With companies still scrambling to comply with the newly effective California Consumer Privacy Act (CCPA), other states continue to introduce data privacy legislation of their own.
Virginia added itself to the ever-growing list of states considering such bills when the Virginia Privacy Act (VPA) was introduced to the General Assembly for consideration January 8. The VPA combines the CCPA’s notice requirements with consumer rights similar to those found in the European Union’s General Data Protection Regulation (GDPR).
How would VPA be different?
The proposed legislation would require data controllers be transparent about their processing activities and give consumers the right to opt out of the sale of their data.
As drafted, the Virginia bill adopts a “sale” definition more in line with Nevada’s new law (SB220) than the broader CCPA definition: “the exchange of personal data for monetary consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.”
Unlike either the CCPA or the GDPR, Virginia’s law would also require data controllers to conduct and document a privacy risk assessment for every processing activity it conducts.
If passed, the VPA would complicate the growing patchwork of state laws governing consumer data privacy, creating more compliance hurdles for companies that conduct business in Virginia or intentionally target Virginia residents with their products or services.
VPA’s similarities to CCPA
Like the CCPA, however, the VPA does create a private cause of action. Violations of the VPA would expose companies to liability in the amount of the individual’s actual damages or $500, whichever is greater.
Companies deemed to have willfully violated the VPA would face even greater liability — up to three times the amount of actual damages sustained or $1,000, whichever is greater.
As states continue to self-regulate, the tech lobby and others are pushing more vigorously for a federal privacy law. Our Privacy, Cybersecurity, and Data Management team will continue to monitor state and federal developments on the issue.