Virginia Code 59.1-578: (Effective until January 1, 2025) Data controller responsibilities; transparency
A. A controller shall:
Terms Used In Virginia Code 59.1-578
- Appeal: A request made after a trial, asking another court (usually the court of appeals) to decide whether the trial was conducted properly. To make such a request is "to appeal" or "to take an appeal." One who appeals is called the appellant.
- Authenticate: means verifying through reasonable means that the consumer, entitled to exercise his consumer rights in § Virginia Code 59.1-575
- Child: means any natural person younger than 13 years of age. See Virginia Code 59.1-575
- Consent: means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. See Virginia Code 59.1-575
- Consumer: means a natural person who is a resident of the Commonwealth acting only in an individual or household context. See Virginia Code 59.1-575
- Contract: A legal written agreement that becomes binding when signed.
- Controller: means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data. See Virginia Code 59.1-575
- Decisions that produce legal or similarly significant effects concerning a consumer: means a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water. See Virginia Code 59.1-575
- Guardian: A person legally empowered and charged with the duty of taking care of and managing the property of another person who because of age, intellect, or health, is incapable of managing his (her) own affairs.
- Includes: means includes, but not limited to. See Virginia Code 1-218
- Personal data: means any information that is linked or reasonably linkable to an identified or identifiable natural person. See Virginia Code 59.1-575
- Precise geolocation data: means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. See Virginia Code 59.1-575
- Process: includes subpoenas, the summons and complaint in a civil action, and process in statutory actions. See Virginia Code 1-237
- processing: means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. See Virginia Code 59.1-575
- Profiling: means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. See Virginia Code 59.1-575
- Sensitive data: means a category of personal data that includes:
1. See Virginia Code 59.1-575
- State: when applied to a part of the United States, includes any of the 50 states, the District of Columbia, the Commonwealth of Puerto Rico, Guam, the Northern Mariana Islands, and the United States Virgin Islands. See Virginia Code 1-245
- Targeted advertising: means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests. See Virginia Code 59.1-575
1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
2. Except as otherwise provided in this chapter, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;
3. Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue;
4. Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this subdivision shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out pursuant to § 59.1-577 or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and
5. Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.).
B. Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to § 59.1-577 shall be deemed contrary to public policy and shall be void and unenforceable.
C. Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
1. The categories of personal data processed by the controller;
2. The purpose for processing personal data;
3. How consumers may exercise their consumer rights pursuant § 59.1-577, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
4. The categories of personal data that the controller shares with third parties, if any; and
5. The categories of third parties, if any, with whom the controller shares personal data.
D. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
E. A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to § 59.1-577 but may require a consumer to use an existing account.
2021, Sp. Sess. I, cc. 35, 36.
A. A controller shall:
1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
2. Except as otherwise provided in this chapter, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;
3. Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue;
4. Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this subdivision shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out pursuant to § 59.1-577 or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and
5. Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.).
B. Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to § 59.1-577 shall be deemed contrary to public policy and shall be void and unenforceable.
C. Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
1. The categories of personal data processed by the controller;
2. The purpose for processing personal data;
3. How consumers may exercise their consumer rights pursuant § 59.1-577, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
4. The categories of personal data that the controller shares with third parties, if any; and
5. The categories of third parties, if any, with whom the controller shares personal data.
D. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
E. A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to § 59.1-577 but may require a consumer to use an existing account.
F. 1. Subject to the consent requirement established by subdivision 3, no controller shall process any personal data collected from a known child:
a. For the purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;
b. Unless such processing is reasonably necessary to provide the online service, product, or feature;
c. For any processing purpose other than the processing purpose that the controller disclosed at the time such controller collected such personal data or that is reasonably necessary for and compatible with such disclosed purpose; or
d. For longer than is reasonably necessary to provide the online service, product, or feature.
2. Subject to the consent requirement established by subdivision 3, no controller shall collect precise geolocation data from a known child unless (i) such precise geolocation data is reasonably necessary for the controller to provide an online service, product, or feature and, if such data is necessary to provide such online service, product, or feature, such controller shall only collect such data for the time necessary to provide such online service, product, or feature and (ii) the controller provides to the known child a signal indicating that such controller is collecting such precise geolocation data, which signal shall be available to such known child for the entire duration of such collection.
3. No controller shall engage in the activities described in subdivisions 1 or 2 unless the controller obtains consent from the child’s parent or legal guardian in accordance with the federal Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.).