2025 SESSION
INTRODUCED
25101967D
SENATE BILL NO. 1440
Offered January 17, 2025
A BILL to amend the Code of Virginia by adding in Title 59.1 a chapter numbered 58, consisting of sections numbered 59.1-607 through 59.1-611, relating to consumer data privacy; automakers; civil penalty.
PatronDurant
Referred to Committee on General Laws and Technology
Be it enacted by the General Assembly of Virginia:
1. That the Code of Virginia is amended by adding in Title 59.1 a chapter numbered 58, consisting of sections numbered 59.1-607 through 59.1-611, as follows:
CHAPTER 58.
AUTOMAKER DATA PRIVACY.
59.1-607. Definitions.
"Automaker" means any person, whether resident or nonresident, that manufacturers, assembles, or imports motor vehicles for sale or distribution in the Commonwealth.
"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. "Consent" may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
"Consumer" means a natural person who is a resident of the Commonwealth acting only in an individual or household context.
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" does not include publicly available information.
"Process" or "processing" means any operation or set of operations performed, whether by manual or automatic means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
"Publicly available information" means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
"Sale of personal data" means the exchange of personal data for compensation or valuable consideration.
59.1-608. Consumer data privacy; sale of personal data prohibited.
A. No automaker operating in the Commonwealth shall engage in the collection or processing of personal data of a consumer without such consumer's express consent. A consumer that provides such express consent shall be permitted to invoke the rights in 59.1-609. An automaker that receives such express consent from a consumer shall comply with the requirements of subsections C and D.
B. No automaker operating in the Commonwealth shall engage in the sale of personal data of a consumer.
C. An automaker that has received express consent for the collecting or processing of personal data from a consumer shall:
1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which such data is processed, as disclosed to the consumer;
2. Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue; and
3. Not process data in violation of state and federal laws that prohibit unlawful discrimination against consumers. An automaker shall not discriminate against a consumer for exercising any of the rights contained in this chapter.
D. An automaker that has received express consent from a consumer for the collection or processing of personal data shall provide such consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:
1. The categories of personal data processed by the automaker;
2. The purpose for processing personal data;
3. How consumers may exercise their consumer rights pursuant to subsection A;
4. The categories of personal data that the automaker shares with third parties, if any; and
5. The categories of third parties, if any, with whom the automaker shares personal data.
59.1-609. Personal data rights; consumers.
A. A consumer that provides express consent to an automaker for the collection or processing of personal data shall be entitled to invoke the following rights at any time by submitting a request to the automaker through the means established in subsection D:
1. To confirm whether or not the automaker is processing the consumer's personal data and to access such personal data;
2. To correct inaccuracies in the consumer's personal data;
3. To delete personal data provided by or obtained about the consumer;
4. To obtain a copy of the consumer's personal data that the consumer previously provided to the automaker; and
5. To opt out of the collection or processing of personal data.
B. An automaker shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to subsection A within 45 days of receipt of the request. This response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the automaker informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension.
C. An automaker that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subdivision A 3 by (i) retaining a record of the deletion request and the minimum data necessary for purposes of ensuring that the consumer's personal data remains deleted from the automaker's records and not using such retained data for any other purpose and (ii) opting the consumer out of the collection or processing of personal data.
D. Each automaker operating in the Commonwealth shall establish one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall take into account the ways in which consumers normally interact with the automaker, the need for secure and reliable communication of such requests, and the ability of the automaker to authenticate the identity of the consumer making the request.
59.1-610. Investigative authority.
Whenever the Attorney General has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the Attorney General is empowered to issue a civil investigative demand. The provisions of 59.1-9.10 shall apply mutatis mutandis to civil investigative demands issued under this section.
59.1-611. Enforcement; civil penalty; expenses.
A. The Attorney General shall have exclusive authority to enforce the provisions of this chapter.
B. Prior to initiating any action under this chapter, the Attorney General shall provide an automaker 30 days' written notice identifying the specific provisions of this chapter the Attorney General alleges have been or are being violated. If within the 30-day period the automaker cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action shall be initiated against the automaker.
C. If an automaker continues to violate this chapter following the cure period in subsection B or breaches an express written statement provided to the Attorney General under that subsection, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of this chapter and civil penalties of up to $7,500 for each violation under this chapter. All civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.
D. The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under this chapter.
E. Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.