There’s More than One Privacy and Data Protection Law in Virginia
December 1, 2022
On January 1, 2023, Virginia’s Consumer Data Protection Act (CDPA) will take effect. It provides rights, contractual provisions and security obligations, a broad definition of “personal information,” a “sensitive data” category and data protection assessment obligations for data controllers. Virginia has other privacy and data protection legislation, however, that predates the CDPA. The Personal Information Privacy Act restricts the sale of customers’ personal information by merchants and limits the use of social security numbers. The Insurance Data Security Act, effective as of July 2020, requires insurance licensees to maintain the security of information systems and nonpublic information and to investigate cybersecurity events. The Data Breach Law, enacted in 2008, requires state agencies and entities doing business in Virginia to notify individuals of any breach of their computerized, unredacted, and unencrypted personal information. Violations are enforced by the Attorney General, who may seek up to $150,000 in penalties per breach.