The Virginia bill would take effect on January 1, 2023. It would allow consumers to opt out of letting companies use their online data for various purposes, including marketing, as Virginia Business explains. Consumers would also be able to get copies of their online data and change or erase that information. The bill applies only to two groups of corporations: those that hold personal data for 100,000 or more consumers in Virginia and those that earn more than 50% of their income from selling the personal data of 25,000 or more consumers in Virginia.
Virginia’s Consumer Data Protection Act arrives more than two years after California passed its sweeping California Consumer Privacy Act (CCPA).
Cillian Kieran, CEO and founder of privacy compliance startup Ethyca, told AdExchanger that the Virginia law would probably apply to fewer businesses than its California predecessor. As other states and Congress mull their own privacy laws, one development to note is that Virginia’s law moved fast through the General Assembly, with broad-based bipartisan support. That’s according to WilmerHale attorneys Kirk Nahra and Ali Jessani, writing in Bloomberg.
The law isn’t ironclad. Indeed, it “includes an extraordinary number of exemptions,” write Nahra and Jessani. Banks, hospitals or even data analyst firms working for such institutions may be exempt under the law as written, according to the attorneys.
The Virginia measure’s definition of “sensitive data,” substantially borrowed from Europe’s General Data Protection Regulation, includes data revealing ethnic origin, sexual orientation, health and other sensitive facts, as well as genetic data, biometric data, and exact geolocation data. Nahra and Jessani write that many data elements treated as sensitive under the law are not currently treated that way in America. The law’s requirement of “consent” for processing “any” of this data, the attorneys add, “likely creates an untenable situation.”
As Ars Technica points out, Virginia would also not allow private citizens to sue for alleged violations of the law—only the attorney general would be able to advance claims.
Alabama, Arizona, Connecticut, Florida, and Kentucky have all begun moving forward on data privacy bills, notes Mintz attorney Cynthia Larose, writing in JD Supra. Plus, Consumer Reports has drafted a “Model State Privacy Act,” which is like CPRA, except with tougher restrictions on data sharing.