On January 8, 2020, the Virginia General Assembly will begin its 60 calendar day legislative session. Legislation relating to privacy will be on the agenda, including HB 473, titled the “Virginia Privacy Act,” that proposes to strengthen the data privacy rights of Virginians.

Scope of the Proposed Legislation

The provisions of the legislation apply to “any legal entity (i) that conducts business in the Commonwealth or produces products or services that are intentionally targeted to residents of the Commonwealth and (ii) that (1) controls or processes personal data of not fewer than 100,000 consumers; or (2) derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.” The bill has exceptions to its scope applicable to, among others, local and state governments, credit reporting agencies and financial institutions governed by other privacy laws, and also exempts certain health care related information governed by federal law and employment records.

The legislation focuses on the responsibilities of data controllers, who are primarily responsible for complying with the provisions of the legislation, and data processors, who must adhere to the instructions of the controller and assist a controller in meeting the requirements of the proposed act.

Main Consumer Protection Elements of the Legislation

The proposed legislation requires a “controller,” defined as a “person that, alone or jointly with others, determines the purposes and means of the processing of personal data” to facilitate requests by consumers to exercise newly created rights, including:

  • Confirmation whether personal data of the consumer is being processed by the controller or sold to data brokers;
  • Providing access to the consumer’s data (in cases where data is being processed by the controller) and a copy of the data concerning the consumer;
  • Correction of inaccurate or incomplete personal data of the consumer;
  • Deletion of the consumer’s personal data in certain circumstances;
  • Restricting the processing of the consumer’s personal data when the processing of such data is not consistent with the purposes for which it was collected, not consistent with the purpose disclosed at the time of collection or authorization, or when such processing is otherwise unlawful; and
  • Objecting at any time to the processing of the consumer’s personal data, with provisions related to the controller’s obligations to notify certain third-parties of the objection when the objection relates to targeted advertising.

The measure requires controllers to process such requests “without undue delay” and no later than 30 days from a verified request with an option to extend that period an additional 60 days depending on the number and complexity of requests.

The legislation also requires a controller to perform a risk assessment of each of its data processing activities that involves personal data and to refresh such assessments whenever there is a change in processing of data that will materially increase the risk to consumers.

A violation of the provisions of the legislation is considered a prohibited practice under the Virginia Consumer Protection Act.

The Legislature’s Consideration of the Legislation

This past November, Virginia’s state elections produced a historic change in control of both the Virginia House of Delegates and Senate. The Democratic Party now controls both chambers of the Virginia General Assembly as well as the Governorship. Any time there is a change in control of the legislature uncertainty is created. Legislation that historically did not receive much consideration may now find new life with a new political majority.

Businesses that possibly fall within the scope of the proposed Virginia Privacy Act should analyze the effect of the bill on operations and actively follow the General Assembly’s consideration of the legislation.