As used in this chapter, unless the context requires a different meaning: “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means (i) ownership of, or the power […]
A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and […]
A. A consumer may invoke the consumer rights authorized pursuant to this subsection at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child’s parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to […]
A. A controller shall: 1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer; 2. Except as otherwise provided in this chapter, not process personal data for purposes that are neither reasonably necessary to […]
A. A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under this chapter. Such assistance shall include: 1. Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to […]
A. A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data: 1. The processing of personal data for purposes of targeted advertising; 2. The sale of personal data; 3. The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable […]
A. The controller in possession of de-identified data shall: 1. Take reasonable measures to ensure that the data cannot be associated with a natural person; 2. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and 3. Contractually obligate any recipients of the de-identified data to comply with all provisions […]
A. Nothing in this chapter shall be construed to restrict a controller’s or processor’s ability to: 1. Comply with federal, state, or local laws, rules, or regulations; 2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; 3. Cooperate with law-enforcement agencies concerning conduct […]
Whenever the Attorney General has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the Attorney General is empowered to issue a civil investigative demand. The provisions of § 59.1-9.10 shall apply mutatis mutandis to civil investigative demands issued under […]
A. The Attorney General shall have exclusive authority to enforce the provisions of this chapter. B. Prior to initiating any action under this chapter, the Attorney General shall provide a controller or processor 30 days’ written notice identifying the specific provisions of this chapter the Attorney General alleges have been or are being violated. If […]
Repealed by Acts 2022, cc. 451 and 452, cl. 2.
