition, the law’s scope has some important limitations.  For example, the VCDPA does not apply to individuals “acting in a commercial or employment context”—meaning employee and business-to-business data appear to fall outside the law’s scope.

The VCDPA’s substantive provisions will not go into effect until January 1, 2023, and the law clarifies that its requirements related to data protection assessments are not retroactive.  The law explicitly states that it does not provide a private right of action.  Instead, the Virginia Attorney General has exclusive authority to enforce its provisions by seeking injunctive relief and civil penalties of up to $7,500 per violation, subject to a 30-day cure period.  The law does not provide the Attorney General with express rulemaking authority.

Consideration of comprehensive privacy laws continues in other state legislatures, although some are nearing the end of the legislative session.  For example, in Utah SB 200, titled the Consumer Privacy Act, passed out of Senate committee but has yet to be voted on by the whole Senate.  The legislative session is scheduled to end on March 5.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.