Digital Guardian's Blog

Virginia Introduces Privacy Law Of Its Own

by Chris Brook on Monday January 13, 2020

Virginia appears to be following in the footsteps of California with new legislation, the Virginia Privacy Act, that would strengthen the data privacy rights of Virginians.

Like California, Colorado, Florida, and countless other states before it, Virginia appears ready to tap its own privacy legislation in the New Year.

By doing so the state would follow California's lead in particular, which on January 1, saw the California Consumer Privacy Act (CCPA) go into effect; the Act won't be enforced by the state's attorney general until July 1, 2020.

The bill, the Virginia Privacy Act (HB 473), was introduced to the General Assembly of Virginia last Wednesday by Mark D. Sickles, a member of the state's House of Delegates. The Act, referred to the state's Committee on Communications, Technology and Innovation, would technically amend and reenact the Code of Virginia by adding sections on the management and oversight of personal data.

The Act would bring the Commonwealth up to date with many of its peers and complement other legislation already on the books there pertaining to data breach notification and medical information breach notification.

If enacted, the Act would apply to any entity that conducts business in the Commonwealth of Virginia or produces products or services that are targeted to residents there, as long as the business controls or processes data of not fewer than 100,000 consumers, and derives more than 50 percent of gross revenue from the sale of personal data and processes or controls the personal data of not fewer than 25,000.

Under the Act, a controller, an entity that determines the purposes and means of processing personal data, needs to be transparent about its processing activities and make available to consumers the following in a privacy policy:

  • The categories of personal data collected by the controller;
  • The purposes for which the categories of personal data are used and disclosed to third parties, if any;
  • A list of the rights that consumers may exercise pursuant to § 59.1-574, which include the right to access, correction, deletion, restriction of processing, objection to processing;
  • The categories of personal data that the controller shares with third parties, if any; and the categories of third parties, if any, with whom the controller shares personal data.

One interesting part of the legislation would be a section, § 59.1-576, that requires that controllers conduct a risk assessment of their processing activities whenever there's a change in processing. Under Virginia's Act, data controllers would be required to perform and document a privacy risk assessment for every processing activity, taking into account the type of data processed and the extent to which personal data is sensitive. While the risk assessment would be confidential, the controller would still have to make it available to the Attorney General upon request.

When it comes to selling data, Virginia’s law hews closer to Nevada’s, which went into effect two months earlier than the CCPA, on October 1. Nevada’s, for what it’s worth, covers any exchange of covered information for monetary consideration by the operator to a person, assuming the person will license or sell the covered information to additional persons.

According to Virginia's legislation, selling data means any exchange of personal data “for monetary consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.”

Similar to the CCPA, businesses in Virginia that are found in violation of the Act would have 30 days to cure a breach following a noncompliance notice. It’s likely still too early to know what a violation of the Act would cost. Violations would still be subject to the enforcement provisions of the Virginia Consumer Protection Act, however, something that allows a private cause of action for violations to recover actual damages, or $500, whichever is greater. If it's found that a violation of the Virginia Consumer Protection Act is willful, the damages could be increased to a number not exceeding three times the damages sustained, or $1,000.

Tags: Data Privacy, Data Protection

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.