VA Enacts Comprehensive Privacy Law. Seems Like Floodgates Now Open.
As we predicted, Virginia's governor signed the Consumer Data Protection Act ("VCDPA") making it the second state in the nation (after California) to enact comprehensive consumer privacy legislation. Although there were reports of push-back from consumer rights groups as the Virginia bills were going through the legislature's reconciliation process, the final bills that make up the VCDPA didn't change much from the previous versions (see House Bill No. 2307 and Senate Bill No. 1392). Through the process, the legislature did decide to place into the law the creation of a working group to review VCDPA's provisions and issues related to implementation. The working group will submit its findings, recommendations and best practices to specific legislative committees by November 1 of this year. Hopefully this working group will truly clarify open issues, so that businesses have some predictability on how to comply with the VCDPA.
For the time being, though, as discussed in more detail in our post a few weeks ago, businesses should be aware that the VCDPA creates its own unique compliance obligations. For example, VCDPA's threshold requirements are different from California's privacy laws (the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA")), so businesses should conduct an independent analysis of whether the VCDPA applies to their operations. In addition, the VDCPA grants consumers' the right to opt out of the sale of personal data, like the CCPA. However, the VDCPA's definition of such sale is limited to "monetary compensation," which is narrower than the CCPA. The VDCPA then adds a right to opt out of targeted advertising specifically. In addition, the VDCPA provides another opt-out right of personal data used for profiling (which may be different than the CPRA's opt out right of automated decision making) and is a new concept here in the U.S. (but is familiar to those who have complied with the EU's General Data Protection Regulation ("GDPR")). Other concepts new to the U.S. include the VCDPA's specific requirements for "sensitive data" and data protection assessments (both addressed in the CPRA in its own way).
This is probably just the beginning, as privacy legislation is being considered in many states across the country. InfoLawGroup has been tracking this for some time, and it seems that the next comprehensive consumer privacy law may be coming out of New York (see our previous article from late last year). Other states that we are watching include Oklahoma, Washington, and Utah. With so much legislation that could potentially become law, it is possible that at least one of these other states will enact a statute that becomes effective before the VDCPA and CPRA are fully in effect (on January 1, 2023). So, the time is now for businesses to assess their capability to comply with more stringent privacy laws and rights, and, if a business hasn't already, to figure out whether they need to comply with the CCPA that continues to be in effect (and other less comprehensive privacy laws such as Nevada's privacy law - see InfoLawGroup's previous post).
Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.