The new law provides Virginia residents with rights to access, correct, and delete the personal information businesses have about them, as well as the right to opt out of certain data processing practices such as online targeted advertising. The CDPA borrows from Europe’s General Data Protection Regulation (GDPR) by establishing a comprehensive framework designating businesses as either data controllers and processors and creating requirements around data minimization, processing limitations, data security, non-discrimination, third-party contracting, and conducting data protection assessments. Notably, the CDPA does not contain a private right of action and instead provides exclusive enforcement authority to the Virginia Attorney General. It also provides a 30-day “notice and cure” provision to allow businesses in violation of the law to come into compliance before any fines or penalties are levied.
The Virginia legislature’s streamlined process provides a new playbook for other states to follow and enact their own privacy laws such as Washington, New York, and Florida. With more than ten states already having introduced bills this year, Congress could face even more pressure to advance federal privacy legislation to preempt a growing patchwork of state laws. Many proposals have been introduced at the federal level, but have failed to move ahead due to partisan divisions and policy disagreements. RILA and other industry stakeholders’ main objective is to enact a national framework establishing a single set of rules that provide strong protections for consumers and accountability for all businesses within the digital ecosystem.
If you have any questions, please contact Brennan Duckett, director of government affairs.
Ensuring a Safe, Sustainable Future
Supporting Free Markets and Fostering Innovation
Retail Works for All of Us