Photo of Chris Nolen

In addition to being an attorney with McGuireWoods LLP, Chris is an executive vice president in McGuireWoods Consulting. His government affairs practice consists of representing clients before the Virginia legislature, executive branch and state and local agencies.

Once again, the Virginia legislature is set to consider comprehensive data privacy legislation.  In the 2020 regular session of the Virginia General Assembly, the House of Delegates referred several bills dealing with privacy issues, including a proposed data privacy law, to the Virginia Joint Commission on Science and Technology for study.

This year, it appears Virginia is poised to seriously consider adoption of a broad consumer data privacy framework.  Senate Bill 1392 , sponsored by Senator David Marsden (D-Fairfax), was introduced on January 13, 2021. House Bill 2307, sponsored by Delegate Cliff Hayes, Jr. (D-Chesapeake), was introduced on January 20, 2021. The bills create the “Consumer Data Protection Act.”

Virginia does not currently have a comprehensive data privacy law governing consumer data.  Like most states, it has a data breach notification law and various protections for specific types of data in certain contexts.Continue Reading Virginia Legislature Is Set to Consider Comprehensive Data Privacy Legislation

Earlier this year, several pieces of privacy related legislation pending in the 2020 General Assembly session were referred by a standing committee of the Virginia House of Delegates to the Joint Commission on Technology and Science (JCOTS) for study outside of the regular legislative session.  JCOTS has taken its first steps toward establishing study committees to look at several issues prior to the 2021 regular legislative session.

Specifically, JCOTS established the following study committees:

  • Data Protection & Privacy Advisory Committee
  • Children’s Online Protection Advisory Committee
  • Facial Recognition within Law Enforcement Advisory Committee

Continue Reading Virginia Legislative Commission Set to Begin Look at Data Protection, Privacy and Children’s Online Privacy Protection Issues

Last week a committee of the Virginia House of Delegates voted to send several privacy-related bills to a legislative commission for study after the current legislative session. Among those bills is the Virginia Privacy Act, proposed as a less onerous version of the California Consumer Privacy Act. Other bills referred for study address topics such as requirements for the destruction of records, online advertising and digital services directed to minors, and safe keeping of biometric data.

The Communications, Technology and Innovation Committee voted to “continue” the these privacy-related bills and directed the chairman of the committee to request the Joint Commission on Technology and Science (JCOTS) to study the legislation in advance of the 2021 legislative session. JCOTS consists of 13 legislators and its purpose is to evaluate emerging technology and science with the goal of promoting the development of sound public policies on those topics.Continue Reading Virginia Punts Several Privacy-Related Bills to Out of Session Study

On January 8, 2020, the Virginia General Assembly will begin its 60 calendar day legislative session. Legislation relating to privacy will be on the agenda, including HB 473, titled the “Virginia Privacy Act,” that proposes to strengthen the data privacy rights of Virginians.

Scope of the Proposed Legislation

The provisions of the legislation apply to “any legal entity (i) that conducts business in the Commonwealth or produces products or services that are intentionally targeted to residents of the Commonwealth and (ii) that (1) controls or processes personal data of not fewer than 100,000 consumers; or (2) derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.” The bill has exceptions to its scope applicable to, among others, local and state governments, credit reporting agencies and financial institutions governed by other privacy laws, and also exempts certain health care related information governed by federal law and employment records.

The legislation focuses on the responsibilities of data controllers, who are primarily responsible for complying with the provisions of the legislation, and data processors, who must adhere to the instructions of the controller and assist a controller in meeting the requirements of the proposed act.Continue Reading Will Virginia Follow California’s Lead on Consumer Privacy Legislation?

Freshman Delegate Hala Ayala recently introduced House Bill 2793 in this session of the Virginia General Assembly.  If enacted, the legislation will impose new requirements on businesses with regard to the disposal of certain consumer records and manufacturers in the design and maintenance of devices that connect to the internet.
Continue Reading Virginia General Assembly to Consider Minimum Security Standards for Care and Disposal Consumer Information and Security of Connected Devices

The 2018 Regular Session of the Virginia General Assembly recently concluded after considering approximately 3700 bills and resolutions during the 60-day session. Several privacy-related bills were on the legislative agenda, but few were enacted into law.

Tax Return Data

As highlighted in January, the General Assembly this year continued its efforts to address the

The Virginia General Assembly is underway and several privacy related bills are on the legislative agenda for 2018. The Virginia legislature will consider approximately 3,000 bills during its 60-day session that will end in early March. Several of these pending bills have privacy implications in a variety of substantive areas.

Tax Return Data

In an

As previously written about in this blog, student privacy figured prominently in a few campaigns for the Virginia House of Delegates this past Fall. A progressive special interest group utilized Virginia’s Freedom of Information Act to request and receive student identifying information, including cell numbers, from numerous public colleges and universities in Virginia (

Combine several hotly contested elections for state office, traditional voter registration and mobilization tactics, a progressive special interest group and the use of an existing law to gain access to tens of thousands of individual student phone numbers and email addresses and you get a mini-firestorm of debate over personal privacy rights.

As reported recently in the The Roanoke Times, a progressive special interest group requested student contact information from all of Virginia’s publicly supported colleges and universities. According to The Roanoke Times, 18 public institutions of higher education produced the requested information. That information was then used by various political campaigns to contact students about registering to vote. Presumably, campaigns in possession of the information will use it to further in their voter identification and political advocacy efforts.

Two Virginia legislators recently announced they will introduce legislation to make it harder for third-parties to obtain such information in the future.

Unless a student affirmatively “opts-out,” The Family Education Rights and Privacy Act of 1974 does not prohibit universities and colleges from releasing student directory information, provided proper notice was given to the student. Interestingly, current Virginia law prohibits public institutions of higher education from selling a student’s personal information.  See Va. Code Ann. § 23.1-405(C). The statute delineates personal information as name, address, phone number and email address. Id. While Virginia law prohibits the selling of such information, it does not explicitly prohibit releasing the information through Virginia’s Freedom of Information Act.  While some may argue the information is a “scholastic record” under the Virginia Freedom of Information Act, which would have allowed the schools to withhold the information, 18 public colleges and universities took a different view.
Continue Reading The Politics of Access to Student Data

Privacy professionals have long lamented the myriad of approaches each state takes when it comes to data breach notification requirements. According to the National Conference of State Legislatures, 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring covered companies to make certain notifications to affected consumers and