As readers of CPW know, the Virginia Consumer Data Protection Act (the “Act”) is expected to be signed into law shortly by Governor Ralph Northam.   If enacted, the Act will become effective on January 1, 2023, and make Virginia only the second state in the US to enact a comprehensive data privacy law that purports to regulate the collection, use and disclosure of the personal data of its residents generally.

The Act provides rights to natural persons who are Virginia residents and generally imposes obligations on any natural or legal person that:

  • Conducts business in Virginia or produces products or services that are targeted to Virginia residents; and
  • In a calendar year, either:
    • Controls or processes the personal data of at least 100,000 Virginia residents; or
    • Controls or processes the personal data of at least 25,000 Virginia residents and derives at least 50% of its gross revenue from the sale of personal data.

There are certain exceptions, as set forth in the Act.  The Act provides Virginia residents with various rights, including the right to delete and the right to opt-out.  It also imposes significant obligations on controllers and processors of data (data minimization, reasonable security, etc.).

CPW’s Glenn Brown has a fantastic analysis exploring these requirements and others in detail.  It is a must-read for any entity wondering what its legal obligations are under the Act.  Check it out here.

This article was originally published on February 23, 2021, by the American Bar Association, and is republished here with permission. For more information visit www.americanbar.org.

The article expands on our original report on the Virginia Consumer Data Protection Act published on February 2, 2021.

In the coming days, Governor Ralph Northam is expected to sign into law the Virginia Consumer Data Protection Act (the “Act”), which, if enacted, will become effective on January 1, 2023. As a result, Virginia would become the second state in the US to enact a holistic data privacy law that purports to regulate the collection, use and disclosure of the personal data of its residents generally.

Overview and Quick Take

In many ways, the Act is similar to the California Consumer Privacy Act (the “CCPA”), the first holistic data privacy law in the US, and to the California Privacy Rights Act (the “CPRA”), which was enacted by ballot referendum in November 2020. It also shares some concepts with the EU’s General Data Privacy Regulation (the “GDPR”).  However, it is sufficiently dissimilar to each of those laws that a business developing a compliance strategy for the Act will not be able to rely solely on its previous compliance efforts in complying with the Act.

Continue Reading Virginia Set to Become Second State to Enact Holistic Data Privacy Law

Virginia took one step closer at the end of last week to becoming the second state with its own comprehensive data privacy legislation, as the Virginia General Assembly voted to send the Consumer Data Protection Act (“CDPA”) to the desk of Governor Ralph Northam. Governor Northam has previously expressed support for the measure and is expected to sign the bill into law. It would take effect on January 1, 2023, and set a framework for collecting, controlling, and processing personal data in the Commonwealth of Virginia.

CPW previously shared Lydia de la Torre’s fantastic write-up of the CDPA and some of the key differences between the CDPA and the California Consumer Privacy Act (“CCPA”). Similar to the CCPA, the CDPA would give Virginia consumers the right to access their data, correct inaccuracies, and request the deletion of information. Virginia residents would also be able to opt out of data collection under certain circumstances. However, the CDPA does not include a private right of action for data breaches: violations of the Virginia law are enforceable only by the state Attorney General.

We’ll continue to monitor the development of this important legislation for you.

As Lydia de la Torre explains, Virginia may join California as the second US state to enact a comprehensive data-privacy law as soon as next week.  On January 29th the Virginia House of Delegates voted 89-9 to pass HB2307 and sent the bill to the state Senate, which is also moving forward with an identical bill (SB 1392) that is currently before the Senate Finance Committee. Because Virginia’s legislative session is extremely short, absent an extension, the Virginia Senate has less than two weeks to approve the bill before the state legislature adjourns for the year.

Read Lydia’s discussion of this significant development here.

Virginia may join California as the second US state to enact a comprehensive data-privacy law as soon as next week.

On January 29th the Virginia House of Delegates voted 89-9 to pass HB2307 and sent the bill to the state Senate, which is also moving forward with an identical bill (SB 1392) that is currently before the Senate Finance Committee. Because Virginia’s legislative session is extremely short, absent an extension, the Virginia Senate has less than two weeks to approve the bill before the state legislature adjourns for the year.

Continue Reading Comprehensive Privacy in the US: Will Virginia be Next?

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Rewriting EU Telecom Rules: Inside the New Digital Networks Act

Attention Privacy World Readers! Do you need CLE? We have some options for you!

