The bill applies to businesses processing consumers’ personal data or deriving a portion of gross revenue from the sale of personal data. It is expected to be signed by Gov. Ralph Northam in the coming weeks.
Virginia is in line to follow California’s lead with the California Consumer Privacy Act (CCPA), which is already in effect, by finalizing its own comprehensive data privacy law this year.
The Virginia Consumer Data Protection Act was passed by the Virginia House of Representatives (89-9) and Senate (39-0), and is expected to be signed by Gov. Ralph Northam after the legislative session ends March 1, according to Roll Call.
If signed by the governor, the bill will take effect Jan. 1, 2023.
The Consumer Data Protection Act would establish a framework for controlling and processing personal data in the commonwealth.
The bill “applies to all persons that conduct business in the commonwealth and either control or process personal data of at least 100,000 consumers or derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers,” according to the bill text.
The bill outlines responsibilities and privacy protection standards for data controllers and processors but does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law.
Under the bill, consumers have rights to access, correct, delete, obtain a copy of personal data and to opt out of the processing of personal data for the purposes of targeted advertising.
The attorney general has sole authority to enforce violations of the law, and the Consumer Privacy Fund was created to support this effort.
According to Roll Call, one key difference between the Virginia law and the CCPA is that the Virginia law does not set a revenue threshold for companies that store consumers’ data.
The CCPA, ACA International previously reported, applies to certain businesses that fall under one or more of the following criteria:
- Annual gross revenues of more than $25 million;
- Alone, or in combination, annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more California consumers, California households or devices;
- Derive 50% or more of annual revenue from selling consumers’ personal information.
The Virginia law prohibits private right of action, or the right to sue for data privacy violations, for consumers, which the California law does not, Roll Call reports.
Other States Calculate Data Privacy Laws
Washington state is also again reviewing a consumer data privacy bill. The bill, currently under review at the Senate committee level:
- Provides Washington residents with the consumer personal data rights of access, correction, deletion, data portability and opt out of the processing of personal data for specified purposes.
- Specifies the thresholds a legal entity must satisfy for the requirements set forth in this act to apply.
- Identifies controller responsibilities such as transparency, purpose specification and data minimization.
- Requires controllers to conduct data protection assessments under certain conditions.
- Authorizes sole attorney general enforcement under the Consumer Protection Act.
- Regulates the processing of data collected for certain contact tracing purposes.
In other news, Oklahoma and Minnesota also recently introduced bills related to data privacy. In January, Oklahoma introduced House Bill 1130, mandating that businesses post policies on their data collection and privacy practices. It does not include rights for Oklahoma residents on their personal information.
In Minnesota, a new bill seeks to provide consumers rights for their personal data, including a private right of action and as well as data transparency obligations on businesses.
ACA continues to monitor about 350 state bills that would impact the accounts receivable management (ARM) industry if enacted, and members can hear updates on state and federal legislation on the weekly ACA Huddle sponsored by Connect International, Solutions by Text and Pay N Seconds.
Visit the Events & Education calendar to complete a one-time registration for the ACA Huddle and stay tuned for more speaker announcements. Members may access recordings of the ACA Huddle presentations here.
Download the ACA Mobile app for reminders on ACA Huddle webinars and online education and to access resources on the go. Log on to acainternational.org and select My ACA to subscribe to our emails, including member alerts, ACA Daily and education and events updates.
For more information on how the ACA licensing staff can assist with your licensing application completion needs, please contact us at [email protected] or call (952) 926-6547.