The Virginia legislature, which adjourned its annual legislative session last week, passed the second state-level consumer data privacy law in the nation. The Virginia Consumer Data Protection Act (CDPA) was signed into law by Virginia Governor Ralph Northam on March 2, 2021, and will go into effect January 1, 2023. Virginia joins California as the second state to enact comprehensive data privacy protections for its residents.
The Virginia Attorney General (AG) will be the main interpreter and enforcer of the new law. The CDPA gives the AG exclusive enforcement authority–there is no private right of action. Without a private right of action, the AG alone will control how the CDPA will be enforced.
When asked about the CDPA, Virginia AG Mark Herring has said that, while he did not advocate specifically for the new law, nor how it would be enforced, he made clear to the General Assembly that his office would need adequate resources to be its sole enforcer. He emphasized the need for dedicated staff in order to ensure that his office can fully exercise the enforcement powers given by the CDPA and provide tangible benefits to consumers in the Commonwealth. The CDPA includes the creation of the Consumer Privacy Fund, which will be funded by civil penalties, expenses, and attorney’s fees collected per the CDPA.
Companies that control and process personal data should continue to keep an eye on Virginia. States without comprehensive consumer data privacy laws will be looking to the Commonwealth as an example, which may lead to more states giving sole privacy enforcement powers to their AGs. California’s cutting-edge data privacy law, which does include a private cause of action, still highlighted for the privacy community the significant role of that an AG can have in privacy enforcement. The CDPA continues that trend. The privacy community should be mindful of the role of AGs in the enforcement of data privacy protections as the privacy landscape continues to evolve.
It is important to note that the CDPA may not be in its final form. AG Herring recently described the CDPA as a work in progress, referencing the working group mandated by the law. This group, which includes the AG as a member, will be tasked with reviewing the CDPA and potential issues with its implementation. The group will report back to the General Assembly by November, 2021, just in time for new legislation to amend the CDPA to be introduced for the 2022 Session.
If you would like to learn more about the Virginia Consumer Data Protection Act, you will find a comprehensive analysis of the new law, how it compares to the California standards, and practical compliance tips provided by members of Reed Smith’s Tech & Data Group in a post here.