Virginia has become the second U.S. state to enact a comprehensive data privacy law. On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act ("the Act") into law, after the draft legislation had sailed through the Virginia legislature in a matter of weeks. The Act takes effect January 1, 2023.

The Act will apply to persons or entities that conduct business in Virginia or produce products or services targeting Virginia residents, and that (i) during a calendar year, control or process personal data of at least 100,000 Virginia consumers or (ii) control or process personal data of at least 25,000 Virginia consumers and derive more than 50% of gross revenue from the sale of personal data. 

The Act borrows many data protection principles from the California Consumer Privacy Act ("CCPA") and the General Data Protection Regulation in the European Union. For example, the Act creates obligations for "controllers" (those determining the processing of personal data) and "processors" (those processing the personal data on a controller's behalf). The Act similarly defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable natural person."

Under the Act, controllers have obligations to, among other things:

  • Disclose in a privacy notice various processing activities;
  • Obtain specific affirmative consent before collecting and otherwise processing "sensitive data" concerning a consumer;
  • Conduct data protection assessments for certain processing activities, such as processing for targeted advertising, processing of sensitive data, and processing that presents a heightened risk of harm to consumers;
  • Maintain reasonable administrative, technical, and physical data security practices; and
  • Comply with requests from consumers to exercise the right to access personal data; the right to obtain a copy of personal data; the right to correct inaccuracies; the right to delete personal data; and the right to opt out of processing of personal data for purposes of targeted advertising, profiling for use in making significant decisions concerning the consumer, and selling personal data.

Unlike the CCPA, this Act does not provide a private right of action for certain data breaches. The Virginia Attorney General will have exclusive authority to enforce the law. The Act provides a party a 30-day period to cure any alleged violations. If an alleged violation is not cured in that time, the Attorney General may seek a civil penalty of up to $7,500 per violation in a subsequent enforcement action.
