Like California, Colorado, Florida, and countless other states before it, Virginia appears ready to tap its own privacy legislation in the New Year.
By doing so, the state would follow California's lead in particular: on January 1, the California Consumer Privacy Act (CCPA) went into effect, although the Act won't be enforced by the state's attorney general until July 1, 2020.
The bill, the Virginia Privacy Act (HB 473), was introduced to the General Assembly of Virginia last Wednesday by Mark D. Sickles, a member of the state's House of Delegates. The Act, referred to the state's Committee on Communications, Technology and Innovation, would technically amend and reenact the Code of Virginia by adding sections on the management and oversight of personal data.
The Act would bring the Commonwealth up to date with many of its peers and complement other legislation already on the books there pertaining to data breach notification and medical information breach notification.
If enacted, the Act would apply to any entity that conducts business in the Commonwealth of Virginia or produces products or services that are targeted to residents there, as long as the business controls or processes data of not fewer than 100,000 consumers, and derives more than 50 percent of gross revenue from the sale of personal data and processes or controls the personal data of not fewer than 25,000.
Under the Act, a controller, an entity that determines the purposes and means of processing personal data, needs to be transparent about its processing activities and make the following available to consumers in a privacy policy:
- The categories of personal data collected by the controller;
- The purposes for which the categories of personal data are used and disclosed to third parties, if any;
- A list of the rights that consumers may exercise pursuant to § 59.1-574, which include the right to access, correction, deletion, restriction of processing, and objection to processing;
- The categories of personal data that the controller shares with third parties, if any; and the categories of third parties, if any, with whom the controller shares personal data.
One interesting part of the legislation would be a section, § 59.1-576, that requires that controllers conduct a risk assessment of their processing activities whenever there's a change in processing. Under Virginia's Act, data controllers would be required to perform and document a privacy risk assessment for every processing activity, taking into account the type of data processed and the extent to which the personal data is sensitive. While the risk assessment would be confidential, the controller would still have to make it available to the Attorney General upon request.
When it comes to selling data, Virginia’s law hews closer to Nevada’s, which went into effect two months earlier than the CCPA, on October 1. Nevada’s, for what it’s worth, covers any exchange of covered information for monetary consideration by the operator to a person, assuming that person will license or sell the covered information to additional persons.
According to Virginia's legislation, selling data means any exchange of personal data “for monetary consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.”
Similar to the CCPA, businesses in Virginia that are found in violation of the Act would have 30 days to cure a breach following a noncompliance notice. It’s likely still too early to know what a violation of the Act would cost. Violations would still be subject to the enforcement provisions of the Virginia Consumer Protection Act, however, something that allows a private cause of action for violations to recover actual damages, or $500, whichever is greater. If it's found that a violation of the Virginia Consumer Protection Act is willful, the damages could be increased to a number not exceeding three times the damages sustained, or $1,000.