In the coming days, Governor Ralph Northam is expected to sign into law the Virginia Consumer Data Protection Act, which, if enacted, will become effective on January 1, 2023. As a result, Virginia would become the second state in the United States to enact a holistic data privacy law that purports to regulate the collection, use, and disclosure of the personal data of its residents generally.
Overview and Quick Take
In many ways, the act is similar to the California Consumer Privacy Act (CCPA), the first holistic data privacy law in the U.S., and to the California Privacy Rights Act (CPRA), which was enacted by ballot referendum in November 2020. It also shares some concepts with the European Union’s General Data Protection Regulation (GDPR). However, it is sufficiently dissimilar to each of those laws that a business developing a compliance strategy for the act will not be able to rely solely on its previous compliance efforts under those laws.
It is clear that in drafting the act, Virginia legislators wanted to avoid some of the ambiguous provisions of the CCPA and CPRA. For instance, the act defines the sale of personal data as occurring only when monetary consideration is exchanged for personal data, which makes the analysis of when a “sale” occurs much simpler than under the CCPA or CPRA, each of which considers a sale to occur when personal information is exchanged for “money or other valuable consideration.”
However, the instances in which the act is clearer than the CCPA and CPRA are more than offset by the lack of detail regarding many of its key requirements. As an example, the act provides consumers with a right to access their personal data held by a controller. Similarly, the CCPA requires a business to provide a consumer with his or her personal information that the business has collected during the previous 12 months. The CPRA allows consumers to request the disclosure of personal information collected more than 12 months prior to the request, but a business only has to disclose personal information collected after January 1, 2022. The act provides for no limitations on the “look-back” period, which effectively puts the onus on controllers to weigh the benefits of continuing to retain aging personal data against the burdens of having to produce such personal data upon request.
We discuss below the key provisions of the act and note where they differ from requirements under similar laws, such as the CCPA and CPRA. It is unclear whether any clarifying regulations or rules will be promulgated in connection with the act.