September 22, 2021

Volume XI, Number 265

Will Virginia Be the Second State to Enact Major Privacy Legislation?

On February 5, 2021, the state Senate of Virginia voted unanimously to approve Senate Bill 1392, titled the Consumer Data Protection Act, after the House of Delegates approved an identical House bill by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. Minor, clarifying amendments will likely be added in committee, but they are not expected to alter the main components of the bill. Virginia’s General Assembly will adjourn Sine Die on March 1, and legislators have until then to finalize the details of the legislation. Virginia’s Governor Ralph Northam would be in a position to sign the bill later in March. Notably, the Governor has line item veto authority, so the bill could also possibly be amended after it passes the General Assembly.

If enacted, Virginia would be the second state to enact major privacy legislation of general applicability, following the California Consumer Privacy Act (“CCPA”), which was enacted in 2018. The bill would establish a comprehensive framework for controlling and processing personal data of Virginia residents and would become effective January 1, 2023. It also would provide Virginia residents with certain rights with respect to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing, and the right to appeal a controller’s decision regarding a rights request. The bill also would include requirements relating to data minimization, processing limitations, data security, non-discrimination, third-party contracting and data protection assessments, as well as impose certain requirements directly on entities who process data on behalf of a controller.

If you are familiar with the CCPA and the EU General Data Protection Regulation (“GDPR”), some of these concepts likely sound familiar; however, this law would not mirror either the CCPA or the GDPR. Notably, the law would include a number of “entity-level” exemptions, such as exemptions for financial institutions (or data) subject to GLBA, HIPAA-covered entities and business associates, and would also include some “data/context” specific exemptions, such as an exemption for HR-related data processing.

The Virginia Attorney General would have exclusive enforcement authority and the bill would not provide a private right of action. The Attorney General’s office would need to provide 30 days’ notice of any violation and allow an opportunity to cure. For uncured violations, the Attorney General would be able to file an action seeking $7,500 per violation.

 

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XI, Number 44

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
