Virginia has, as expected, passed into law its Consumer Data Protection Act (VCDPA), thus becoming the second U.S. state to enact stringent privacy legislation.  The VCDPA will take effect on January 1, 2023.  Like a similar law that took effect in California last year, this will give consumers more choice and control over how online companies collect and use their data.  

Also like the California law, the VCDPA will cover companies that do not reside in Virginia, as long as they do business there and meet certain size thresholds.  Covered companies must give explicit notice of data-gathering practices and must honor consumer requests to see, correct, or delete data gathered about them.  The law also creates the first affirmative obligation in the US for covered companies to perform regular assessments of their data handling practices.  

This is the first of several expected new state laws focused on privacy, most of which will operate beyond the state's borders and apply to more than retail consumer transactions.  More and more companies are likely to be subject to the increasingly complex web of state privacy requirements that affect nearly all aspects of electronic data gathering, processing, and storage.