For what seemed like an eternity (okay, just a couple years), the California Consumer Privacy Act was the only game in town when it came to state-level, comprehensive privacy legislation. Sure, we saw many other states introduce similar bills, and Washington got close a couple times to passing the Washington Privacy Act. Those all died on the vine, however. In fact, California was the only state after itself to see passage of anything really big, with the California Privacy Rights Act (which amends the CCPA, and is
not a separate, new law) gaining passage in the November 2020 election.
All to which Virginia has recently stepped forward and said, “Hold my … authenticated consumer request.” The Virginia Consumer Data Protection Act (or VACDPA, as I prefer to call it) is a comprehensive privacy bill that was just signed into law by Governor Northam on March 2, and shows influences from both the CCPA and Europe’s General Data Protection Regulation (GDPR).
On March 2, 2021, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA). The law passed the state legislature with strong bipartisan support..
Five senior compliance practitioners tell us how their companies have reacted to recent privacy legislation like the GDPR, CCPA, and other state regulations in the pipeline.
To embed, copy and paste the code into your website or blog:
We have long predicted that just as other states followed California in passing breach notification laws, states would follow in California’s footsteps in regulating information privacy practices with the California Consumer Privacy Act of 2018 (CCPA), which was later amended by the California Privacy Rights Act of 2020 (CPRA). [1] The Virginia state legislature recently became the first state to do so, surprising many with news that it quickly passed and signed into law comprehensive privacy legislation, namely the Virginia Consumer Data Protection Act (CDPA). Like the CCPA, Virginia’s CDPA builds on the Fair Information Privacy Principles (FIPP), making many of the lessons learned implementing the CCPA applicable here. The CDPA will take effect January 1, 2023.
To embed, copy and paste the code into your website or blog:
Virginia knocked off California’s crown as the only U.S. state to have a comprehensive, general consumer privacy law when Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“
CDPA”) into law on March 2, 2021, unless you count Nevada which we warned you would stay in Vegas. The law takes effect on January 1, 2023, matching the effective date of the California Privacy Rights Act (“
CPRA”).
Here is what in-house counsel should do now to be well-positioned for compliance in 2023:
Figure out how many Virginians’ personal data your organization processes to determine whether the CDPA applies to your organization. As discussed below, the CDPA applies only to certain for-profit entities based on processing thresholds.