RICHMOND, Va.—Virginia Gov. Ralph Northam has signed the Virginia Consumer Data Protection Act into law, giving credit unions in other states a preview of what might be expected from their own legislatures or perhaps even Congress.
Unlike the California Consumer Privacy Act (CCPA), the Virginia bill includes language to exclude entities that are covered by the Gramm-Leach-Bliley Act (GLBA), including credit unions. It is set to take effect Jan. 1, 2023, NAFCU said.
In addition to providing the GLBA exemption, the Virginia legislation requires transparency about how data is collected, used, and shared, as well as the disclosure, upon request, of certain data held regarding individual consumers.
For entities not covered by the GLBA, such as some credit union service organizations (CUSOs), the law will apply to those that control or process personal data of:
- At least 100,000 Virginia residents
- 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data
