Both houses of Virginia’s legislature recently passed the Virginia Consumer Data Protection Act (S.B. 1392; H.B. 2307) (the “VCDPA”). If approved by the state governor, the VCDPA would become the United States’ second comprehensive state privacy law behind the California Consumer Privacy Act (CCPA).
The VCDPA is similar to the CCPA and the European Union’s General Data Protection Regulation in a number of ways. For instance, the act contains a broad definition of “personal data.” It imposes certain fundamental processing principles, such as purpose limitation and data minimization rules, on businesses that process personal data. It also provides Virginia consumers with new rights to access, delete, and take other actions in respect to their personal data.
The VCDPA does not provide a private right of action. The act vests enforcement exclusively with Virginia Office of the Attorney General. Any business that violates the act would be liable for a maximum civil penalty of $7,500 per violation.
If signed, the VCDPA would become effective January 1, 2023.