Virginia has become the second state to sign into law a measure to protect consumers’ data, joining California as the only two states to pass such privacy legislation.
Virginia Governor Ralph Northam (pictured above) signed the Consumer Data Protection Act (CDPA) that will give consumers far more control over their own data by allowing them to opt out of marketers using their personal information for targeted advertising along with the right to know if their data is being used. The bill was introduced by State Senator David Marsden (D).
“This is a huge step forward,” said Marsden. "This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers,” he said.
Specifically, the law gives Virginia consumers the right to access their data, correct mistakes, and request information be deleted. In some circumstances, Virginia residents would also be able to opt out of data collection altogether. However, the CDPA does not provide recourse for personal data compromised in security breaches and leaves enforcement of violations to the state Attorney General. The legislation goes into effect in 2023 and impacts businesses that hold the personal data of at least 100,000 people, with at least half of their revenue stemming from the sale of 25,000 people’s personal information at minimum. Any entity conducting business in Virginia is subject to the CDPA's regulations.
Virginia and California Data Privacy Laws: What's the Difference?
Virginia's data privacy law has a bit fewer teeth than California's. Unlike California’s Consumer Privacy Act, which took effect on January 1, 2020, Virginia’s legislation limits the ability of consumers to sue should their data be illegally appropriated.
By comparison, the California law, which resembles the European Union’s General Data Protection Regulation, gives the state’s 40 million residents the right to require a business to disclose the types of personal information it collects on the consumer, where that information is collected and whether it’s being sold or shared, and to opt out of the whole thing. Violators could be docked up to $7,500 for each infraction.
In the 2020 election, California voters expanded consumer’s data privacy by passing the California Privacy Rights Act, which includes any information collected irrespective of when it was collected and covers data breaches where exposed personal information includes a username and password. The law also creates a watchdog enforcement organization called the California Privacy Protection.
State-level Data Privacy Legislation: More Coming?
In the absence of a federal law for data privacy other states are also considering legislation similar to California’s and Virginia’s, including New York, Oklahoma, Utah and Washington. It’s widely accepted on both sides of the aisle that a federal law would give consumers and businesses a set of uniform use and compliance regulations regarding personal data protection.