Virginia Could be Next State to Add Major Consumer Privacy Bill


Following California’s lead with its California Consumer Privacy Act (CCPA), Virginia has unveiled two bills, one in its House of Delegates and one in its Senate. Each was approved by its own chamber and sent to the other for approval.

Both bills “establish[] a framework for controlling and processing personal data” in Virginia. Accordingly, the bills “appl[y] to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.” The bills specifically detail responsibilities and standards for privacy protection for data controllers and processors. The bills also give consumers the “rights to access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data for the purposes of targeted advertising.”

The proposed bills do not apply to state or local government entities and have exceptions for certain types of data and information governed by federal law. Additionally, the bills give the Attorney General exclusive authority to enforce violations; the Attorney General will provide 30 days’ notice of violation so that the controller/processor can remedy it. The bills also create the Consumer Privacy Fund to further this effort. If enacted, the bills would not go into effect until January 1, 2023.

The proposed changes define “consumer” as “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.” Additionally, “personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person”; it “does not include de-identified data or publicly available information.” Lastly, “Sale of personal data” is defined as “the exchange of personal data for monetary consideration by the controller to a third party.” The bills note that “Sale of personal data” excludes:

  • “The disclosure of personal data to a processor that processes the personal data on behalf of the controller”;
  • “The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer”;
  • “The disclosure or transfer of personal data to an affiliate of the controller”;
  • “The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience”; or
  • “The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.”

Other entities exempt from the proposed bills include financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act; a “covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services” pursuant to HIPAA; as well as non-profit organizations and higher education institutions. The proposed bills also exempt some data like HIPAA personal health data, FERPA data, employment-related data, and certain FCRA regulated data, among others. The proposed bills also provide other exemptions.

The bills require controllers to limit data collection to the data that is relevant and reasonably necessary, to use reasonable security practices to protect the data, not to discriminate against consumers, to obtain consumer consent, and to provide consumers with privacy notices for data collection, disclosure, etc. Controllers must also enter specified data processing agreements with data processors and perform data protection assessments.

HB 2307 passed the House on January 29 in an 89-9 vote; it is currently before the Senate. Meanwhile, SB 1392 passed the Senate in a 36-0-1 vote on Friday and was referred on Sunday to the House Committee on Communications, Technology and Innovation.