On February 5, 2021, the Virginia Senate unanimously approved Senate Act 1392, entitled the Consumer Data Protection Act, after the House of Delegates passed an identical House bill by a vote of 89-9. Each bill is expected to be taken up next week in the opposite chamber’s committee, which offers additional opportunities for changes. Minor, clarifying changes will likely be added in committee, but are not expected to change the main components of the bill. The Virginia General Assembly will adjourn sine die on March 1, and until then the legislature must settle the details of the legislation. Virginia Governor Ralph Northam could sign the bill later in March. Notably, the governor has line-item veto power, so the bill may be changed even after the General Assembly has passed it.
If enacted, Virginia would be the second state to adopt a major data protection law of general application, following the 2018 California Consumer Privacy Act (“CCPA”). The bill would create a comprehensive framework for the control and processing of personal information of Virginia residents and would go into effect on January 1, 2023. In addition, Virginia residents would be given certain rights in relation to their personal information, including rights of access, correction, deletion, portability, the right to refuse certain processing, and the right to appeal against a controller’s decision on a legal petition. The bill would also include requirements related to data minimization, processing restrictions, data security, non-discrimination, contracting with third parties and data protection assessments, and would place certain requirements directly on companies that process data on behalf of a data controller.
If you are familiar with the CCPA and the EU General Data Protection Regulation (“GDPR”), some of these concepts will likely sound familiar to you. However, this law would not mirror either the CCPA or the GDPR. In particular, the law would include a number of entity-level exceptions, such as exceptions for financial institutions (or data) subject to GLBA and for HIPAA covered entities and business associates, as well as some data- and context-specific exceptions, such as an exception for HR-related data processing.
The Virginia attorney general would have exclusive enforcement powers, and the bill would not provide for private litigation. The attorney general would have to give 30 days’ notice of violations and allow an opportunity to cure them. For uncured violations, the attorney general can file a lawsuit for $7,500 per violation.