On March 2, 2021, Governor Ralph Northam signed Virginia’s new data privacy act into law. Coming after California, this makes Virginia only the second state to enact such a law. Since so many find these laws confusing, let’s see if we can unpack what the new data privacy law contains.
A Brief History of Data Privacy Laws
Many have heard of the GDPR (General Data Privacy Regulation), Europe’s comprehensive data privacy legislation. It went into effect in 2018 and paved the way for similar laws around the world. When this regulation took effect, internet users worldwide began to see changes. For example, the law required website owners to alert visitors that they had cookies in place. Remember when you started seeing messages asking you to allow cookies and tracking? This all started with the GDPR. Even though this was not yet required in the US, Americans started to see it on websites wanting to be compatible with an international audience. In a nutshell, the GDPR sought to make sure that user data remain secure and that companies who had this data understood their responsibility to care for it.
I reached out to a friend who lives in England and asked her what major changes she saw when the GDPR first came about. According to her, the effects were twofold and included professional and personal. She works in IT for a financial institution, so she saw many changes at work. She attended numerous required trainings, and her employer created new positions specifically to ensure that the company complied with the new regulations. Even several years after it went into effect, this friend must attend trainings and refreshers dealing with the GDPR. In short, it created a lot more work.
From a consumer standpoint, she said that every company to which she had ever given her email address suddenly started sending messages. Every. Single. One. If she had ever filled out a contact form expressing interest in a random product or asking if a business had hours available next Tuesday, that business suddenly reached out to her. My friend describes it as becoming a common joke. “We have your email address…can we keep it?” It sounds like what your child would say when a puppy follows him home. It really felt as though people came out of the woodwork with these emails. At least the resulting memes provided some entertainment:
And my favorite:
California put themselves out in front of the US pack with the first data privacy law of any state. The California Consumer Privacy Act of 2018 (CCPA) applies to California consumers and includes:
- “The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.”
This is a simplified version of what it covers, but this law has the same basic tenets as the GDPR: to make companies responsible for keeping consumer data secure.
The New Virginia Data Privacy Law
Now on to what you need to know here in Virginia. Since the governor signed the law so recently, many questions loom about what it entails. First of all, the law does not take effect until (at the earliest) January 2023. You should still start to prepare, however.
Who must comply?
In most cases, small local businesses will need to change very little to comply, since it seems that the law will affect mainly larger businesses. It affects businesses that:
(i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. (Source: National Law Review)
In other words, if your database or list contains fewer than 100,000 people, the new law will have very little effect on you. If you have 25,000 customers and get at least half of your revenue from selling the data, you must also comply. It seems that many small businesses will see very few changes. Exemptions also include state and local government agencies and those already covered by privacy laws (such as HIPAA).
Enforcement of the Privacy Law
While the California law allows individuals to bring private suits for data violations, the Virginia law is only enforceable through the Attorney General’s office. Businesses in violation will have 30 days to remedy any infraction. After that time, the Attorney General may seek damages up to $7,500 per violation.
Now that you know who the law will affect and who can enforce it, you likely still have questions. Truthfully, so do we. For example, how does it affect website cookies? What about email marketing? We plan to monitor and research the law as more information becomes available. Rest assured, we will keep our audience up to date on anything we find! We already know about keeping your website secure and the importance of keeping your visitors safe from malware. Stay tuned as we learn more about the new data privacy law in Virginia. In the meantime, keep swimming along!