Virginia is poised to become the next US state to enact a data privacy law to protect its residents. Bill No. 1392 has already cleared the Senate, and will go into effect on January 1, 2023, if Governor Ralph Northam signs it into law.
The bill would add the Consumer Data Protection Act to the Virginia Code, and is noteworthy because it gives people much more control over their personal data. Under the Act, Virginia residents would have the right to know when a private company is storing and/or processing their personal information. They would also have the right to access and delete that information if they so desire. That remains true whether they provided that information themselves, or if the company obtained that information from another source.
Other rights include the right to amend inaccurate information, the right of data portability, and the right to opt out of profiling applications. For example, residents would be able to prevent the sale of their personal data, and block the use of that data for targeted advertising.
While the law establishes a clear set of consumer rights, it does not include a private right-of-action, which means that individual citizens will not be able to take legal action if those rights have been violated. Instead, the power of enforcement will rest solely with the state Attorney General, who will be responsible for dealing with possible violations.
In that regard, the Virginia law differs sharply from the Biometric Information Privacy Act in Illinois, which has a right-of-action clause that has led to numerous class action lawsuits in the past few years. Facebook recently reached a $650 million settlement in one of the most high-profile BIPA cases thus far.
The Virginia bill is geared toward larger businesses, and specifically applies to those that store or process the data of 100,000 or more consumers in a calendar year, or to businesses that process 25,000 or more consumers while generating at least half of their gross revenues from the sale of personal data. State and municipal government agencies would be exempt, as would select businesses that are already subject to industry-specific data protection laws. Most notably, the law would not apply to financial institutions covered by the Gramm-Leach-Bliley Act, or to healthcare providers that need to observe HIPAA and HITECH regulations.
US Senators Bernie Sanders and Jeff Merkley have proposed a data protection law at the federal level, although that law is yet to come to fruition. The California Consumer Privacy Act went into effect in January of 2020.
February 19, 2021 – by Eric Weiss