Virginia lawmakers are considering multiple amendments to Virginia's Consumer Data Protection Act (CDPA). These amendments mostly address a variety of open issues under the law, including the right to cure, how businesses can process deletion requests, and the scope of the law's non-profit exemption. These changes were inspired by a report published in November of 2021 by a working group that was established under the law to suggest improvements. We have summarized these potential amendments to the CDPA below.
These proposals are notable because the CDPA does not provide the Virginia attorney general with any rulemaking authority (unlike the privacy laws in Colorado and California). This means that any changes to the law, including those relating to its technical administration, must be done by the Virginia legislature. While the Virginia legislature is looking to address some of the open issues in the law, companies will have less guidance overall on how to comply with the CDPA (compared to Colorado and California) due to the lack of rulemaking. This may create challenges for companies looking to comply with the law requirements prior to its effective date of January 1, 2023. Our privacy and cybersecurity team can assist businesses with any open questions they may have.
Proposed Amendments to the Virginia CDPA
- Right to Cure and Potential Penalties. HB 714 would revise the right to cure section in the law so that it only applies in situations where a potential cure is possible. It would further revise the enforcement section by allowing the Attorney General to seek "actual damages for aggrieved consumers" in a situation where a cure was not possible (in addition to the statutory damages of up to $7,500 per violation permitted under the law). If passed, this amendment would narrow the right to cure provision in the law and provide the Virginia Attorney General with another tool by which to bring potential penalties against non-compliant companies.
- Exemption for Non-Profits. The CDPA does not apply to "non-profit organizations." H.B. 552 would revise the definition of a non-profit organization to include "any organization exempt from taxation under § 501 (c)(4) of the Internal Revenue Code that is identified in § 52-41." This provision of the tax code broadly applies to social welfare organizations and local associations of employees. Another potential amendment, HB 714, would expand the definition of a "non-profit organization" to include "political organizations" and define that term as "a party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed," If passed, these amendments would have the effect of expanding the number of non-profit organizations that are exempt from the law.
- Deletion Requests. HB 381 would allow controllers that have "obtained personal data about a consumer from a source other than the consumer" to be "in compliance with a consumer's request to delete... by opting the consumer out of the processing of that data for targeted advertising, sale, or profiling." This would assist data brokers and other companies that do not directly process consumer data to comply with requests to delete.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.