Virginia Governor Ralph Northam signed a data privacy bill into law on Tuesday, making Virginia the second state to do so.
The Consumer Data Protection Act applies to businesses that control or process the personal data of at least 100,000 consumers, or businesses that control or process the data of at least 25,000 consumers and derive more than 50 percent of their gross revenue from the sale of that data. The law would not apply to state or local government entities, and it exempts certain data from its provisions; for example, protected health information under HIPAA would not be affected by the law.
The law allows consumers to access, correct, delete, and obtain a copy of their personal data from the specified businesses, and allows consumers to opt out of the processing of their data for targeted advertising purposes. The law would be enforced by the state Attorney General’s office. Any penalties or fees collected during enforcement of the law will be diverted into a Consumer Privacy Fund, which shall be used by the Attorney General’s office to continue enforcement of the law.
California, the only other state so far to pass consumer data privacy protections, had its law go into effect last year. The Virginia law is set to take effect in 2023.