Like other comprehensive privacy laws such as the GDPR, CCPA, and California Privacy Rights Act of 2020 («CPRA»), the CDPA offers individuals a range of privacy rights. In particular, the CDPA grants consumers the right (§ 59.1-577(A) of the CDPA): 4. Comply with a requirement imposed on the merchant by Commonwealth or federal law; In addition, some other laws described in this guide include data security requirements. Virginia has also enacted the Virginia Information Technology Agency Act pursuant to Chapter 20.1 of Title 2.2, Part C, of Title 2.2 of the Code of Virginia, which governs the duties of the Virginia Chief Information Officer with respect to the security of government information. This Act requires this Chief Information Officer to provide technical advice to the Department of General Services in the development of policies, standards, and guidelines for the recycling and disposal of computers and other technological assets, and requires that policies, standards, and guidelines include the deletion of all confidential data and personal information of Virginia citizens prior to such sale. Sale or other transfer of computers or other technology assets. Section 18.2-216.1 of Chapter 6, Section 8 of Title 18.2 of the Virginia Code prohibits the use of a person`s name, likeness, or likeness for advertising or commercial purposes without the person`s prior written consent. If the person is deceased, the prior written consent of the surviving spouse must be obtained and, if not, of the next of kin. If the person is a minor, the written consent of the parent or guardian must be obtained in advance. A person may bring an action for equitable compensation and actual damages. A jury may, at its discretion, award punitive damages for knowledge of violations.
In addition, under Virginia criminal law, a violation is a misdemeanor punishable by a fine of $50 to $1,000. The substance of the CDPA is not particularly new compared to recent data protection laws. It relies heavily on the proposed Washington Privacy Act and includes elements similar to the California Consumer Privacy Act. The obligation to conduct data protection assessments does not apply retroactively and only applies to processing activities created or generated after January 1, 2023 (§59.1-580(F) of the CDPA). In addition, an assessment conducted by a monitor to comply with other laws or regulations may satisfy the CDPA`s requirement to conduct a confidentiality assessment if the assessments are reasonably comparable in scope and effect (§ 59.1-580(D) and (E) of the CDPA). Virginia has also enacted laws requiring notification of certain data breaches, as described in this overview. On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act («VCDPA»). [1] Virginia is only the second state after California to pass comprehensive privacy legislation, but its content is based on both California Consumer Privacy Act («CCPA») and the new California Privacy Rights and Enforcement Act («CPRA») – as well as a number of recently proposed privacy laws. However, the Virginia legislature is the first to enact such a law on its own initiative — the California legislature enacted the CCPA in 2018 to anticipate an election initiative (and the CPRA was passed by California voters as a voting initiative). Virginia has enacted several other laws regarding health information, including laws dealing with: Therefore, there remains much to be seen about Virginia`s new law. How consumers respond to their new rights, how the economy handles consumer demands, and how companies` obligations to protect and properly use personal data are interpreted are question marks until 2023 and possibly beyond.
The Auditor General will play a key role in determining the climate facing consumers and businesses. The VCDPA envisions interoperability with other data protection systems, such as ACPL and GDPR, so that reasonably comparable company privacy ratings developed for other laws are also compliant with Virginia law. However, the VCDPA`s more industry-friendly approach to the CPRA and other privacy regulations may prompt some companies to develop separate compliance systems for certain aspects of each Act. Depending on how the unknowns of the VCDPA are resolved, it could be a new model of data protection or a different legal approach to personal data. CDPA offers consumers many rights that have become the norm in comprehensive data protection laws, including the right to access, correct and delete personal information. Consumers also have the right to confirm processing and obtain portable copies of personal data. The CDPA goes beyond the CCPA and provides a right to opt out of targeted advertising and profiling with significant or legal effects, in addition to the right to opt out of the sale of personal information. The CDPA does not target authorized agents and does not explicitly require companies to adhere to browser-based opt-out options. In addition, certain other laws described in this guide contain privacy policies. For example, Virginia law, which governs a business that provides online school services, requires such a company to provide clear and easy-to-understand information about the personal information it collects and how the information is managed, used, or shared (Virginia Code § 22.1-289.01). While Virginia may be the second state to enact a comprehensive privacy law, it likely won`t be the last.
Washington, New York, Florida, Utah and Ohio are among many states considering privacy laws during this legislature. The VCDPA, which took place on 1. January 2023 is still very different from other comprehensive privacy laws passed or proposed, and companies doing business in Virginia or marketing to Virginians will need to reassess their collection and use of consumers` personal data and modify their compliance efforts accordingly.
