Amendments proposed to Virginia Consumer Data Protection Act

Virginia lawmakers will consider multiple amendments to the Virginia Consumer Data Protection Act in advance of its January 1, 2023 effective date.

As the legislature opened on January 12, Virginia lawmakers proposed seven bills to amend the Virginia Consumer Data Protection Act (VCDPA). The bills come after the VCDPA Work Group held six meetings from June to August 2021 and issued a Final Report on November 1, 2021 (see our summary of the report here).

The bills seek to amend the VCDPA’s right to delete, nonprofit definition and enforcement provisions. The Work Group’s Final Report identified many other topics for potential amendments. It remains to be seen whether other amendments will be offered as the legislative session advances. The Virginia legislature is scheduled to close on March 12, 2022 unless the session is extended.

Below is a summary of the bills.

Right to Delete

House Bill 381 and Senate Bill 393 would add a new exemption to the VCDPA’s right to delete to provide that a “controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete such data pursuant to subdivision A 3 by opting the consumer out of the processing of that data for targeted advertising, sale, or profiling pursuant to subdivision A 5.”

The proposed amendment is consistent with comments made by LexisNexis at the August 17, 2021 Work Group meeting.

The Senate bill was referred to the Committee on General Laws and Technology. The House bill is pending committee assignment.

Senate Bill 584 also would add a new exemption to the right to delete but with different language than in HB 381 and SB 393: “If a controller has obtained personal data about a consumer from a source other than the consumer, the controller may comply with such consumer’s request to delete such personal data pursuant to subdivision A 3 by opting the consumer out of the processing of such personal data for targeted advertising, sale, or profiling, pursuant to subdivision A 5.”

The Senate bill was referred to the Committee on General Laws and Technology.

Nonprofit Definition

House Bill 552 and Senate Bill 516 would expand the VCDPA’s definition of “nonprofit organization” to include “any organization exempt from taxation under § 501 (c)(4) of the Internal Revenue Code that is identified in § 52-41.” The VCDPA exempts nonprofits.

The Senate bill was referred to the Committee on Commerce and Labor. The House bill is pending committee assignment.

Enforcement and Nonprofit Definition

House Bill 714 and Senate Bill 534 would repeal § 59.1-585, which creates the Consumer Privacy Fund. Section 59.1-584 also would be amended to provide that “[a]ll civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.”

The bills also would amend the right to cure provision to provide that the right to cure exists only “if a cure is deemed possible by the Attorney General.” The Attorney General also would be authorized to seek “actual damages for aggrieved consumers.”

Finally, the bills would amend the definition of “nonprofit organization” to include “political organizations” and define that term as “a party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.”

The Senate bill was referred to the Committee on Finance and Appropriations. The House bill is pending committee assignment.

David Stauss is a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA) and state information security statutes. To stay up to date on these issues, subscribe to Husch Blackwell’s privacy blog. Stauss can be reached at david.stauss@huschblackwell.com.