May 12, 2021

Volume XI, Number 132

Advertisement

May 12, 2021

Subscribe to Latest Legal News and Analysis

May 11, 2021

Subscribe to Latest Legal News and Analysis

May 10, 2021

Subscribe to Latest Legal News and Analysis

Virginia’s Data Privacy Legislation Is One Step Closer To Becoming Law

Virginia took one step closer the end of last week to becoming the second state with its own comprehensive data privacy legislation, as the Virginia General Assembly voted to send the Consumer Data Protection Act (“CDPA”) to the desk of Governor Ralph Northam.  Governor Northam has previously expressed support for the measure and is expected to sign the bill into law.  It would take effect on January 1, 2023 and set a framework for collecting, controlling, and processing personal data in the Commonwealth of Virginia.

CPW previously shared Lydia de la Torre‘s fantastic write up of the CDPA and some of the key differences between the CDPA and the California Consumer Privacy Act (“CCPA”).  Similar to the CCPA, the CDPA would give Virginia consumers the right to access their data, correct inaccuracies, and request the deletion of information. Virginia residents would also be able to opt out of data collection under certain circumstances.  However, the CDPA does not include a private right of action for data breaches: violations of the Virginia law are enforceable only by the state Attorney General.

The CDPA applies to all persons that conduct business in Virginia or produce goods or services targeted at Virginia and either “(i) during a calendar year, control or process personal data of at least 100,000 consumers” or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”  However, it does not contain an independent revenue threshold–by comparison, the CCPA applies to all businesses with an annual gross revenue of over $25 million that do business in the State of California and collect personal data from California residents.  A “consumer” is defined as “natural person who is a resident of the Commonwealth acting only in an individual or household context,” excluding those acting in commercial or employment contexts.  This is unlike the CCPA, which also applies to individuals acting in those capacities.  Similar to the CCPA, the CDPA also exempts state and local governmental entities, as well as certain categories of data and information already covered by federal law, such as protected health information governed by HIPAA.

We’ll continue to monitor the development of this important legislation for you.

Advertisement
© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 53
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Christina Lamoureux Litigation Attorney Squire Patton Boggs Washington DC
Associate

Christina Lamoureux is an associate in the Litigation Practice in the Washington DC office. She represents a wide variety of clients in complex commercial matters.

Admissions

  • District of Columbia, 2020

Related Services

  • Litigation
202-457-6095
Advertisement
Advertisement