Last week a committee of the Virginia House of Delegates voted to send several privacy-related bills to a legislative commission for study after the current legislative session. Among those bills is the Virginia Privacy Act, proposed as a less onerous version of the California Consumer Privacy Act. Other bills referred for study address topics such as requirements for the destruction of records, online advertising and digital services directed to minors, and safe keeping of biometric data.

The Communications, Technology and Innovation Committee voted to “continue” the these privacy-related bills and directed the chairman of the committee to request the Joint Commission on Technology and Science (JCOTS) to study the legislation in advance of the 2021 legislative session. JCOTS consists of 13 legislators and its purpose is to evaluate emerging technology and science with the goal of promoting the development of sound public policies on those topics.


Continue Reading

On January 8, 2020, the Virginia General Assembly will begin its 60 calendar day legislative session. Legislation relating to privacy will be on the agenda, including HB 473, titled the “Virginia Privacy Act,” that proposes to strengthen the data privacy rights of Virginians.

Scope of the Proposed Legislation

The provisions of the legislation apply to “any legal entity (i) that conducts business in the Commonwealth or produces products or services that are intentionally targeted to residents of the Commonwealth and (ii) that (1) controls or processes personal data of not fewer than 100,000 consumers; or (2) derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.” The bill has exceptions to its scope applicable to, among others, local and state governments, credit reporting agencies and financial institutions governed by other privacy laws, and also exempts certain health care related information governed by federal law and employment records.

The legislation focuses on the responsibilities of data controllers, who are primarily responsible for complying with the provisions of the legislation, and data processors, who must adhere to the instructions of the controller and assist a controller in meeting the requirements of the proposed act.


Continue Reading