by Nathan D. Taylor and Robert N. Famigletti
As the Virginia Consumer Data Protection Act (H.B. 2307) heads to Governor Northam’s desk, it appears increasingly likely that Virginia will become the second state to enact a comprehensive consumer privacy law.
After overwhelmingly passing slightly different versions of the bill in late January and early February 2021, Virginia’s House of Delegates and Senate reconciled and passed a substitute, H.B. 2307, on February 19, 2021. This comes just three months after California voters dramatically changed the California privacy law landscape by approving the California Privacy Rights Act (CPRA), a set of numerous amendments to the California Consumer Privacy Act (CCPA) that will become operative on January 1, 2023. If enacted, H.B. 2307 will impose additional compliance obligations beyond the CCPA, even as amended by the CPRA. Moreover, Virginia’s passage of comprehensive privacy legislation may encourage other state legislatures to follow suit—all likely renewing the call for a federal consumer privacy law.
This post provides an overview of the Virginia bill, with a focus on the areas in which it departs from the CCPA and/or CPRA. Like the CPRA’s substantive obligations, H.B. 2307, if enacted, would become operative on January 1, 2023.