Virginia is set to become the second state, after California, to pass data privacy legislation. The bill could become law as soon April when Gov. Ralph Northam is expected to sign a measure that has passed both chambers of the state legislature but is awaiting a few last-minute tweaks. 

Known as the Consumer Data Protection Act, the law would go into effect Jan. 1, 2023 and would apply to all business that control or process data for at least 100,000 Virginians, or those commercial entities that derive at least 50 percent of their revenues from the sale and processing of consumer data of at least 25,000 customers. 

The law would exempt health care data and information collected for assessing credit worthiness. It would give consumers the right to determine whether their data is being collected and processed and ask for a copy of their data, correct inaccuracies, ask for the deletion of personal data, and opt out of the processing of personal data that may be used for targeted advertising, sale, or consumer profiling. 

The Virginia law would put more pressure on Congress to pass a federal data privacy law. Other states are continuing to push similar legislation. Washington state, which has twice failed to pass a privacy bill, is once again taking up a measure this year.

The European Union’s privacy legislation known as the General Data Protection Regulation or GDPR has been in force since May 2018. 

“This is a big deal,” Virginia state Sen. David Marsden, a Democrat, who sponsored the Senate version of the bill, said in an interview. “People are being pestered to death, because of people selling our information,” he said talking about his motivation in promoting the legislation. 

Marsden, 72, said he was still getting calls to refinance his college debt, even though “I never had anything to begin with.” 

The legislation would allow Virginians to “have control over your data,” Marsden said. 

Northam is likely to sign the legislation six weeks after the Virginia legislative session ends on March 1, Marsden said, adding that he expects any proposed amendments to be passed by both houses of Virginia’s General Assembly by then. Some of the potential changes include strengthening the office of the state attorney general, which will be in charge of implementing the law, he said.

Comparison to California law

The Virginia law differs from California’s in a few key ways. 

Unlike the California privacy law, which applies to companies with annual gross revenue of $25 million or for-profit entities that possess and process data on 50,000 consumers, the Virginia law does not set a revenue threshold. 

Doing away with a monetary threshold “cuts out game playing,” Marsden said, when companies engage in undercounting their revenues to escape the law. 

Not having a revenue definition also may leave out small and medium-sized businesses, said Ashley Shively, attorney and partner in the law firm of Holland & Knight. 

“The absence of the monetary threshold is unique,” Shively said. “And I think the potential result of that is that fewer businesses could fall within the scope” of the legislation, potentially exempting small and medium-sized businesses, she said.  

And that is his goal, Marsden said, “because they just don’t have the bandwidth to deal with all of those issues” and forcing them might have put some small enterprises out of business, he said. 

Leaving out small businesses while passing data privacy legislation may not be perfect but it’s still progress, he said.

The right to sue

The Virginia law also expressly prohibits private right of action. In other words Virginians cannot sue, unlike the California law. Although the California Consumer Privacy Act, which came into force in January 2020, already allowed consumers to sue companies for data breaches, California voters approved a new proposition in November that further expands the scope of protection. 

The new proposition, called the California Privacy Rights Act, which goes into force Jan. 1, 2023, would allow consumers to sue not only for the breach of data under the state’s breach notification laws, but also include the breach of email addresses, passwords, and security questions that may allow unauthorized users to access a consumer’s account. 

By expressly prohibiting private right of action, Virginia is closing any possible loopholes that may open the doors to plaintiff’s lawyers bringing lawsuits, Shively said. 

Marsden said Virginia’s goal was to stop the misuse of personal data and not “turn this into another business” by creating opportunities for lots of lawsuits. He said the state attorney general would create a new office to enforce compliance, with an annual budget of about $400,000 that would be supplemented with fines and penalties. 

If the state’s own enforcement mechanism doesn’t work as well as it ought to “you might consider something different someday, but right now this is the way to go,” Marsden said. 

California’s private right of action provision has been a major sticking point in crafting a federal data privacy bill. While Democratic lawmakers have favored retaining the right or at least not ruling out the right to sue, Republican lawmakers have been opposed to a federal statute that would permit consumer lawsuits against tech companies. 

If Congress is looking for an alternative, the Virginia law “is going to be a great model for the federal government,” Marsden said. “We need a national standard.”