The Virginia state House of Delegates and Senate voted to approve data privacy legislation, titled the Consumer Data Protection Act (”CDPA”). Now, legislators are working to send the bill to Virginia Governor Ralph Northam, before March 1, 2021.
If enacted, the CDPA would go into effect on January 1, 2023 and would apply to all businesses that: (1) control or process personal data of at least 100,000 Virginia residents or (2) derive over 50% of gross revenue from the sale and processing of personal data of at least 25,000 Virginia residents. The CDPA has exemptions for certain financial institutions, health care institutions, non-profit organizations, and higher education institutions.
The CDPA would make Virginia the second state, behind California, to pass data privacy legislation. However, the Virginia CDPA is different than the California privacy law in a few ways:
- Revenue Threshold
The California privacy law applies only to businesses that have an annual gross revenue of $25 million, however the Virginia law does not a revenue threshold.
- No Time Limit
The CDPA does not restrict how far back consumers can go in asking for a copy of their personal data. In other words, businesses would have to produce any data they hold about an individual. In California, however, for now, consumers are restricted to requesting information for the past 12 months.
3. The Right to Sue
Unlike Californians, pursuant to the CDPA, Virginians cannot sue for any violations of the law. The Attorney General will be responsible for enforcing the CDPA.
Ward & Berry will continue to monitor the CDPA and will post updates as they become available.