                                 CODE OF VIRGINIA

SCOPE; EXEMPTIONS (§ 59.1-576)

A. This chapter applies to persons that conduct business in the Commonwealth or
produce products or services that are targeted to residents of the Commonwealth
and that (i) during a calendar year, control or process personal data of at
least 100,000 consumers or (ii) control or process personal data of at least
25,000 consumers and derive over 50 percent of gross revenue from the sale of
personal data.

B. This chapter shall not apply to any (i) body, authority, board, bureau,
commission, district, or agency of the Commonwealth or of any political
subdivision of the Commonwealth; (ii) financial institution or data subject to
Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. &#xA7; 6801 et seq.);
(iii) covered entity or business associate governed by the privacy, security,
and breach notification rules issued by the U.S. Department of Health and Human
Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the
Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);
(iv) nonprofit organization; or (v) institution of higher education.

C. The following information and data is exempt from this chapter:

   1. Protected health information under HIPAA;

   2. Health records for purposes of Title 32.1;

   3. Patient identifying information for purposes of 42 U.S.C. &#xA7; 290dd-2;

   4. Identifiable private information for purposes of the federal policy for the
   protection of human subjects under 45 C.F.R. Part 46; identifiable private
   information that is otherwise information collected as part of human subjects
   research pursuant to the good clinical practice guidelines issued by The
   International Council for Harmonisation of Technical Requirements for
   Pharmaceuticals for Human Use; the protection of human subjects under 21
   C.F.R. Parts 6, 50, and 56, or personal data used or shared in research
   conducted in accordance with the requirements set forth in this chapter, or
   other research conducted in accordance with applicable law;

   5. Information and documents created for purposes of the federal Health Care
   Quality Improvement Act of 1986 (42 U.S.C. &#xA7; 11101 et seq.);

   6. Patient safety work product for purposes of the federal Patient Safety and
   Quality Improvement Act (42 U.S.C. &#xA7; 299b-21 et seq.);

   7. Information derived from any of the health care-related information listed
   in this subsection that is de-identified in accordance with the requirements
   for de-identification pursuant to HIPAA;

   8. Information originating from, and intermingled to be indistinguishable
   with, or information treated in the same manner as information exempt under
   this subsection that is maintained by a covered entity or business associate
   as defined by HIPAA or a program or a qualified service organization as
   defined by 42 U.S.C. &#xA7; 290dd-2;

   9. Information used only for public health activities and purposes as
   authorized by HIPAA;

   10. The collection, maintenance, disclosure, sale, communication, or use of
   any personal information bearing on a consumer&#8217;s credit worthiness,
   credit standing, credit capacity, character, general reputation, personal
   characteristics, or mode of living by a consumer reporting agency or furnisher
   that provides information for use in a consumer report, and by a user of a
   consumer report, but only to the extent that such activity is regulated by and
   authorized under the federal Fair Credit Reporting Act (15 U.S.C. &#xA7; 1681
   et seq.);

   11. Personal data collected, processed, sold, or disclosed in compliance with
   the federal Driver&#8217;s Privacy Protection Act of 1994 (18 U.S.C. &#xA7;
   2721 et seq.);

   12. Personal data regulated by the federal Family Educational Rights and
   Privacy Act (20 U.S.C. &#xA7; 1232g et seq.);

   13. Personal data collected, processed, sold, or disclosed in compliance with
   the federal Farm Credit Act (12 U.S.C. &#xA7; 2001 et seq.); and

   14. Data processed or maintained (i) in the course of an individual applying
   to, employed by, or acting as an agent or independent contractor of a
   controller, processor, or third party, to the extent that the data is
   collected and used within the context of that role; (ii) as the emergency
   contact information of an individual under this chapter used for emergency
   contact purposes; or (iii) that is necessary to retain to administer benefits
   for another individual relating to the individual under clause (i) and used
   for the purposes of administering those benefits.

D. Controllers and processors that comply with the verifiable parental consent
requirements of the Children&#8217;s Online Privacy Protection Act (15 U.S.C.
&#xA7; 6501 et seq.) shall be deemed compliant with any obligation to obtain
parental consent under this chapter.

HISTORY: 2021, Sp. Sess. I, cc. 35, 36.