Virginia is close to becoming the second state to pass a privacy law protecting state residents.  The Virginia Consumer Data Protection Act, which has passed both houses of the state legislature, will take effect 1/1/2023 once signed by the governor.  That is the same date that expanded privacy laws approved last year in California take effect.

Under the VCDPA, consumers are explicitly granted rights of access, deletion, opt-out, and correction.  Most of those rights also exist or are pending in California.  Companies subject to the Virginia law also will be required to implement data security measures including periodic data protection assessments, a first in the US.  

The bill is, however, in many ways narrower than California's rules.  It specifically exempts data processing in the commercial and employment contexts.  The definition of covered "personal data" is much narrower than the "personal information" protected in California.  The Virginia law would specifically allow sharing of data with affiliated companies.  In addition, the VCDPA provides that only the Attorney General has enforcement powers: it does not allow for companies to be sued directly by consumers.  Finally, the VCDPA applies to a narrower range of companies, generally those that process data of 100,000 Virginians annually, regardless of the company's income.  This should excuse more small and medium-sized companies from compliance than does California's law.