When Virginia’s General Assembly first took up legislation billed as a major step toward giving regular people more control over their data in an increasingly online world, some of the first testimony lawmakers heard came from tech giants like Microsoft and Amazon.

Both companies said they were in full support of Virginia’s effort to become just the second state in America to pass its own data privacy bill, an early marker in a debate still unfolding in other states and at the national level.

Supporters of Virginia’s Consumer Data Protection Act, approved by the General Assembly this year and already signed by Gov. Ralph Northam, say the fact that Virginia was able to pass such significant legislation without a major fight is a testament to the quality of the bill, which lays out new consumer protections while largely shielding companies from a flood of data-related lawsuits.

Noting that an estimated 70 percent of internet traffic flows through servers in Virginia, Sen. Dave Marsden, D-Fairfax, said Virginia’s legislation could be “a good starting place for a national privacy bill.”

Last month, Virginia lawmakers quietly passed one of the most restrictive bans in the country on the use of facial recognition technology.

The legislation, which won unusually broad bipartisan support, prohibits all local law enforcement agencies and campus police departments from purchasing or using facial recognition technology unless it is expressly authorized by the state legislature.

But now, some law enforcement officials are asking Gov. Ralph Northam to put the brakes on the legislation, arguing that it is overly broad and hasn’t been thoroughly vetted.

On February 19, 2012, the Virginia House of Delegates voted overwhelmingly to pass the Virginia Consumer Data Protection Act (CDPA). The Senate previously voted in favor of passing the legislation. The General Assembly had been considering the CDPA in a special session after both chambers passed companion bills during the regular session. The Senate and House bills are available here and here, respectively.

Prior to passing, the CDPA was amended slightly to create a working group to “review the provisions of [the CDPA] and issues related to its implementation” and submit a report with its “findings, best practices, and recommendations” to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.

According to the General Assembly, the bill will now be printed as an enrolled bill, and examined and signed by the presiding officer of each house. It will then be sent to the Governor, who is expected to sign it.

On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first of its kind legislation on the East Coast. The law will go into effect on January 1, 2023.

The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.

When Virginia’s General Assembly first took up legislation billed as a major step toward giving regular people more control over their data in an increasingly online world, some of the first testimony lawmakers heard came from tech giants like Microsoft and Amazon.

Both companies said they were in full support of Virginia’s effort to become just the second state in America to pass its own data privacy bill, an early marker in a debate still unfolding in other states and at the national level.

Supporters of Virginia’s Consumer Data Protection Act, approved by the General Assembly this year and already signed by Gov. Ralph Northam, say the fact that Virginia was able to pass such significant legislation without a major fight is a testament to the quality of the bill, which lays out new consumer protections while largely shielding companies from a flood of data-related lawsuits.