Introduced in House Passed House Introduced in Senate Passed Senate Became Law
01/07/2020        

Civil action; sale of personal data.

Requires a person that disseminates, obtains, maintains, or collects personal data about a consumer for a fee to implement security practices to protect the confidentiality of a consumer's personal data, obtain express consent of a parent of a minor before selling the personal data of such minor, provide access to consumers to their own personal data that is held by the entity, refrain from maintaining or selling data that it knows to be inaccurate, and provide a means by which a consumer can opt out of the sale of his personal data. The bill provides that a violation could result in a civil penalty of up to $7,500 or damages to be awarded to a consumer. The bill also provides for the award of attorney fees and costs.

Date Version PDF TXT
01/07/2020 Senate: Prefiled and ordered printed; offered 01/08/20 20104658D Open

            

2020 SESSION

    20104658D
    SENATE BILL NO. 641
    Offered January 8, 2020
    Prefiled January 7, 2020
    A BILL to amend the Code of Virginia by adding a section numbered 8.01-40.5, relating to civil action; sale of personal data.
    ----------
    Patron-- Surovell
    ----------
    Referred to Committee on the Judiciary
    ----------

    Be it enacted by the General Assembly of Virginia:

    1. That the Code of Virginia is amended by adding a section numbered 8.01-40.5 as follows:

    8.01-40.5. Civil action for sale of personal data.

    A. As used in this section:

    "Consumer" means a natural person who is a resident and domiciliary of the Commonwealth.

    "Data seller" means a person that disseminates, obtains, maintains, or collects personal data about a consumer for a fee.

    "Personal data" includes any information that could be used to identify an individual consumer, including such consumers date of birth, social security number, credit card information (including account number, expiration date, and security code), passwords, personal identification numbers (PINs), or information about an individual consumers character, habits, spending, hobbies, or personal interests.

    "Public record information" shall refer to publicly available information from federal, state, or local government entities.

    B. Data sellers shall:

    1. Implement and maintain reasonable security procedures and practices to protect (i) the confidentiality of a consumers personal data and (ii) the accuracy of public record information.

    2. Implement processes to affirmatively obtain the express consent of a parent or guardian of a minor before selling the personal data of such minor.

    3. Implement procedures for consumers to submit a request to obtain any of their own personal data maintained by the data seller, including, at a minimum, a toll-free telephone number, and to obtain a copy of such data or any of such data sold to another entity by the data seller regarding the consumer.

    4. Refrain from maintaining or selling personal data about a consumer that it knows to be inaccurate.

    5. Provide a link on the homepage of the website of the data seller labeled "Do Not Sell My Personal Information" that directs a consumer to a webpage enabling him or his authorized representative to opt out of the sale of the consumers personal data.

    6. In the event of a data breach, notify all affected consumers via mail or email within 30 days of the discovery of the breach. A copy of the notice shall also be sent to the Office of the Attorney General.

    C. The provisions of this section shall not apply to the Commonwealth or any agency, commission, instrumentality, or political subdivision thereof; any clerk of court; any organization that is tax exempt pursuant to � 501(c) or 527 of the Internal Revenue Code; or the activity of any consumer reporting agency that is subject to civil liability pursuant to 15 U.S.C. � 1681.

    D. If a data seller violates a provision of subsection B:

    1. The Attorney General or an attorney for the Commonwealth may initiate a civil action against the data seller and may recover a civil penalty of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation.

    2. A consumer may initiate a civil action against the data seller and may recover up to $1,000 per violation, in addition to actual damages caused by such violation, punitive damages in cases in which the data sellers conduct was willful, and reasonable attorney fees, expert witness expenses, and costs. A consumer may initiate a civil action and recover damages under this provision either for himself or on behalf of a class of consumers.

    3. In any action on behalf of a class, a consumer may also obtain injunctive relief.

    Picture Name From Date Type
    Scott A. Surovell D-Richmond Sponsor
    Date Branch Action
    01/24/2020 Senate Senate: Assigned Juciciary sub: Civil Law
    01/07/2020 Senate Senate: Prefiled and ordered printed; offered 01/08/20 20104658D
    01/07/2020 Senate Senate: Referred to Committee on the Judiciary
    Summary
    Congress - Bill Number Major Title
    Branch Vote Date Yes No Not Voting
    Wiki
    Date Bill Major Title
    Committee Name
    Subject Type