The Virginia Consumer Data Protection Act (“VCDPA”) Work Group has issued its 2021 Final Report. The final report, which is based on the six Work Group meetings between June and October 2021, summarizes information presented at the meetings on topics such as enforcement, definitions and rulemaking authority, as well as consumer rights and education.  We summarize some of the comments below.

Enforcement:

• The OAG requested the authority to pursue actual damages, should they exist.
• The OAG recommended that an “ability to cure” option be available for violations where a cure is possible; whereas, consumer groups advocated for a sunset of the “right to cure” provision.

Definitions and Rulemaking:

• Commenters raised concerns with the definitions of “sale,” “personal data,” “publicly available information,” and “sensitive personal information” in the VCDPA.
• The report noted that the VA legislature could consider directing an agency to promulgate regulations, in light of the OAG’s comment that the VCDPA currently does not allow the OAG to promulgate regulations. Such a rulemaking process could cover, for example, the definitions of “sale,” “personal data,” “publicly available information,” and “sensitive data.”

Consumer Rights:

• One commenter requested that the Work Group consider requiring “companies to honor a global opt-out setting as a single-step for consumers to opt out of data collection.” (Notably, however, the VCDPA does not provide any opt out for data collection.)
• Another commenter suggested that the Work Group amend the “right to delete” provision to be a “right to opt out of sale.”

Delegate Hayes and Senator Marsden are expected to present the official recommendations of the Work Group during the upcoming session of the General Assembly. The Virginia state legislature is scheduled to reconvene on January 12, 2022.