Virginia passes consumer protection law

Virginia governor Ralph Norton recently passed the Virginia Consumer Data Protection Act (VCDPA), making Virginia the second state after California to pass a consumer protection law.

Similar in scope to California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR), the VCDPA requires any business that does business in Virginia to protect their data. The act applies to businesses that handle the data of more than 100,000 people annually, or that handle at least 25,000 consumers and for which at least half of their gross revenue deals with consumer data.

The act, though similar in scale to the CCPA, has several exemptions that are much broader than the California law. It exempts state bodies, financial institutions covered by the Gramm-Leach-Bliley Act (which forces them to report how they share their information),[1] HIPAA-connected businesses and medical centers, nonprofits, and universities.

Like the CCPA and GDPR, the VCDPA gives consumers specific rights to access their personal data, correct inaccuracies, delete personal data, obtain a copy of their data in a portable format, and opt out of targeted advertising and sales of such data. The VCDPA imposes several obligations on businesses, including:

  • Limitations on the collection and use of personal data to what is adequate, relevant, and reasonably necessary for the purpose of such data being processed.
  • Maintaining reasonable administrative, technical, and physical data security practices to protect personal data.
  • Restrictions on discriminating against consumers for exercising any of their consumer rights.
  • Obtaining consent before processing sensitive data concerning a consumer. Consent is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer [and] may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”[2]

Companies have close to two years to comply with this regulation in Virginia, as it takes effect January 1st, 2023. But companies should prepare to comply with both this law and California’s laws, as they are similar in scope. As more states pass laws like this, businesses will have to adapt to how each state handles their customers’ data.



