March 25, 2023

Volume XIII, Number 84


Virginia Work Group Report Leads to Proposed CDPA Amendments

The Virginia legislature has introduced several bills that would amend Virginia’s Consumer Data Protection Act (“CDPA”) that was enacted last year. These bills are largely in response to the November 1, 2021 Virginia Consumer Data Protection Act Work Group report (the “Report”), which outlined 17 “points of emphasis” related to the CDPA. The Report includes recommendations regarding administrative items, permitting the Attorney General to seek actual damages based on consumer harm, implementing a right (that would sunset) to cure violations of the CDPA, amending the right to delete, amending the definition of sensitive data, implementing global privacy control, and providing resources to consumers and small business, among other topics.

The following is a high-level summary of the relationship between the introduced bills and the Report:

  1. HB 381 and SB 393

In the Report, the work group specifically called for the “right to delete” provision in the CDPA to be a “right to opt out of sale” as well. This change is meant to address the scenario where the benefit of deleting data may be undone if there is indirect collection at a later date. These bills would permit a business to satisfy a consumer’s request to delete by opting the consumer out of processing of their data for targeted advertising, sale, or profiling. Note that the opt out in HB 381 is broader and would opt the consumer out of processing for any purpose (with certain exceptions).

  2. HB 714 and SB 534

The work group also outlined that there is a need to employ an “ability to cure” option for violations, should a potential cure exist, as well as permitting the Office of the Attorney General to pursue actual damages based on consumer harm.

Accordingly, these bills add a 30-day cure period that would only apply to violations that the Attorney General deems curable. Additionally, these bills would allow the Attorney General to seek actual damages in addition to existing remedies (injunctive relief and statutory damages of $7,500.00 per violation).

  3. HB 1259

The Report also mentioned the need to consider whether the definition of “sensitive data” should exclude general demographic data used to promote diversity and outreach to underserved populations.

This bill proposes to address this by removing consent requirements for processing sensitive data when such processing involves “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status” if the data is used solely for marketing, advertising, fundraising, or similar outreach, communications or information sharing that does not result in decisions that could produce legal or similarly significant effects concerning the consumer.

Virginia is not the only state working to change its existing privacy framework. Colorado’s Office of the Attorney General will begin rulemaking activities shortly and the California Privacy Protection Agency recently held a public meeting to discuss updates to its rulemaking process.

© Copyright 2023 Squire Patton Boggs (US) LLP

National Law Review, Volume XII, Number 70

About this Author

Glenn Brown, Data Privacy & Cybersecurity Attorney, Squire Patton Boggs, Atlanta, GA
Of Counsel

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US...

Kyle R. Fath Cybersecurity Attorney Squire Patton Boggs New York Los Angeles
Of Counsel

Kyle Fath is counsel in the Data Privacy & Cybersecurity Practice. He offers clients a unique blend of deep experience in counselling companies through compliance with data privacy laws, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of mergers & acquisitions and other corporate transactions. His practice has a particular focus on the ingestion and sharing of data by way of strategic data transactions, data brokers, and vendor relationships, the implications of digital advertising (as companies look toward...

Elizabeth A. Spencer Berthiaume Attorney Cybersecurity Squire Patton Boggs Dallas

Elizabeth Spencer Berthiaume is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice. She focuses her practice on data privacy and protection, cybersecurity and data breach preparedness and response.

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...