SB 1392 - Establishes a Framework for Controlling and Processing Personal Health Data - Virginia Key Vote

Stage Details

Title: Establishes a Framework for Controlling and Processing Personal Health Data

Vote Smart's Synopsis:

Vote to concur with House amendments and pass a bill that establishes a framework for controlling and processing personal health data in the Commonwealth.

Highlights:

  • Classifies the "sale of personal data" as the exchange of personal data for monetary consideration by the controller to a third party. "Sale of personal data" does not include the following (Sec. 59.1-571):

    • The disclosure of personal data to a processor that processes the personal data on behalf of the controller;

    • The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

    • The disclosure or transfer of personal data to an affiliate of the controller;

    • The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or

    • The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

  • Requires a controller to do the following (Sec. 59.1-574):

    • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;

    • Except as otherwise provided in this chapter, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;

    • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices will be appropriate to the volume and nature of the personal data at issue; and

    • Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.

  • Requires a controller to conduct and document a data protection assessment of each of the following processing activities involving personal data (Sec. 59.1-576.A):

    • The processing of personal data for purposes of targeted advertising;

    • The sale of personal data;

    • The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;

    • The processing of sensitive data; and

    • Any processing activities involving personal data that present a heightened risk of harm to consumers.

  • Specifies that the obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the laws of the Commonwealth. Nothing in this law will be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the Commonwealth as part of a privileged communication (Sec. 59.1-578.C).

  • Authorizes personal data processed by a controller pursuant to this section to be processed to the extent that such processing is (Sec. 59.1-578.F):

    • Reasonably necessary and proportionate to the purposes listed in this law; and

    • Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this law.