Key Changes To Virginia Telephone Privacy Protection Act Take Effect

Primer on 2026 Consumer Privacy, AI, and Cybersecurity Laws

FCC Extends Waiver of TCPA Consent Rule Providing “Stop One Means Stop All”

Federal Judge Enjoins Enforcement of Texas App Store Age Verification Law

2025 Video Privacy Protection Act Litigation Year in Review


Many organizations have been working diligently to comply with the 13 state consumer privacy laws (CPLs) in effect in the first half of 2025 (14 if you count Florida). Some have chosen to comply on a state-by-state basis and others have followed the high-watermark approach of applying the strictest standard from among the CPLs to all states with CPLs or on a nationwide basis. Regardless of the chosen approach, the next six months bring a new batch of CPLs, some with material differences from the earlier generations, starting as early as July 1, 2025. In addition, amendments to CPLs already in effect will bring new obligations and requirements for many businesses during the second half of 2025. Accordingly, if these changes were not prospectively addressed, now is the time to confirm which of the new CPLs are applicable, and to timely revise privacy notices and compliance program procedures. Also, with the increase in CPL enforcement, and the growing size and frequency of civil penalties, now is a good time for an overall privacy compliance checkup.

(A list of the 20 CPLs and their effective dates and applicability thresholds is included in an appendix at the end.)

Continue Reading The Second Half of the Year Brings New State Privacy Obligations – Are You Ready?

(Updated May 12, 2025)

Since January, the federal government has moved away from comprehensive legislation on artificial intelligence (AI) and adopted a more muted approach to federal privacy legislation (as compared to 2024’s tabled federal legislation). Meanwhile, state legislatures forge ahead – albeit more cautiously than in preceding years.

As we previously reported, the Colorado AI Act (COAIA) will go into effect on February 1, 2026. In signing the COAIA into law last year, Colorado Governor Jared Polis (D) issued a letter urging Congress to develop a “cohesive” national approach to AI regulation preempting the growing patchwork of state laws. Absent a federal AI law, Governor Polis encouraged the Colorado General Assembly to amend the COAIA to address his concerns that the COAIA’s complex regulatory regime may drive technology innovators away from Colorado. Eight months later, the Trump Administration announced its deregulatory approach to AI regulation, making federal AI legislation unlikely. At that time, the Trump Administration seemed to consider existing laws – such as Title VI and Title VII of the Civil Rights Act and the Americans with Disabilities Act, which prohibit unlawful discrimination – as sufficient to protect against AI harms. Three months later, a March 28 Memorandum issued by the federal Office of Management and Budget directs federal agencies to implement risk management programs designed for “managing risks from the use of AI, especially for safety-impacting and rights impacting AI.”

Continue Reading States Shifting Focus on AI and Automated Decision-Making

As we have previously detailed here, the latest generation of regulations under the California Consumer Privacy Act (CCPA), drafted by the California Privacy Protection Agency (CPPA), have advanced beyond public comments and are closer to becoming final. These include regulations on automated decision-making technology (ADMT), data processing evaluation and risk assessment requirements, and cybersecurity audits. Recently, Privacy World’s Alan Friel spoke at the California Lawyers Association’s Annual Privacy Summit at UCLA in Westwood, California (Go Bruins!) on the evaluation and assessment proposals. Separately, Privacy World’s Lydia de la Torre, a CPPA Board Member until recently, spoke on artificial intelligence laws and litigation. A transcript of Alan’s presentation follows:

Continue Reading Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations

After what seems like forever, the most recent (and last?) public comment period for the draft California Consumer Privacy Act (CCPA) regulations finally closed on February 19, 2025. (Read Privacy World coverage here and here.) 

Following an initial public comment period on an earlier draft, the formal comment period for the current version of the proposed CPPA regulations (Proposed Regulations) began on November 22, 2024. The Proposed Regulations include amendments to the existing CCPA regulations and new regulations on automated decision-making technology, profiling, cybersecurity audits, requirements for insurance companies and data practice risk assessments. The California Privacy Protection Agency (CPPA) may either submit a final rulemaking package to the California Office of Administrative Law (OAL, which confirms statutory authority) or modify the Proposed Regulations in response to comments received during the public comment period.

Continue Reading Light at the End of the Tunnel – Are You Ready for the New California Privacy and Cybersecurity Rules?