Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. The International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis comparing key provisions. We discuss the Virginia legislation here, along with legislative activity in several other states that seem likely to pass. It was California that enacted the first data breach notification law which became effective in 2003. In about 15 years’ time, all U.S. states have such a law, as well as many jurisdictions around the world.
Whether it is the pending Virginia Consumer Data Protection Act (VCDPA), the California Consumer Privacy Act (CCPA), or a similar framework, there are several features that should be considered when examining the effects of such laws on an organization:
Answering these questions is certainly not the end of the analysis. For example, if covered, there are a whole host of additional questions organizations need to ask in order to evaluate compliance needs, allocate resources, identify affected business units, weigh risk management objectives, manage vendor compliance, and implement new policies and procedures, as needed. However, these questions can help to sharpen the big picture on the effect one or more of these privacy laws may have on your organization.