When the California Consumer Privacy Act of 2018 (CCPA) became law, it was only a matter of time before other states adopt their own statutes intended to enhance privacy rights and consumer protection for residents. The Virginia legislature has passed such a measure.
On February 3, 2021, the Virginia Senate unanimously passed the Virginia Consumer Data Protection Act (VCDPA), SB1392. The state’s House of Delegates had passed the companion bill (HB 2307) in January. Now, legislators are working to reconcile the bills in order to send a measure to the governor’s desk before the end of February, when the legislative session concludes.
If signed, the VCDPA will take effect January 1, 2023, the same day as the California Privacy Rights Act (CPRA). The CPRA expands on the protections provided by the CCPA. It was approved by California voters under Proposition 24 in the November election.
Introducing SB1392 in the Virginia Senate, State Senator David Marsden emphasized:
It is time that we find a meaningful way of protecting the citizens of the Commonwealth of Virginia’s data .… Virginia is in a unique position to be a leader on this issue. There’s a huge amount of the data on the internet that flows through the commonwealth. Privacy is not a new issue.
Unsurprisingly, VCDPA was modeled on the CCPA, CPRA, and the EU General Data Protection Regulation (GDPR). Key elements of VCDPA include:
Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. The International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis comparing key provisions.
A few other state bills to watch in 2021:
Although more limited in scope than CCPA-like, these proposals show how complicated the patchwork of laws will become as more states enact their own privacy laws with inconsistent with each other and often include mutually exclusive requirements.
States across the country are contemplating ways to enhance their data privacy and security protections. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.