Colin Zick and Christopher Escobedo Hart of Foley Hoag write:
On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. This made Virginia the second state to enact a consumer privacy and data security law, and follows hot on the heels of California’s Consumer Privacy Act (CCPA) and the newly-enacted California Privacy Rights and Enforcement Act (CPRA). Virginia will not be the last to regulate the relationship between consumers and businesses holding their data; Colorado has already become the third state to pass such a measure, and New Jersey, New York, Washington, Minnesota, Oklahoma, and others have bills under consideration. Virginia’s recent action is relevant beyond its borders, having become the model for proposed legislation in Utah and raising the profile of long-stalled congressional data privacy efforts.
The VCDPA builds on frameworks used in the CCPA and the European Union’s General Data Protection Regulation (GDPR). But unlike in Europe and California, Virginia’s new law garnered support from tech industry trade groups and businesses like Amazon and Microsoft. Its coverage and compliance regime may be less onerous than its predecessors, but still represents a major change in data regulation that previously had little state involvement.
Read more on Security, Privacy, & The LAW.
Related: Hogan Lovells 10 key differences between the 2023 California, Virginia, and Colorado privacy laws (June 30)