InfoBytes Blog

Virginia enacts additional consumer data protections

On April 11, the Virginia governor signed legislation enacting additional amendments to the Virginia Consumer Data Protection Act (VCDPA). Both bills take effect July 1.

HB 714 (identical bill SB 534) expands the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.

HB 381 amends VCDPA provisions related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a third party “shall be deemed in compliance with a consumer’s request to delete such data . . . by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose . . . or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant” to the VCDPA. 

As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” 

Privacy/Cyber Risk & Data Security State Issues State Legislation Virginia Consumer Protection Act Virginia Consumer Protection

Virginia and Tennessee specify automatic renewal cancellation requirements

On April 11, the Virginia governor signed HB 78, which relates to automatic renewal or continuous service offers to consumers. The bill, among other things, requires that suppliers of automatic renewals or continuous service offers through an online website make a conspicuous online option available for canceling a recurring purchase of a good or service. Under the Virginia Consumer Protection Act, the bill establishes that failing to make available such option to cancel is prohibited. The bill is effective July 1.

On April 8, the Tennessee governor signed HB 1652, which also requires that suppliers of automatic renewals or continuous service offers through an online website make a conspicuous online option available for canceling a recurring purchase of a good or service. The bill is effective January 1, 2023.

State Issues State Legislation Virginia Consumer Protection Consumer Finance

Virginia allows banks to provide virtual currency custody services

On April 11, the Virginia governor signed HB 263, which permits banks in the Commonwealth to provide customers with virtual currency custody services “so long as the bank has adequate protocols in place to effectively manage risks and comply with applicable laws.” Before offering virtual currency custody services, banks must conduct a self-assessment process to carefully examine the risks involved in offering such services, which includes: (i) “implement[ing] effective risk management systems and controls to measure, monitor, and control relevant risks associated with custody of digital assets such as virtual currency”; (ii) confirming adequate insurance coverage for such services; and (iii) maintaining a service provider oversight program to address risks to service provider relationships as a result of engaging in virtual currency custody services. Banks may provide virtual currency custody services in either a fiduciary or non-fiduciary capacity. If a bank provides such services in a nonfiduciary capacity, the bank will “act as a bailee, taking possession of the customer’s asset for safekeeping while legal title remains with the customer” (i.e. “the customer retains direct control over the keys associated with their virtual currency”). Should a bank provide services in a fiduciary capacity, it must “require customers to transfer their virtual currencies to the control of the bank by creating new private keys to be held by the bank.” The bank will have “authority to manage virtual currency assets as it would any other type of asset held in such capacity.” HB 263 takes effect July 1.

State Issues Digital Assets State Legislation Virginia Virtual Currency Fintech

Virginia creates provisions for sales-based financing providers

On April 11, the Virginia governor signed HB 1027, which requires sales-based financing providers to register with the State Corporation Commission and provide certain disclosures to a recipient at the time of extending a specific offer of sales-based financing. Exempt from the bill’s provisions are financial institutions and any “person, provider, or broker that enters into no more than five sales-based financing transactions with a recipient in a 12-month period” or enters a single sales-based financing transaction greater than $500,000. With respect to the bill’s disclosure requirements, sales-based financing providers must include details related to the total amount financed, finance charges, total repayment amount, and any other potential fees and charges not included in the finance charge. Additionally, an updated disclosure must be provided should the recipient choose to pay off or refinance the sales-based financing prior to full repayment. The bill also provides that any cause of action related to a contract or agreement for sales-based financing shall be brought in the Commonwealth, and that arbitration proceedings must be in the jurisdiction where the recipient’s principle place of business is located. Sales-based financing contracts are also prohibited from containing a confession by judgment or any similar provision. The bill provides the attorney general with enforcement authority, as well as the ability to seek damages and other relief, including reasonable attorneys’ fees and costs, as allowed by law. The Commission will adopt regulations to implement the bill’s provisions. The bill’s provisions apply to sales-based financing contracts or agreements entered into on or after July 1.

State Issues State Legislation Virginia Sales-Based Financing Consumer Finance

Virginia enacts qualified education loan servicer legislation

On April 11, the Virginia governor signed SB 496, which amends provisions related to financial institutions and qualified education loan servicers. The bill, among other things provides that a “qualified education loan servicer” is an individual that meets all of the following criteria: (i) “receives any scheduled periodic payments from a qualified education loan borrower or notification of such payments or applies payments to the qualified education loan borrower's account pursuant to the terms of the qualified education loan or the contract governing the servicing”; (ii) “during a period when no payment is required on a qualified education loan, maintains account records for the qualified education loan and communicates with the qualified education loan borrower regarding the qualified education loan, on behalf of the qualified education loan's holder”; and (iii) “interacts with a qualified education loan borrower, which includes conducting activities to help prevent default on obligations arising from qualified education loans or to facilitate certain activities.” The bill is effective July 1.

