Virginia Becomes 2nd State to Enact a Comprehensive Consumer Privacy Law
On Tuesday, March 2nd, Virginia Governor Ralph Northam signed into law the Consumer Data Protection Act (CDPA), officially joining California as the second state with a comprehensive consumer privacy law, intended to enhance privacy rights and consumer protection for state residents. We provide an in-depth analysis of the CDPA here, along with legislative activity in several other states that seem likely to pass, including in Florida. The CDPA will take effect January 1, 2023, the same day as the California Privacy Rights Act (CPRA), which expanded the protections provided by the California Consumer Privacy Act (CCPA) and was approved by California voters under Proposition 24 in the November election.
Originally introducing the CDPA in the Virginia Senate, State Senator David Marsden highlighted,
It is time that we find a meaningful way of protecting the citizens of the Commonwealth of Virginia’s data .… Virginia is in a unique position to be a leader on this issue. There’s a huge amount of the data on the internet that flows through the commonwealth. Privacy is not a new issue.
Unsurprisingly, Virginia’s CPDA was modeled on the CCPA, CPRA, and the EU General Data Protection Regulation (GDPR). Key features of the CPDA include expansive consumer privacy rights (right to access, right of rectification, right to delete, right to opt out, right of portability, right against automatic decision making), a broad definition of “personal information”, the inclusion of a “sensitive data” category, and data protection assessment obligations for data controllers.
Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. As the International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” Since the start of 2021, at least 10 states have already introduced consumer privacy bills similar in kind to Virginia’s CDPA and the CCPA. And while some bills will likely fail to become law, this legislative activity is an indication of the priority states are placing on privacy and security matters as we move into 2021.
For more information on common features in the consumer privacy law landscape that should be considered when examining the effects of such laws on an organization, review our post on that topic. State consumer privacy legislative activity is only ramping up, and organizations across all jurisdictions need to be prepared.