RICHMOND, Va.—The Virginia House and Senate have passed legislation to establish a consumer data protection law in the state, but it comes with a provision not found in the earlier California Consumer Privacy Act (CCPA) that many have held up as a model: the Virginia bill includes language to exclude entities covered by the federal Gramm-Leach-Bliley Act (GLBA), including credit unions.
The chambers must reconcile their bills by Feb. 11, after which the Virginia Consumer Data Protection Act will head to the governor for enactment.
In addition to providing the GLBA exemption, the Virginia legislation requires transparency for how data is collected, used, and shared, as well as the disclosure of certain data held regarding individual consumers upon request. It also establishes consumer rights to the correction, deletion, or portability of certain data, and the ability for consumers to opt out of certain data processing and sale, noted NAFCU in its analysis.
For entities not covered by the GLBA, such as some CUSOs, the law will apply to those that control or process personal data of:
- At least 100,000 Virginia residents
- 25,000 Virginia residents, where the entity derives over 50% of gross revenue from the sale of personal data
Enforcement
There is no private right of action; the law will be enforced through civil actions brought by the Virginia Attorney General, with a statutory civil penalty of up to $7,500 per violation and a 30-day cure provision. It will also create a Consumer Privacy Fund to support ongoing enforcement of the law, NAFCU said.
