December 7, 2021

Volume XI, Number 341

Advertisement
Advertisement

December 06, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

Virginia Might Be the Next State to Enact a Privacy Law

The state of Virginia might be the next state to enact a privacy law. Senate Bill No. 1392 recently passed the Senate and is likely on its way to Governor Ralph Northam’s desk.  The bill adds the Consumer Data Protection Act to the Virginia Code and includes definitions of biometric data, precise geolocation data, profiling, sensitive data, and targeted advertising. The bill’s effective date is January 1, 2023.

The bill will apply to persons who conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth, and that (i) during a calendar year, control or process data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenues from the sale of personal data. The law would not apply to any state or local government agency, to financial institutions subject to the Gramm-Leach-Bliley Act, or to covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Consumer rights include the following:

  1. The right to know whether or not a controller is processing the consumer’s personal data and the right to access such personal data;

  2. The right to correct inaccuracies in the consumer’s personal data;

  3. The right to delete personal data provided by or obtained about the consumer;

  4. The right to data portability; and

  5. The right to opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The bill is designed to feature data controllers and data processors and organizes the rights and responsibilities of each according to those roles. There is no private right-of-action in this bill, as the Attorney General is charged with enforcing violations. The Attorney General will have the exclusive authority to enforce violations in the name of the Commonwealth or on behalf of individual persons residing in the Commonwealth.

Copyright © 2021 Robinson & Cole LLP. All rights reserved.National Law Review, Volume XI, Number 49
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Deborah A. George, Robinson Cole, Cybersecurity lawyer
Counsel

Deborah George is a member of the firm’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team.

Deb advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters.  She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as  drafting and reviewing contracts, business associate agreements, and data use agreements. ...

401.709.3363
Advertisement
Advertisement
Advertisement