March 10, 2021

Virginia Enacts Second Privacy Law in the Nation

Burr & Forman

+ Follow Contact

Send

Embed

Burr & Forman

On March 2, 2021, Virginia’s Governor signed into law the Consumer Data Protection Act (“CDPA”). Virginia is the second state in the nation, after California, to enact a privacy law protecting the rights of individual consumers in Virginia to control their personal information. The CDPA goes into effect on January 1, 2023.

The CDPA does not apply to all businesses that serve or market to Virginia consumers. It applies to businesses that conduct business in Virginia or produce products or services that are targeted to Virginia residents, and that (a) during a calendar year, control or process personal data of at least 100,000 consumers or (b) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. CDPA § 59.1-572(A).

The CDPA shares a number of features with the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights and Enforcement Act of 2020 (“CPRA”), as well as the EU’s General Data Protection Regulation (“GDPR”), including providing consumers the general rights to:

Confirm whether a controller is processing a consumer’s personal data and to access such personal data;
Correct inaccuracies in the consumer’s personal data;
Delete personal data;
Obtain a copy of the consumer’s personal data in a portable form; and
Opt out of further processing of personal data for the purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

CDPA § 59.1-573(A)(1)-(5).

Additionally, the CDPA is similar to GDPR in that it creates a class of sensitive personal data, which includes:

Personal data revealing racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
The personal data collected from a known child; or
Precise geolocation data.

A business shall not process sensitive data concerning a consumer without the consumer’s consent. Also similar to GDPR, the CDPA requires data protection assessments of its processing activities involving personal data.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Burr & Forman

Contact + Follow

Elizabeth Shirley, CIPP/US, CIPM

+ Follow

less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Increased visibility
Actionable analytics
Ongoing guidance

Learn More

Published In:

CDPA

+ Follow

Consumer Privacy Rights

+ Follow

Cybersecurity

+ Follow

Data Collection

+ Follow

Data Management

+ Follow

Data Privacy

+ Follow

Data Protection

+ Follow

Information Governance

+ Follow

New Legislation

+ Follow

Personal Data

+ Follow

Personally Identifiable Information

+ Follow

State and Local Government

+ Follow

Virginia

+ Follow

Communications & Media

+ Follow

Consumer Protection

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Burr & Forman on:

Virginia Enacts Second Privacy Law in the Nation

Latest Posts

Written by:

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Published In:

Burr & Forman on:

"My best business intelligence, in one easy email…"