Senators Marsden and Dunnavant introduced Senate Bill No. 1392 this session, a bill providing a “Consumer Data Protection Act” for Virginia. Code of Virginia §§ 59.1-579 – 580. The Act authorizes consumers to determine, by inquiry to a controller, whether or not their personal data is being processed by a data controller or processer and, if it is, on a qualified basis (only “commercially reasonable efforts” required) to correct inaccuracies, obtain a copy of the data, and opt out of future processing, and to delete the data. The bill has a delayed effective date of January 1, 2023.
Terms utilized in the Act and their lengthy definitions have the ring of the European General Data Protection Regulation (GDPR), however, in comparison, the Act’s effect is much more modest.
Which Businesses Qualify?
The Act limits its application to data controllers and processers conducting business in the Commonwealth or businesses which produce products or services targeted to Virginia residents and which control or process personal data of at least 100,000 consumers, or control or process data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data. The Act’s coverage is not, thus, strictly limited to businesses which