Privacy Moves to the East Coast: Virginia Set to Enact Comprehensive Consumer Data Protection Law

Bradley Arant Boult Cummings LLP

Virginia is primed to become the next U.S. state to pass comprehensive data-privacy legislation with striking similarities to the California Consumers Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the E.U.’s General Data Protection Regulation (GDPR).

The legislation, known as the Consumer Data Protection Act, passed the Virginia House of Delegates on January 29 by a vote of 89-9. On February 3, the Virginia Senate unanimously approved an identical bill 39-0. All that is left now is for Gov. Ralph Northam to sign the bill into law. If passed, the law will become effective alongside CPRA, on January 1, 2023.

Key Provisions of the Consumer Data Protection Bill


This legislation is applicable to businesses that either conduct business in Virginia or “produce products or services that are targeted to” Virginia and “during a calendar year, (1) control or process personal data of at least 100,000” Virginians or that (2) “control or process personal data of at least 25,000 [Virginians] and derive over 50 percent of gross revenue from the sale of personal data.”

Interestingly, “consumer” is defined more narrowly than CCPA or CPRA, and only includes a natural person acting in an individual or household context. The definition of consumer affirmatively excepts any natural person acting in a commercial or employment context.

Additionally, there are broad exemptions for financial institutions subject to the federal Gramm-Leach-Bliley Act and covered entities and business associates governed by HIPAA or HITECH. Non-profit organizations and institutions of higher education are also exempt under the proposed legislation.

Personal Data

The legislation broadly defines “personal data” to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Privacy Rights

The legislation gives consumers an opt-out right regarding “the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” It also provides consumers with the right to confirm if their data is being processed, to correct inaccuracies, to data deletion, and to data portability. A similarity between this legislation and the newly enacted CPRA is that both provide an explicit opt-out right extended to targeted advertising and profiling.

Data Protection Assessments

The legislation imposes new obligations, not currently required under any U.S. privacy law, including a new requirement for data controllers to conduct data protection assessments of any processing activities that involve personal data used in any of the following: (a) targeted advertising, (b) sale of personal data, (c) for purposes of profiling, (d) sensitive data, and (e) data that presents a heightened risk of harm to consumers.

The Virginia attorney general can request that a controller disclose data protection assessments, and the attorney general is specifically tasked with evaluating data protection assessments for compliance with the responsibilities set out in the proposed legislation. There is also a specific provision that prevents the waiver of attorney-client privilege or work product protection when the assessment is requested or turned over to the attorney general for review.


The legislation defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” This is a very high standard and similar to the consent standard established by the GDPR.


Markedly, the legislation does not provide for a private right of action, rather the attorney general will have the exclusive right to enforce the law. The attorney general may seek up to $7,500 per violation of the law.


It is anticipated that the law will continue to move quickly through the legislative process and could be signed into law by the governor by the end of February. With what looks to be at least two new comprehensive state laws on the horizon, first in California with CPRA and likely in Virginia, companies need to start planning now for implementation of these laws in 2023. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bradley Arant Boult Cummings LLP | Attorney Advertising

Written by:

Bradley Arant Boult Cummings LLP

Bradley Arant Boult Cummings LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.