Once again, the Virginia legislature is set to consider comprehensive data privacy legislation.  In the 2020 regular session of the Virginia General Assembly, the House of Delegates referred several bills dealing with privacy issues, including a proposed data privacy law, to the Virginia Joint Commission on Science and Technology for study.

This year, it appears Virginia is poised to seriously consider adoption of a broad consumer data privacy framework.  Senate Bill 1392 , sponsored by Senator David Marsden (D-Fairfax), was introduced on January 13, 2021. House Bill 2307, sponsored by Delegate Cliff Hayes, Jr. (D-Chesapeake), was introduced on January 20, 2021. The bills create the “Consumer Data Protection Act.”

Virginia does not currently have a comprehensive data privacy law governing consumer data.  Like most states, it has a data breach notification law and various protections for specific types of data in certain contexts.

Description of the Legislation

  • Both bills establish a framework for consumers to more control over their data. Under the bills, consumers are given the right to access their data, correct inaccuracies, request deletion, obtain a copy and the ability to opt out of collection and use of data “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” (See proposed 59.1-573).
  • The bills apply to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
  • The legislation would be effective as of January 1, 2023.
  • Importantly, the legislation does not contain a private right of action for consumers. Instead, the bill gives the Attorney General of the Commonwealth the exclusive authority to enforce violations of the act and creates a “Consumer Privacy Fund” to support the work of the Attorney General’s office to enforce the Act.

Current Status

Senate Bill 1392 is pending in the Senate General Laws and Technology Committee.  It is anticipated that the House bill will likely be referred to the House Communications, Technology and Innovation Committee, chaired by Delegate Hayes, or possibly to the House Labor and Commerce Committee.

What’s Next?

The Virginia legislature convened on January 13 and is scheduled to only meet for 30 calendar days.  That places “crossover,” the deadline by which each house must act on its own legislation prior to sending to the other body, on February 5, 2021.  Consequently, things will move quickly given that there are only a few anticipated committee meetings remaining prior to the crossover date.  For example, the Senate General Laws and Technology Committee is only scheduled to meet three times between now and February 5, 2021, and House committees may only have three more meetings prior to the crossover date.

Stay tuned for a follow-up blog post by McGuireWoods’ Janet Peyton that gives an in-depth evaluation of the proposed bills and possible implications for privacy professionals and businesses.