Virginia legislature advances privacy bill
Recently, the Virginia Senate and House advanced identical bills (see SB 1392 and HB 2307), which would establish a framework for controlling and processing consumers’ personal data in the Commonwealth. Highlights of the bill include:
- Applicability. The bill will apply to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Notably, financial institutions, data governed by federal regulations, nonprofit organizations, and certain protected health information are exempt from coverage.
- Consumers’ rights. Under the bill, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
- Controllers’ responsibilities. Data controllers under the bill will be responsible for (i) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (ii) not processing data for reasons incompatible with the specified purpose; (iii) securing personal data from unauthorized access; (iv) not processing data in violation of state or federal anti-discrimination laws; (v) obtaining consumer consent in order to process sensitive data; (vi) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (vii) providing clear and meaningful privacy notices.
- Data processing agreements/data protection assessments. The bill requires controllers to enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. Controllers must also conduct data protection assessments for all processing activities that involve targeted advertising, the sale of personal data, certain profiling activities, sensitive data, and any processing activities that present a heightened risk of harm to consumers.
- Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
- Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the data controller written notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit.
The two bills next move to a reconciliation process, and if passed and signed into law, the bill will take effect January 1, 2023.