Having passed both houses of the Virginia General Assembly, the proposed Consumer Data Protection Act (CDPA) may become the second comprehensive consumer privacy bill to be enacted in the United States. However, to reach the governor’s desk, it would need three more readings in the Senate and two more readings in the House, prior to the end of the session, which will be no later than March 1. If the CDPA reaches Governor Northam this session, he will have seven days to approve, amend or veto the bill. Should he take no action, the bill would become law at the end of seven days per the Virginia Constitution, but would not become effective until Jan. 1, 2023, the same day as the operative date of the California Privacy Rights Act (CPRA), which substantially amends the California Consumer Privacy Act (CCPA).

Alternatively, the governor could return the bill to the Legislature for reconsideration on April 7, 2021, when it reconvenes for the purpose of considering bills that may have been returned by the governor with recommendations for their amendment and bills and items of appropriation, including the general appropriation act, that may have been returned by the governor with his objections. We will be watching Richmond to see what happens.

Read an in-depth analysis of the bill here.