Be it enacted by the General Assembly of Virginia:
1. That §§59.1-575 and 59.1-576 of the Code of Virginia are amended and reenacted and that the Code of Virginia is amended by adding a section numbered 59.1-577.1 as follows:
§59.1-575. Definitions.
As used in this chapter, unless the context requires a different meaning:
"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, "control" or "controlled" means (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or (iii) the power to exercise controlling influence over the management of a company.
"Authenticate" means verifying through reasonable means that the consumer, entitled to exercise his consumer rights in § 59.1-577, is the same consumer exercising such consumer rights with respect to the personal data at issue.
"Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. "Biometric data" does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
"Business associate" means the same meaning as the term established by HIPAA.
"Child" means any natural person younger than 13 years of age.
"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
"Consumer" means a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
"Controller" means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
"Covered entity" means the same as the term is established by HIPAA.
"Decisions that produce legal or similarly significant effects concerning a consumer" means a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.
"De-identified data" means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person. A controller that possesses "de-identified data" shall comply with the requirements of subsection A of §59.1-581.
"Health record" means the same as that term is defined in §32.1-127.1:03.
"Health care provider" means the same as that term is defined in §32.1-276.3.
"HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. §1320d et seq.).
"Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.
"Institution of higher education" means a public institution and private institution of higher education, as those terms are defined in §23.1-100.
"Minor" means any natural person younger than 18 years of age.
"Nonprofit organization" means any corporation organized under the Virginia Nonstock Corporation Act (§13.1-801 et seq.) or any organization exempt from taxation under §501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any political organization, any organization exempt from taxation under §501(c)(4) of the Internal Revenue Code that is identified in §52-41, and any subsidiary or affiliate of entities organized pursuant to Chapter 9.1 (§56-231.15 et seq.) of Title 56.
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information.
"Political organization" means a party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.
"Precise geolocation data" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
"Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
"Processor" means a natural or legal entity that processes personal data on behalf of a controller.
"Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Protected health information" means the same as the term is established by HIPAA.
"Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
"Publicly available information" means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
"Sale of personal data" means the exchange of personal data for monetary consideration by the controller to a third party. "Sale of personal data" does not include:
1. The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
2. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
3. The disclosure or transfer of personal data to an affiliate of the controller;
4. The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or
5. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
"Sensitive data" means a category of personal data that includes:
1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
3. The personal data collected from a known child; or
4. Precise geolocation data.
"Social media platform" means an electronic medium or service where users may create, share, or view user-generated content, including videos, photographs, blogs, podcasts, messages, emails, or website profiles or locations, and create a personal account.
"State agency" means the same as that term is defined in §2.2-307.
"Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests. "Targeted advertising" does not include:
1. Advertisements based on activities within a controller's own websites or online applications;
2. Advertisements based on the context of a consumer's current search query, visit to a website, or online application;
3. Advertisements directed to a consumer in response to the consumer's request for information or feedback; or
4. Processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency.
"Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
"Verifiable parental consent" means authorization by a parent or legal guardian for a social media platform that is required in order to permit any minor to create an account with such social media platform and, with such account, use the social media platform.
§59.1-576. Scope; exemptions.
A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
B. This chapter shall not apply to any (i) body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth; (ii) financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. §6801 et seq.); (iii) covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (P.L. 111-5); (iv) nonprofit organization; or (v) institution of higher education.
C. The following information and data is exempt from this chapter:
1. Protected health information under HIPAA;
2. Health records for purposes of Title 32.1;
3. Patient identifying information for purposes of 42 U.S.C. § 290dd-2;
4. Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law;
5. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 (42 U.S.C. §11101 et seq.);
6. Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. §299b-21 et seq.);
7. Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
8. Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. §290dd-2;
9. Information used only for public health activities and purposes as authorized by HIPAA;
10. The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. §1681 et seq.);
11. Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. §2721 et seq.);
12. Personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. §1232g et seq.);
13. Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. §2001 et seq.); and
14. Data processed or maintained (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role; (ii) as the emergency contact information of an individual under this chapter used for emergency contact purposes; or (iii) that is necessary to retain to administer benefits for another individual relating to the individual under clause (i) and used for the purposes of administering those benefits.
D. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. §6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter, except requirements for social media platforms pursuant to §59.1-577.1.
§59.1-577.1. Social media platform responsibilities; verifiable parental consent.
A. A social media platform subject to the provisions of the Children's Online Privacy Protection Act (15 U.S.C. §6501 et seq.) shall obtain verifiable parental consent prior to permitting any minor to create an account with such social media platform and, with such account, use the social media platform. Such social media platform shall give the parent or legal guardian the option to consent to the collection and use of the minor's personal data without consenting to the disclosure of such minor's personal data to third parties.
B. A controller or processor shall make reasonable efforts to obtain verifiable parental consent by taking into consideration available technology to ensure that the person providing such consent is the minor's parent or legal guardian. Verifiable parental consent may be obtained from the parent or legal guardian by the parent or legal guardian:
1. Providing a signed consent form to the controller or processor;
2. Using a credit card, debit card, or other online payment system that provides notification of any transaction with the controller or processor to the primary account holder; or
3. Providing any valid government-issued identification to the controller or processor.