Virginia Considers Amendment to their Consumer Data Protection Act

Written By Haley Metteauer

This year, Virginia legislatures are poised to consider several amendments to their Consumer Data Protection Act (SB 1392) (“CDPA”), which was enacted in 2021.

HB 714

Under HB 714, the Attorney General ("AG") will have the “exclusive authority” to enforce the CDPA. This authority provides the AG with the determination power of whether a cure is possible when a violation of the act has been found.

If HB 714 is approved, the violating party will receive a 30-day period to cure the violation and notify the AG of the steps taken and the violator's commitment to initiate no further violations. If a cure is denied, the AG may initiate an action against the violating party to seek an injunction against further violations, civil penalties of up to $7,500 for each violation, and actual damages for the aggrieved consumers.

Additionally, HB 714 would expand the CDPA’s current definition of “non-profit organizations”—which are exempt from the scope of the CDPA—to include “political organizations.”

HB 552

If enacted, HB 552 would likewise amend the CDPA’s current definition of “non-profit organizations” to include “any organization exempt from taxation under § 501 (c)(4) of the Internal Revenue Code that is identified in § 52-41”—which applies to organizations not organized for profit and operated for the exclusive purpose of promoting social welfare.

HB 381

If enacted, HB 381 would follow suit with the multitude of state legislatures who have recently enacted state privacy protections allowing consumers to request deletion of their personal data obtained by a business or third-party and to opt out of the processing and use of that data for “targeted advertising, sale, or profiling.”

Businesses and consumers covered by the CDPA[1] should review these amendments and consider the impact of the enactment of these provisions.

[1] Under section 59.1-572 of the CDPA, the act “applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”

Haley Metteauer
Previous

AI Best Practices Across All Industries
Next

Congress Introduces Banning Surveillance Advertisement Act