
InfoBytes Blog

Financial Services Law Insights and Observations

Virginia Consumer Data Protection Act Work Group issues final report


Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in March and covered by InfoBytes here, created the Work Group to study findings, best practices, and recommendations before the VCDPA’s January 1, 2023 effective date. The report summarizes information that arose during six Work Group meetings held this year, including the following:

  • Establishing an education initiative led by leadership outside of the Office of Attorney General (OAG) to help small to medium-sized businesses comply with the VCDPA.
  • Allowing the OAG to pursue actual damages, should they exist, based on consumer harm.
  • Employing an “ability to cure” option for violations where a potential cure is possible.
  • Authorizing consumers to assert, and requiring companies to honor, a global opt-out setting as a single step for consumers to opt out of data collection.
  • Sunsetting the “right to cure” provision following the first few years after the VCDPA’s enactment to prevent companies from exploiting the provision.
  • Amending “‘the right to delete’ provision to be a ‘right to opt out of sale’ in order to promote compliance and restrict further dissemination of consumer personal data.”
  • Studying specific data privacy protections for children.
  • Encouraging the development of third-party software and browser extensions to enable users to universally opt out of data collection instead of opting out on each website.
  • Recruiting nonprofit consumer and privacy organizations to address concerns related to the VCDPA’s definitions of “sale,” “personal data,” and “publicly available information,” and whether general demographic data used when promoting diversity and outreach to underserved populations should be included in the definition of “sensitive personal information.”
  • Creating an education website containing information about consumers’ rights under the VCDPA. Additionally, the website could provide guidance for smaller businesses seeking to comply with the VCDPA, including sample data protection forms.
  • Directing an agency to promulgate regulations because the VCDPA does not currently grant the OAG such authority.

The Work Group’s recommendations will be presented during the upcoming legislative session.