Virginia’s Privacy Law: A Primer

Virginia follows California in adopting a comprehensive consumer data privacy law. This article is a primer on the Virginia law, notes the key similarities and differences to the California Consumer Privacy Act (“CCPA”), and tracks other pending state privacy legislation.

The Virginia Privacy Law in a Nutshell

On March 2, 2021, Virginia adopted the Consumer Data Protection Act. The Virginia law generally grants consumers rights over their personal data. It applies to businesses, called “controllers,” that are located in Virginia or produce products or services targeted to Virginia residents and which control or process personal data of at least 100,000 consumers per year or control or process the personal data of at least 25,000 consumers and derive more than half their gross revenue from the sale of personal data. The Virginia law has important, broad exemptions for entities and data covered by other laws, including HIPAA and related health care laws, Gramm-Leach-Bliley, FCRA, FERPA, and COPPA, among others. De-identified or pseudonymous data is also generally exempt from the law’s provisions.

Importantly, the Virginia law also defines “consumer” as a resident of Virginia “acting only in an individual or household context.” The law explicitly excludes “a natural person acting in a commercial or employment context.” Thus, employers who collect data from employees who reside in Virginia are not subject to the law’s provisions.

Under the law, consumers may submit a request to a data controller to invoke any of the following rights:

  1. Confirmation of whether the controller is processing the consumer’s personal data and access to that data;
  2. Correcting inaccuracies related to the consumer’s personal data;
  3. Deleting personal data;
  4. Obtaining a copy of the consumer’s personal data provided by the consumer to the controller; and
  5. Opting out of the processing of the personal data for targeted advertising, sale of personal data, or profiling.

The business controlling the data has several obligations in responding to such a request. First, the business must respond within 45 days of receipt. The controller must also have an appeal process in place in the event that they decline to comply with a consumer request. Any information provided in response to a consumer’s request must generally be provided at no charge to the consumer. While the business may charge a “reasonable fee” where the consumer’s requests are “manifestly unfounded, excessive, or repetitive,” it bears the burden of demonstrating the unreasonableness of the request.

The Virginia law also requires covered businesses to do the following:

  1. Limit the personal data collected to that which is “adequate, relevant, and reasonably necessary” for the purposes for which the data is processed;
  2. Refrain from processing personal data for purposes that are “neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed,” without the consumer’s consent;
  3. “Establish, implement, and maintain” reasonable security practices with respect to the personal data, which are appropriate to the amount and nature of the personal data;
  4. Refrain from processing personal data in a discriminatory manner that violates state and federal laws; and
  5. Obtain consent prior to processing sensitive data.

Controllers are also required to provide consumers with a privacy notice including, generally, the categories of personal data processed, the purpose for processing the data, how a consumer may exercise his or her rights, and the categories of data shared with third parties.

Importantly, the Virginia law does not provide for a private right of action. Only the attorney general may bring an enforcement action. A 30-day cure period is required, and a failure to cure may result in fines for up to $7500 per violation.

CCPA Similarities and Differences

The Virginia law has many similarities to the CCPA. The Virginia law provides consumers with rights similar to those under the CCPA: the rights to access, correct, and delete personal data, to data portability, and to opt out. Also like the CCPA, the Virginia law requires businesses to implement reasonable technical safeguards to protect personal data. Also similar to a main feature of the CCPA, the Virginia law requires businesses to provide consumers with a privacy policy stating what personal data they collect, what they do with it, how consumers can exercise their rights, and what personal data is shared with third parties.

There are differences, too. Unlike the CCPA, the Virginia law does not have a global revenue threshold for applicability. Compared to the CCPA, the Virginia law doubles the number of residents (100,000) whose data must be collected or processed before it becomes applicable. Also contrary to the CCPA, the Virginia definition of a sale of personal data requires the consideration to be monetary; the CCPA considers it a sale of personal data if it is exchanged for “monetary or other valuable consideration.”

The exemptions are different as well. The CCPA narrowly exempts entities governed by HIPAA “to the extent” the covered entity maintains PHI in accordance with HIPAA’s privacy, security and breach notification rules. Likewise, the CCPA narrowly exempts personal information collected pursuant to Gramm-Leach-Bliley. Thus, under the CCPA, entities governed by HIPAA and Gramm-Leach-Bliley may collect personal data that is not covered by those federal laws, which could require compliance with the CCPA. Importantly, the Virginia law broadly exempts financial institutions or data subject to Gramm-Leach-Bliley, not just data collected pursuant to it. And Virginia exempts covered entities and business associates governed by HIPAA, not just PHI collected pursuant to HIPAA.

Comparisons to Other Pending State Privacy Legislation

Roughly a dozen states currently have pending privacy laws, and the Virginia law is comparable to many of these. The Virginia law was modeled after the Washington Privacy Act of 2021 (Washington law), as well as the CCPA.[1] The applicability requirements for both the Virginia law and the Washington law are similar, except that the Virginia law applies where an entity derives more than 50% of gross revenue from the sale of personal data, whereas the Washington law applies where an entity derives more than 25% of gross revenue from the sale of personal data. Both laws define personal data as “information that is linked or reasonably linkable to an identified or identifiable natural person,” not including de-identified data or publicly available information.[2] Additionally, the Virginia law outlines five exempted entities, including nonprofits, whereas the Washington law would apply to nonprofits starting July 31, 2026. Both laws impose contractual requirements between controllers and processors, as well as data protection assessment requirements,[3] and both provide the same consumer rights: the right to access, correct, delete, and opt out of the sale of personal data or certain types of processing. Importantly, neither law provides for a private right of action; both provide for enforcement by the attorney general and civil penalties of up to $7500 per violation. Under both laws, a controller has 30 days to correct the violation and provide the attorney general with an express written statement that the issue has been resolved before a civil penalty may be imposed.

Florida’s proposed privacy law[4] differs from the Virginia law and tracks the CCPA’s applicability requirements by providing that the law may apply to an entity with global revenues of more than $25 million. Even so, consumer rights are the same under both the Virginia and Florida laws. Another key difference is the differentiation between unintentional and intentional violations, allowing the attorney general to seek $2500 for each unintentional violation and $7500 for each intentional violation. Fines may be tripled for offenses involving minors. Additionally, Florida’s privacy law provides for a private right of action for a data breach of personal information or an email address (together with information that would allow account access) resulting from an entity’s failure to maintain reasonable security procedures, and provides for statutory damages of up to $750 for each incident.

Pending privacy laws in Oklahoma[5] and New York[6] also provide for a private right of action, and in Oklahoma, statutory damages are $2500 for each negligent violation and $7500 for each intentional violation. The Oklahoma Computer Data Privacy Act differs from the Virginia law (and many other privacy laws) in that it is an opt-in privacy law, meaning that businesses must obtain consent prior to collecting and selling consumer personal information.

With the growing wave of states considering consumer privacy legislation, a patchwork of different state privacy laws could be a compliance headache for businesses. It may be most efficient for businesses to adopt the most stringent state privacy requirements for their enterprise-wide compliance program. However, businesses must regularly review their privacy programs to ensure compliance with each new state privacy law enacted down the road.

[1] SB 5062.

[2] Privacy laws pending in Florida, New York, and Oklahoma all have more elaborate and specific definitions of personal information.

[3] This is a key feature of the EU’s General Data Protection Regulation.

[4] HB 969.

[5] HB 1602.

[6] A 680.