February 08, 2021

Virginia set to enact consumer data protection law

data privacyThe Virginia House and Senate have passed legislation to establish a consumer data protection law in the state, though, unlike the California Consumer Privacy Act (CCPA), the Virginia bill includes language to exclude entities that are covered by the Gramm-Leach-Bliley Act (GLBA), including credit unions.

The chambers must reconcile their bills by Feb. 11, after which the Virginia Consumer Data Protection Act will head to the governor for enactment.

NAFCU has continuously advocated for a federal, national privacy and data security standard so credit unions are not subject to multiple privacy frameworks; for more information, the association developed a whitepaper that outlines a set of six key data privacy principles.

In its advocacy on the CCPA, the association specifically called for an exemption for credit unions as the industry already complies with the federal GLBA for consumer data security and privacy. The association has also asked the Federal Financial Institutions Examination Council (FFIEC) to provide interagency guidance related to the GLBA to help credit unions and other financial institutions comply with data privacy laws to ensure credit unions are not unnecessarily burdened by conflicting state laws.

In addition to providing the GLBA-exemption, the Virginia legislation requires transparency for how data is collected, used, and shared, as well as the disclosure of certain data held regarding individual consumers upon request. It also establishes consumer rights to the correction, deletion, or portability of certain data, and the ability for consumers to opt-out of certain data processing and sale.

For entities not covered by the GLBA, such as some credit union service organizations (CUSOs), the law will apply to those that control or process personal data of:

  • at least 100,000 Virginia residents; or
  • 25,000 Virginia residents and derives over 50 percent of gross revenue from the sale of personal data.

There is no private right of action, but the law will be enforced through civil actions brought by the Virginia Attorney General, with a statutory civil penalty of up to $7,500 per violation, and includes a 30-day cure provision. It will also create a Consumer Privacy Fund to support ongoing enforcement of the law.

NAFCU will keep credit unions informed of the law's enactment and implementation, and continue to monitor for additional data privacy and protection laws on the horizon.