As readers of CPW know, the Virginia Consumer Data Protection Act (the “Act”) is expected to be signed into law shortly by Governor Ralph Northam.   If enacted, the Act will become effective on January 1, 2023, and make Virginia only the second state in the US to enact a comprehensive data privacy law that purports to regulate the collection, use and disclosure of the personal data of its residents generally.

The Act provides rights to natural persons who are Virginia residents and generally imposes obligations on any natural or legal person that:

  • Conducts business in Virginia or produces products or services that are targeted to Virginia residents; and
  • In a calendar year, either:
    • Controls or processes the personal data of at least 100,000 Virginia residents; or
    • Controls or processes the personal data of at least 25,000 Virginia residents and derives at least 50% of its gross revenue from the sale of personal data.

There are certain exceptions, as set forth in the Act.  The Act provides Virginia residents with various rights, including the right to delete and the right to opt-out.  It also imposes significant obligations on controllers and processors of data (data minimization, reasonable security, etc.).

CPW’s Glenn Brown has a fantastic analysis exploring these requirements and others in detail.  It is a must-read for any entity wondering what its legal obligations are under the Act.  Check it out here.