Blog March 13, 2020

Sic Semper Tyrannis – Virginia Consumer Data Privacy

Peter Carr

Virginia’s motto, “Thus always to Tyrants,” might aptly apply to our current consumer data privacy situation. In the Virginia seal, imagine the Virginia company is standing over and defeating the tyrant of poor data privacy controls.

Lax consumer data privacy practices are being confronted by state legislation across the country. The Commonwealth of Virginia’s new legislature is poised to pass more consumer-friendly laws, and companies need to be prepared.

Most citizens want companies to do a better job securing personal information. With the spate of recent data breaches by bad actors and state-sponsored hackers, companies need to take more precautions with consumer data. We can no longer live with a simple Caveat Emptor (“buyer beware”) philosophy – whether this means increasing data governance processes, assessing external facing systems, or increasing security controls.

Mark Sickles, a delegate from Virginia’s 43rd District, introduced the first expanded Consumer Data Privacy law in the Virginia House of Delegates (HB 473) on January 8, 2020. This bill got little fanfare in the brief month it was being considered, but could have had wide-ranging impact on companies operating in the Commonwealth. Although I cannot offer any legal guidance or interpretation, from my reading of the bill, it sounded more similar to the European Union’s version of Consumer Data Privacy law (GDPR) than California’s (CCPA), using language like “processor” and “controller” of data.

Like CCPA, the bill offered consumers rights to their data or personal information (§ 59.1-574. Consumer rights). HB 473 expanded the rights from “access,” “deletion,” and “do not sell,” to include the right to “correction,” which means the consumer can have “inaccurate personal data that the controller maintains” corrected. Unlike CCPA, the bill would have also required companies that control or process data to do risk assessments of “their processing activities involving personal data.”

Risk assessments can help organizations develop better data governance patterns and stronger data security procedures (CapTech can provide this type of risk assessment). Having de facto processes that ensure data protection whenever companies collect and store data should be ex fida bona.

The Bill was punted, on 27 January 2020, in the Virginia Committee on Communications, Technology and Innovation ('the Committee'). However, this might not be the end to Consumer Data Privacy in the Commonwealth, as the Bill was continued to 2021 in the Committee by voice vote.

So why write on a bill that did not make it into law—yet?

Because it is highly likely that this bill or a bill like it will be offered in the next General Assembly, and companies in the Commonwealth need to be aware of the potential impact.

I’m a proponent of data privacy rights for consumers, but from my consulting experience, many companies may not be prepared to address these added demands.

CCPA was the first big legislation in the United States to put companies on notice about their responsibilities regarding consumer data. But we’ll likely see more legislation in the coming months. Check out the International Association of Privacy Professionals’ tracker on upcoming legislation (

My favorite teacher of all time was my high school Latin teacher, Mrs. Montross. We affectionately referred to her as Magistra. She taught me to look for Latin phrases in everyday life, and to recognize their broad application. Magistra taught me to be passionate about whatever I do. When I recently saw the Commonwealth’s flag, and noted the motto, I thought how this applies to my current passion, data privacy. While Virginia’s companies are not the tyrants, lax data privacy controls may be perceived as a form of tyranny to consumer rights. Companies should seek to establish more effective protections, revise data retention policies, and take greater responsibility for the data they process and control. Carpe Diem!