
Virginia adopts Consumer Data Protection Act

Cybersecurity, Legislative Developments
Monday, March 15, 2021

Virginia Gov. Ralph Northam signed the Consumer Data Protection Act, which provides consumers specific rights regarding the use of their personal data. The bill, SB 1392, was introduced by Sen. Dave Marsden, D-Burke.

Under the new law, “a consumer may invoke the consumer rights authorized pursuant to [the bill’s provisions] at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child’s parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the known child.”

The bill defines a controller as “the natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal data.” Controllers will have to comply with an authenticated consumer request to exercise the right:

  • To confirm whether a controller is processing the consumer’s personal data and to access that personal data.
  • To correct inaccuracies in the consumer’s personal data.
  • To delete personal data provided by or obtained about the consumer.
  • To obtain a copy of the consumer’s personal data.
  • To opt out of the processing of the personal data for the purpose of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controllers will have to respond to a consumer within 45 days of receiving a request to exercise consumer rights. That period could be extended once by 45 days when reasonably necessary. If a controller declines to take action, they must inform the consumer within 45 days of their justification for declining to take action and instructions for how to appeal the decision.

Information provided in response to a consumer request will have to be provided by a controller free of charge, up to twice annually per consumer. If the requests are unfounded, excessive or repetitive, the controller will be able to charge the consumer a reasonable fee to cover the costs of complying with the request or decline to act on the request.

If a controller is unable to authenticate the request using commercially reasonable efforts, the controller will not be required to comply with a request and may ask that the consumer provide additional information to authenticate the consumer and his or her request.

“A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to Subdivision B 2,” the bill states. “The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to Subsection A. Within 60 days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reason for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.”

Controllers may:

  • Limit the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”
  • Not process personal data for purposes that are neither reasonably necessary nor compatible with the disclosed purposes for which the data is processed.
  • Establish reasonable administrative, technical and physical data security practices “to protect the confidentiality, integrity and accessibility of personal data.”
  • Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
  • Not process sensitive data concerning a consumer without obtaining the consumer’s consent.

Controllers will also have to provide consumers with “a reasonably accessible, clear, and meaningful” privacy notice that includes:

  • The categories of personal data processed by the controller.
  • The purpose for processing personal data.
  • How consumers may exercise their consumer rights pursuant to Section 59.1-573.
  • The categories of personal data that the controller shares with third parties, if any.

The bill defines processor as “a natural or legal entity that processes personal data on behalf of a controller.” A contract between a controller and a processor will govern the processor’s data processing procedures with respect to processing performed on the controller’s behalf. The contract must include requirements that the processor will:

  • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
  • At the controller’s direction, delete or return all personal data to the controller as requested.
  • Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with its obligations.
  • Allow reasonable assessments by the controller or a qualified independent assessor to assess the processor’s policies and technical and organizational measures in support of its obligations.
  • Engage any subcontractor pursuant to a written contract in accordance with [the bill’s provisions] that require the subcontractor to meet the obligations of the processor with respect to the personal data.

Controllers will have to conduct and document a data protection assessment of each of the following processing activities:

  • The processing of personal data for purposes of targeted advertising.
  • The sale of personal data.
  • The processing of personal data for purposes of profiling, where the profiling presents a risk of unfair or deceptive treatment of consumers; financial, physical or reputational injury to consumers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers; or other substantial injury to consumers.
  • The processing of sensitive data.
  • Any processing activities involving personal data that present a heightened risk of harm to consumers.

These data protection assessments must “identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risk. The use of de-identified data and the reasonable relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.”

The attorney general will be able to request a controller disclose any data protection assessment relevant to an investigation conducted by the attorney general. The attorney general may evaluate the data protection assessment for compliance with state law.

The bill will apply to those “that conduct business in the commonwealth, or produce products or services that are targeted to residents of the commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” It will not apply to an entity of the commonwealth; financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act; covered entities and business associates governed by the privacy, security and breach notification rules issued by the U.S. Department of Health and Human Services pursuant to the federal Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act; nonprofit organizations; or institutions for higher education.

Nothing in the bill will be construed to restrict a controller’s or processor’s ability to:

  • Comply with federal, state or local laws, rules or regulations.
  • Comply with a civil, criminal or regulatory inquiry, investigation, subpoena, or summons by federal, state, local or other governmental authorities.
  • Cooperate with law-enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or local laws, rules or regulations.
  • Investigate, establish, exercise, prepare for, or defend legal claims.
  • Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract.
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.
  • Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board, or similar independent oversight entities that determine: if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; the expected benefits of the research outweigh the privacy risks; and if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
  • Assist another controller, processor or third party with any of the obligations under [the bill].

The Virginia attorney general will have the authority to investigate a violation of the law. He or she will have exclusive authority to enforce the new statute. Before initiating an action under the statute, the attorney general will have to provide the controller or processor 30 days’ written notice identifying the specific provisions of the bill he or she alleges have been violated. If the controller or processor cures the violation within the 30-day period, no action will be initiated against the controller or processor. If the controller or processor continues to violate the statute or breaches an express written statement provided to the attorney general, the attorney general may initiate an action and seek an injunction to restrain any violations of the law and civil penalties of up to $7,500 for each violation.

“The chairman of the Joint Commission on Technology and Science shall create a work group composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons and consumer rights advocates,” the bill states. “The work group shall review the provisions of this act and issues related to its implementation. The chairman of the Joint Commission on Technology and Science shall submit the work group’s findings, best practices and recommendations regarding the implementation of this act to the chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than Nov. 1, 2021.”

The bill will go into effect Jan. 1, 2023.
