A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

B. This chapter shall not apply to any (i) body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth; (ii) financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); (iii) covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (P.L. 111-5); (iv) nonprofit organization; or (v) institution of higher education.

C. The following information and data is exempt from this chapter:

1. Protected health information under HIPAA;

2. Health records for purposes of Title 32.1;

3. Patient identifying information for purposes of 42 U.S.C. § 290dd-2;

4. Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law;

5. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.);

6. Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.);

7. Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;

8. Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. § 290dd-2;

9. Information used only for public health activities and purposes as authorized by HIPAA;

10. The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.);

11. Personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.);

12. Personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.);

13. Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.); and

14. Data processed or maintained (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role; (ii) as the emergency contact information of an individual under this chapter used for emergency contact purposes; or (iii) that is necessary to retain to administer benefits for another individual relating to the individual under clause (i) and used for the purposes of administering those benefits.

D. Controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter.

2021, Sp. Sess. I, cc. 35, 36.