The bill, titled the "Consumer Data Protection Act" would apply to businesses in Virginia that control or process data of at least 100,000 consumers, or derives more than 50 percent of its revenue from the sale of personal data of at least 25,000 consumers.
It also allows for people to access, correct, delete, or get a copy of the data businesses have on them and to opt-out of the collection of personal data that is used for targeted advertising. If signed into law, it would become effective in 2023.
If it is signed, Virginia's law would be the second major data privacy bill passed by states. California passed its "California Consumer Privacy Act" in 2018 and it went into effect last year.
However, Virginia's bill differs in some areas, perhaps most notably with the omission of a private right of action—the ability for consumers to sue companies that violate the law. Instead, the bill leaves enforcement up to the state's attorney general.
Meanwhile, a group of public advocacy groups including Consumer Reports, EPIC, and the Electronic Frontier Foundation also wrote to Virginia lawmakers last week offering suggestions on how to make the bill stronger.
A private right of action is included in California's law and has been a major point of contention in talks around a federal data privacy bill. Last year, Democrats and Republicans in Congress both put out a framework for data privacy bills.
Sen. Maria Cantwell (D-Wash.) and other Democrats introduced a bill that would force big tech companies like Facebook and Google to explain what they are doing with user data and allow users to see and delete personal information that was collected. It also allowed users to opt-out of data being transferred to third parties.
That bill also allowed for a private right of action and wouldn't preempt state laws that go further than it. Sen. Roger Wicker (R-Miss.) circulated a draft of a rival bill that did not include the private right of action and would preempt state laws.