                                 CODE OF VIRGINIA

DATA CONTROLLER RESPONSIBILITIES; TRANSPARENCY (§ 59.1-578)

A. A controller shall:

   1. Limit the collection of personal data to what is adequate, relevant, and
   reasonably necessary in relation to the purposes for which such data is
   processed, as disclosed to the consumer;

   2. Except as otherwise provided in this chapter, not process personal data for
   purposes that are neither reasonably necessary to nor compatible with the
   disclosed purposes for which such personal data is processed, as disclosed to
   the consumer, unless the controller obtains the consumer&#8217;s consent;

   3. Establish, implement, and maintain reasonable administrative, technical,
   and physical data security practices to protect the confidentiality,
   integrity, and accessibility of personal data. Such data security practices
   shall be appropriate to the volume and nature of the personal data at issue;

   4. Not process personal data in violation of state and federal laws that
   prohibit unlawful discrimination against consumers. A controller shall not
   discriminate against a consumer for exercising any of the consumer rights
   contained in this chapter, including denying goods or services, charging
   different prices or rates for goods or services, or providing a different
   level of quality of goods and services to the consumer. However, nothing in
   this subdivision shall be construed to require a controller to provide a
   product or service that requires the personal data of a consumer that the
   controller does not collect or maintain or to prohibit a controller from
   offering a different price, rate, level, quality, or selection of goods or
   services to a consumer, including offering goods or services for no fee, if
   the consumer has exercised his right to opt out pursuant to &#xA7; 59.1-577 or
   the offer is related to a consumer&#8217;s voluntary participation in a bona
   fide loyalty, rewards, premium features, discounts, or club card program; and

   5. Not process sensitive data concerning a consumer without obtaining the
   consumer&#8217;s consent, or, in the case of the processing of sensitive data
   concerning a known child, without processing such data in accordance with the
   federal Children&#8217;s Online Privacy Protection Act (15 U.S.C. &#xA7; 6501
   et seq.).

B. Any provision of a contract or agreement of any kind that purports to waive
or limit in any way consumer rights pursuant to &#xA7; 59.1-577 shall be deemed
contrary to public policy and shall be void and unenforceable.

C. Controllers shall provide consumers with a reasonably accessible, clear, and
meaningful privacy notice that includes:

   1. The categories of personal data processed by the controller;

   2. The purpose for processing personal data;

   3. How consumers may exercise their consumer rights pursuant &#xA7; 59.1-577,
   including how a consumer may appeal a controller&#8217;s decision with regard
   to the consumer&#8217;s request;

   4. The categories of personal data that the controller shares with third
   parties, if any; and

   5. The categories of third parties, if any, with whom the controller shares
   personal data.

D. If a controller sells personal data to third parties or processes personal
data for targeted advertising, the controller shall clearly and conspicuously
disclose such processing, as well as the manner in which a consumer may exercise
the right to opt out of such processing.

E. A controller shall establish, and shall describe in a privacy notice, one or
more secure and reliable means for consumers to submit a request to exercise
their consumer rights under this chapter. Such means shall take into account the
ways in which consumers normally interact with the controller, the need for
secure and reliable communication of such requests, and the ability of the
controller to authenticate the identity of the consumer making the request.
Controllers shall not require a consumer to create a new account in order to
exercise consumer rights pursuant to &#xA7; 59.1-577 but may require a consumer
to use an existing account.

F. 1. Subject to the consent requirement established by subdivision 3, no
controller shall process any personal data collected from a known child:
			a. For the purposes of (i) targeted advertising, (ii) the sale of such
personal data, or (iii) profiling in furtherance of decisions that produce legal
or similarly significant effects concerning a consumer;
			b. Unless such processing is reasonably necessary to provide the online
service, product, or feature;
			c. For any processing purpose other than the processing purpose that the
controller disclosed at the time such controller collected such personal data or
that is reasonably necessary for and compatible with such disclosed purpose; or
			d. For longer than is reasonably necessary to provide the online service,
product, or feature.

   2. Subject to the consent requirement established by subdivision 3, no
   controller shall collect precise geolocation data from a known child unless
   (i) such precise geolocation data is reasonably necessary for the controller
   to provide an online service, product, or feature and, if such data is
   necessary to provide such online service, product, or feature, such controller
   shall only collect such data for the time necessary to provide such online
   service, product, or feature and (ii) the controller provides to the known
   child a signal indicating that such controller is collecting such precise
   geolocation data, which signal shall be available to such known child for the
   entire duration of such collection.

   3. No controller shall engage in the activities described in subdivisions 1 or
   2 unless the controller obtains consent from the child&#8217;s parent or legal
   guardian in accordance with the federal Children&#8217;s Online Privacy
   Protection Act (15 U.S.C. &#xA7; 6501 et seq.).

HISTORY: 2021, Sp. Sess. I, cc. 35, 36; 2024, cc. 840, 844.