Virginia’s Consumer Data Protection Act, which will force companies to give consumers the right to opt out of data collection, has this week been signed into law.
Passed by the state’s general assembly in February and signed into law by State Governor Ralph Northam this week, the legislation covers companies holding personal data for at least 100,000 consumers. It also applies to those holding at least 25,000 individuals’ personal data and making more than half their income selling that data.
Virginia becomes the second state in the United States, after California, to enact comprehensive privacy legislation.
The Virginia law allows consumers to confirm whether a company is holding their data and access it using an automated system. They can then amend inaccuracies or force the company to delete it altogether.
Consumers can also prevent companies from using the information for marketing or other purposes.
Organisations must respond to requests within 45 days, but can extend that by 45 days in complex cases provided they inform the consumer and explain the reason.
Companies are obliged to disclose what they will use an individual’s data for and must limit personal data collection to those purposes. They must also explain which third parties the data will be shared with and what they will do with it.
Consumers also have the right to opt out of personal information collection and the sale of data to third parties. But should a company need a consumer’s opted-out data to provide goods or services, the organisation can choose not to provide the goods or services to the individual.
Breaking the law carries a civil penalty of up to $7,500 per affected individual, but companies can escape penalties if they solve the problem within 30 days of the state notifying them. All money collected will go to a Consumer Privacy Fund to support enforcement.
The act refers to existing regulations in the state’s legal code rather than defining new data breach rules.
The legislation now goes to a commission to evaluate how to implement it. A study is due to be released by November.
There is a long lead-in until the law takes effect on 1 January 2023. California is the only other US state with a similar law. Its CCPA consumer protection act took effect last year.
Virginia’s law does not apply to state or local government entities, and exempts some data such as protected health information under the Health Insurance Portability and Accountability Act (HIPAA).