Support Centre

Virginia

Summary

Law: Consumer Data Protection Act ('CDPA')

Regulator: The Virginia Attorney General ('AG')

Summary: Each chamber of the Virginia General Assembly passed companion bills for the Consumer Data Protection Act ('CDPA'), each of which has been signed by the State Governor and incorporated into the Code of Virginia. The CPDA regulates privacy and data protection matters in Virginia by establishing new definitions, and conferring several rights on consumers including access, correction, deletion, portability, and opt-out rights. Furthermore, the CDPA establishes obligations on controllers and processors including rules regarding Data Protection Impact Assessments and the processing of de-identified data. The CDPA will enter into effect on 1 January 2023.

In addition to the CDPA, the Personal Information Privacy Act restricts the sale of personal information of customers by merchants as well as the use of social security numbers. Moreover, under Virginia's personal information breach notification law (§18.2-186.6 of the Code of Virginia), a personal data breach must be notified to affected consumers and to the AG and nationwide consumer reporting agencies, when the notification is provided to more than 1,000 persons. Specific protections are applicable in relation to health, employment, and financial information. Additionally, the Virginia Telephone Privacy Protection Act outlines prohibitions for solicitation calls when a person has previously stated that they do not wish to receive the call.

Insights

Virginia continues to emerge as a leader on privacy legislation passing a new genetic data privacy law which goes into effect on 1 July 2023. Beth Waller, from Woods Rogers Vandeventer Black, and Scott Bauer dissect the genetic data privacy law, covering its main definitions, scope, and provisions, as well as highlighting how it fits within the broader privacy legislation landscape.

Virginia's Consumer Data Protection Act ('CDPA') is unique in the current US state law privacy patchwork both for its simplicity and direct approach to privacy. Beth Waller and John Pilch, from Woods Rogers PLC, compare the CDPA with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the California Consumer Privacy Act as amended by the California Consumer Rights Act ('CCPA').

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws, whereas part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms, whereas part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws.

Just as the Gramm-Leach-Bliley Act of 1999 ('GLBA') permits US states to extend greater protections than afforded by the same, states can also choose to exempt GLBA-regulated entities from compliance with state privacy statutes. In this Insight article, David Zetoony and Jena Valdetero, from Greenberg Traurig LLP, discuss how the California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA') apply to financial institutions, whilst also drawing comparisons to other state privacy statutes' exemptions for financial institutions.

Over the past few months, there has been an increased interest in consumer privacy laws across the US, with the states of Virginia, Utah, Colorado, California, and Connecticut having recently enacted comprehensive privacy legislation that will enter into effect in 2023. The enactment of these laws means that organisations in the US are subject to new privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.

Both the California Privacy Rights Act of 2020 ('CPRA') and the Virginia Consumer Data Protection Act ('CDPA') will come into force on 1 January 2023. The Colorado Senate Bill 21-190 for the Colorado Privacy Act ('CPA') and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') will take effect on 1 July 2023, whereas the Utah Consumer Privacy Act ('UCPA') will enter into force on 31 December 2023. Though the aforementioned laws do not expressly refer to the use of cookies, many of their requirements (for example, in relation to disclosure) apply to the use of cookies – and organisations should therefore familiarise themselves with these requirements.

In this Insight article1, we examine the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California, and Connecticut where they affect cookies, with a view to mapping out a possible harmonised approach to compliance.

House Bill ('HB') 2307 to Amend the Code of Virginia by adding in Title 59.1 a Chapter Numbered 52, Consisting of Sections Numbered 59.1-571 - 59.1-581, relating to the Consumer Data Protection Act ('CDPA'), and its State Senate companion bill 1392 were both signed, on 2 March 2021, by the Virginia State Governor.

With Governor Northam having signed the CDPA, Virginia is the second state behind California to create sweeping consumer data privacy protections. The CDPA will enter into effect on 1 January 2023.

Coming in fourth place in the race to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act ('UCPA) passed through the Utah Senate and House unanimously on 25 February and 2 March 2022 respectively. Three weeks later, on 24 March, Utah Governor Spencer Cox signed Senate Bill ('SB') 227 making it the fourth comprehensive State consumer privacy law in the US.

With an effective date of 31 December 2023, the UCPA joins the Colorado Privacy Act ('CPA'), the Virginia Consumer Data Protection Act ('CDPA'), and the California Consumer Privacy Act of 2018 ('CCPA') (effective now) and the California Privacy Rights Act of 2020 ('CPRA'), which all go into effect in 2023. Of course, in the spirit of US privacy law's rapid development, even at the publication of this Insight article, a fifth consumer State privacy law has just been signed in Connecticut, with similarities and small differences to its four predecessors. Samantha Ettari, Gabriella Gallego, Naa Kai Koppoe, Ellen Choi, and Charlotte Kress, from Perkins Coie, compare the content of the UCPA to the three other States where comprehensive State privacy laws have been passed.

Utah recently became the fourth U.S. State to pass comprehensive data privacy legislation, joining California, Colorado, and Virginia. The Utah Consumer Privacy Act ('UCPA') was signed into law on 24 March 2022. The UCPA will enter into force in December 2023, at the same time as California's second comprehensive privacy law - the California Privacy Rights Act of 2020 ('CPRA'), Colorado's privacy legislation - the Colorado Privacy Act ('CPA'), and Virginia's privacy law - the Virginia Consumer Data Protection Act ('CDPA'). Clifford F. Blair and Rachel Naegeli, from Kirton McConkie, compare the enforcement provisions of these four States' privacy statutes.

On 24 March 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act ('UCPA') into law, making Utah the latest State to adopt comprehensive privacy legislation. The UCPA - along with the California Privacy Rights Act of 2020 ('CPRA'), the Colorado Privacy Act ('CPA'), and the Virginia Consumer Data Protection Act ('CDPA') - make up a new wave of laws going into effect in 2023 ('the 2023 Laws') that will reshape the privacy landscape in the US.

The UCPA tracks closely with the CDPA, and it is unlikely to drastically impact the compliance regime for businesses subject to the other 2023 Laws or the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, the UCPA does include certain differences, largely in ways that narrow its application and lessen the burdens on controllers. In this sense, the UCPA may become a new model for more States that tend to lean more conservative and pro-business. In this article, Gregory Szewczyk, Partner at Ballard Spahr LLP, explores some of these differences.

Virginia's Consumer Data Protection Act ('CDPA'), which takes effect from 1 January 2023, is both brief and direct. Controllers, defined in the CDPA as 'the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data', play a central role in protecting consumer data. John Pilch, Cybersecurity/Privacy Analyst at Woods Rogers, describes the obligations of controllers under the CDPA, including adherence to basic principles, providing notices to consumers, enabling the exercise of consumer rights, establishing appropriate contracts with processors, and preparing data protection assessments.

Feedback