Virginia State Privacy Laws | Davis Wright Tremaine

Effective Date: January 1, 2023

Threshold

Conduct business or produce goods or services that are targeted to Virginia residents, and either:

control or process personal data of more than 100,000 residents’ data per year; or
derive over 50 percent of gross revenue from the sale of personal data of at least 25,000 residents

Definition of "Personal Data"

Any information that is linked or reasonably linkable to an identified or identifiable natural person. Does not include de-identified data or publicly available information. Personal data does not include data from people acting in an employment or commercial context.

Definition of "Sale"

Exchange of personal data for monetary consideration by controller to third party

Data-Protection Assessments

Required for targeted advertising, sale, sensitive data, certain profiling

Opt-In Consent Required for Processing Sensitive Data

Yes

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads/Sharing

Yes

Consumer Right to Opt Out of Profiling

Yes

Pseudonymous Data Exempt from Consumer Requests

Yes

Appeal Rights

Yes

Universal Opt-Out Mechanism Required Recognition/Date

None

Data of Minors

Process sensitive data of a known child in accordance with COPPA

GLBA Exemption

Yes (entity-level)

HIPAA Exemption

Yes (entity-level)

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Does not apply to commercial or employment context; applies in an individual or household context

Nonprofit Exemption

Yes

Private Right of Action

No

Cure Period

30 Days

Cure Period Expiration

None

Enforcement Authority/Damages

Attorney General/up to $7,500 per violation

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.

Virginia

Summary

Code/Regulations

Details

Threshold

Definition of "Personal Data"

Definition of "Sale"

Data-Protection Assessments

Opt-In Consent Required for Processing Sensitive Data

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Consumer Right to Opt Out of Sale

Consumer Right to Opt Out of Targeted Ads/Sharing

Consumer Right to Opt Out of Profiling

Pseudonymous Data Exempt from Consumer Requests

Appeal Rights

Universal Opt-Out Mechanism Required Recognition/Date

Data of Minors

GLBA Exemption

HIPAA Exemption

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Nonprofit Exemption

Private Right of Action

Cure Period

Cure Period Expiration

Enforcement Authority/Damages

Virginia

Summary

Related Content

Code/Regulations

Details

Threshold

Definition of "Personal Data"

Definition of "Sale"

Data-Protection Assessments

Opt-In Consent Required for Processing Sensitive Data

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Consumer Right to Opt Out of Sale

Consumer Right to Opt Out of Targeted Ads/Sharing

Consumer Right to Opt Out of Profiling

Pseudonymous Data Exempt from Consumer Requests

Appeal Rights

Universal Opt-Out Mechanism Required Recognition/Date

Data of Minors

GLBA Exemption

HIPAA Exemption

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Nonprofit Exemption

Private Right of Action

Cure Period

Cure Period Expiration

Enforcement Authority/Damages