State Issues Virginia State Legislation Student Lending Student Loan Servicer

HUD announces disaster relief for homeowners in several states

On March 16, HUD announced disaster assistance for certain areas in Virginia and Tennessee (see here and here) impacted by severe winter storms. The disaster assistance follows President Biden’s major disaster declarations on March 11. According to the announcements, HUD is providing an automatic 90-day moratorium on foreclosures of FHA-insured home mortgages for covered properties and is making FHA insurance available to victims whose homes were destroyed or severely damaged, such that “reconstruction or replacement is necessary.” HUD’s Section 203(k) loan program enables individuals who have lost homes to finance a home purchase or to refinance a home to include repair costs through a single mortgage. The program also allows homeowners with damaged property to finance the repair of their existing single-family homes. Furthermore, HUD is allowing administrative flexibilities to community planning and development grantees, as well as to public housing agencies and Tribes. 

On March 18, HUD announced disaster assistance for certain areas in Maine impacted by a severe storm and flooding. The disaster assistance follows President Biden’s major disaster declarations on March 15. According to the announcements, HUD is providing an automatic 90-day moratorium on foreclosures of FHA-insured home mortgages for covered properties and is making FHA insurance available to victims whose homes were destroyed or severely damaged, such that “reconstruction or replacement is necessary.” HUD’s Section 203(k) loan program enables individuals who have lost homes to finance a home purchase or to refinance a home to include repair costs through a single mortgage. The program also allows homeowners with damaged property to finance the repair of their existing single-family homes. Furthermore, HUD is allowing administrative flexibilities to community planning and development grantees, as well as to public housing agencies and Tribes.

Federal Issues Disaster Relief HUD Tennessee Virginia Consumer Finance FHA Foreclosure Mortgages

Virginia passes additional VCDPA amendments

On March 7, the Virginia House and Senate passed HB 714, which amends Sections 59.1-575 and 59.1-584 and repeals Section 59.1-585 of the Virginia Consumer Data Protection Act (VCDPA). Specifically, the amendments expand the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.

As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor, and if enacted, will take effect January 1, 2023.

Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia

Virginia passes amendments on CDPA for data deletion

On February 25, the Virginia House and Senate passed HB 381, which amends Section 59.1-577 of the Virginia Consumer Data Protection Act (VCDPA) related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a third party “shall be deemed in compliance with a consumer’s request to delete such data . . . by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose . . . or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant” to the VCDPA. As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor.

Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia

Virginia Consumer Data Protection Act Work Group issues final report

Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in March and covered by InfoBytes here, created the Work Group to study findings, best practices, and recommendations before the VCDPA’s January 1, 2023 effective date. The report summarizes information that arose during six Work Group meetings held this year, including the following:

• Establishing an education initiative led by leadership outside of the Office of Attorney General (OAG) to help small to medium-sized businesses comply with the VCDPA.
• Allowing the OAG to pursue actual damages, should they exist, based on consumer harm.
• Employing an “ability to cure” option for violations where a potential cure is possible.
• Authorizing consumers to assert, and requiring companies to honor, a global opt-out setting as a single-step for consumers to opt-out of data collection.
• Sunsetting the “right to cure” provision following the first few years after the VCDPA’s enactment to prevent companies from exploiting the provision.
• Amending “‘the right to delete’ provision to be a ‘right to opt out of sale’ in order to promote compliance and restrict further dissemination of consumer personal data.”
• Studying specific data privacy protections for children.
• Encouraging the development of third-party software and browser extensions to enable users to universally opt out of data collection instead of opting out on each website.
• Recruiting nonprofit consumer and privacy organizations to address concerns related to the VCDPA’s definitions of “sale,” “personal data,” and “publicly available information,” and whether general demographic data used when promoting diversity and outreach to underserved populations should be included in the definition of “sensitive personal information.”
• Creating an education website containing information about consumers’ rights under the VCDPA. Additionally, the website could provide guidance for smaller businesses seeking to comply with the VCDPA, including sample data protection forms.
• Directing an agency to promulgate regulations because the VCDPA does not currently grant the OAG such authority.

The Work Group’s recommendations will be presented during the upcoming legislative session.

Privacy/Cyber Risk & Data Security State Issues Virginia

Virginia expands military service member housing protections

On July 1, the Virginia governor signed SB 1410, which, among other things, amends the state’s anti-discrimination statutes to prohibit discrimination in public accommodations, employment, and housing based on military status. The bill amends the Virginia Fair Housing Law to prohibit discrimination in the sale or rental of dwellings by any person or entity, and prohibit discrimination by “any person or other entity, including any lending institution, whose business includes engaging in residential real estate-related transactions.” The bill also provides that “the term ‘residential real estate-related transaction’ means any of the following: [t]he making or purchasing of loans or providing other financial assistance (i) for purchasing, constructing, improving, repairing, or maintaining a dwelling or (ii) secured by residential real estate; or [t]he selling, brokering, insuring, or appraising of residential real property.” The bill is effective immediately.

State Issues State Legislation Military Lending Virginia