Virginia has, as expected, passed into law its Consumer Data Protection Act (VCDPA), thus becoming the second U.S. state to enact stringent privacy legislation. The VCDPA will take effect on January 1, 2023. Like a similar law that took effect in California last year, this will give consumers more choice and control over how online companies collect and use their data.
Also like the California law, the VCDPA will cover companies that do not reside in Virginia, as long as they do business there and meet certain size thresholds. Covered companies must give explicit notice of data-gathering practices and must honor consumer requests to see, correct, or delete data gathered about them. The law also creates the first affirmative obligation in the US for covered companies to perform regular assessments of their data handling practices.
This is the first of several expected new state laws focused on privacy, most of which will operate beyond the state's borders and apply to more than retail consumer transactions. More and more companies are likely to be subject to the increasingly complex web of state privacy requirements that affect nearly all aspects of electronic data gathering, processing, and storage.
Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. *** The law will go into effect in 2023 and applies to all businesses that control or process the proposal data of at least 100,000 consumers, derive more than 50 percent gross revenue from the sale of personal data or process the personal data of at least 25,000 consumers.