Virginia Governor Ralph Northam (D) signed comprehensive privacy legislation, the Virginia Consumer Data Protection Act (CDPA), into law on March 2, 2021. The new law emulates aspects of the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR).

The new Virginia CDPA establishes a framework for controlling and processing personal data of Virginia consumers, applicable to many marketing research and data analytics companies and departments. It will saddle covered companies with responsibilities and privacy protection standards and grant consumers rights to access, correction, deletion, portability, and to opt out of the sale of personal data. Covered companies will also be required to conduct certain data protection assessments. The law comes into effect January 1, 2023.

The Insights Association and its grassroots members communicated with the sponsor and the Virginia legislature regarding the Act and other proposed privacy and data security legislation.

“While our concerns about the treatment of marketing research, and a definition of sensitive data so broad as to include common demographic data, went unheeded, we appreciate the Commonwealth keeping enforcement power vested with the state Attorney General,” commented Howard Fienberg, VP Advocacy for the Insights Association.

The CDPA’s new privacy framework will impact many in the insights industry, even those not located in-state, since personal data of Virginia residents is regularly collected, processed and shared for legitimate purpose by insights companies and organizations.

Fienberg reaffirmed IA’s commitment to passage of a federal privacy law. “As a founding member of Privacy for America, the Insights Association advocates for comprehensive federal privacy legislation that will move beyond the old-school notice-and-choice model and focus on outcomes instead of processes.”

In addition to the new law in Virginia, and CCPA in California, IA is already contending with comprehensive privacy bills under consideration this year in Alabama, Arizona, Connecticut, Florida, Illinois, Kentucky, Massachusetts, Minnesota, New Jersey, New York, Oklahoma, Rhode Island, Utah, Vermont, and Washington state

Fienberg concluded that, “our industry, and the people, companies, organizations and governments that rely upon the insights we produce every day to be able to learn, understand and respond to consumer attitudes, needs, behavior and opinions, cannot afford this growing patchwork of conflicting state privacy laws.”

IA shared analyses of CDPA with members in the legislation’s initial draft and in final form.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.