On March 2, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA), becoming the second U.S. state to enact a comprehensive privacy law (Nevada has enacted an online privacy law, albeit with a narrower scope). As we have previously explained, the VCDPA follows the framework established by the Washington Privacy Act. We recently compared Virginia’s law against other key state privacy frameworks.
In sum, the VCDPA provides consumers with certain rights in their personal data: access, correction, deletion, data portability, opt out (of targeted advertising, sale, or certain profiling). The law also imposes a series of obligations on data controllers and processors, including notice requirements, limits on collection and use, and requirements related to data subject requests, data protection assessments, and data processing agreements.
However, the VCDPA includes several potentially relevant exemptions, including for entities subject to federal laws such as HIPAA and GLBA. In addition, the law’s scope has some important limitations. For example, the VCDPA does not apply to individuals “acting in a commercial or employment context”—meaning employee and business-to-business data appear to fall outside the law’s scope.
The VCDPA’s substantive provisions will not go into effect until January 1, 2023, and the law clarifies that its requirements related to data protection assessments are not retroactive. The law explicitly states that it does not provide a private right of action. Instead, the Virginia Attorney General has exclusive authority to enforce its provisions by seeking injunctive relief and civil penalties of up to $7,500 per violation, subject to a 30-day cure period. The law does not provide the Attorney General with express rulemaking authority.
Consideration of comprehensive privacy laws continues in other state legislatures, although some are nearing the end of the legislative session. For example, in Utah SB 200, titled the Consumer Privacy Act, passed out of Senate committee but has yet to be voted on by the whole Senate. The legislative session is scheduled to end on March 5.