Offered January 8, 2020
Prefiled January 7, 2020
A BILL to amend the Code of Virginia by adding a section numbered 8.01-40.5, relating to civil action; sale of personal data.
Patron-- Surovell
Referred to Committee on the Judiciary

Be it enacted by the General Assembly of Virginia:

1. That the Code of Virginia is amended by adding a section numbered 8.01-40.5 as follows:

§8.01-40.5. Civil action for sale of personal data.

A. As used in this section:

"Consumer" means a natural person who is a resident and domiciliary of the Commonwealth.

"Data seller" means a person that disseminates, obtains, maintains, or collects personal data about a consumer for a fee.

"Personal data" includes any information that could be used to identify an individual consumer, including such consumer's date of birth, social security number, credit card information (including account number, expiration date, and security code), passwords, personal identification numbers (PINs), or information about an individual consumer's character, habits, spending, hobbies, or personal interests.

"Public record information" shall refer to publicly available information from federal, state, or local government entities.

B. Data sellers shall:

1. Implement and maintain reasonable security procedures and practices to protect (i) the confidentiality of a consumer's personal data and (ii) the accuracy of public record information.

2. Implement processes to affirmatively obtain the express consent of a parent or guardian of a minor before selling the personal data of such minor.

3. Implement procedures for consumers to submit a request to obtain any of their own personal data maintained by the data seller, including, at a minimum, a toll-free telephone number, and to obtain a copy of such data or any of such data sold to another entity by the data seller regarding the consumer.

4. Refrain from maintaining or selling personal data about a consumer that it knows to be inaccurate.

5. Provide a link on the homepage of the website of the data seller labeled "Do Not Sell My Personal Information" that directs a consumer to a webpage enabling him or his authorized representative to opt out of the sale of the consumer's personal data.

6. In the event of a data breach, notify all affected consumers via mail or email within 30 days of the discovery of the breach. A copy of the notice shall also be sent to the Office of the Attorney General.

C. The provisions of this section shall not apply to the Commonwealth or any agency, commission, instrumentality, or political subdivision thereof; any clerk of court; any organization that is tax exempt pursuant to §501(c) or 527 of the Internal Revenue Code; or the activity of any consumer reporting agency that is subject to civil liability pursuant to 15 U.S.C. §1681.

D. If a data seller violates a provision of subsection B:

1. The Attorney General or an attorney for the Commonwealth may initiate a civil action against the data seller and may recover a civil penalty of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation.

2. A consumer may initiate a civil action against the data seller and may recover up to $1,000 per violation, in addition to actual damages caused by such violation, punitive damages in cases in which the data seller's conduct was willful, and reasonable attorney fees, expert witness expenses, and costs. A consumer may initiate a civil action and recover damages under this provision either for himself or on behalf of a class of consumers.

3. In any action on behalf of a class, a consumer may also obtain injunctive relief.