2026 SESSION

INTRODUCED

26105301D

HOUSE BILL NO. 638

Offered January 14, 2026

Prefiled January 13, 2026

A BILL to amend the Code of Virginia by adding in Title 59.1 a chapter numbered 60, consisting of sections numbered 59.1-614 through 59.1-618, relating to regulation of data brokers; civil penalties.

—————

Patrons—Maldonado, Anthony and Henson

—————

Referred to Committee on Communications, Technology and Innovation

—————

Be it enacted by the General Assembly of Virginia:

1. That the Code of Virginia is amended by adding in Title 59.1 a chapter numbered 60, consisting of sections numbered 59.1-614 through 59.1-618, as follows:

§ 59.1-200. Prohibited practices.

A. The following fraudulent acts or practices committed by a supplier in connection with a consumer transaction are hereby declared unlawful:

1. Misrepresenting goods or services as those of another;

2. Misrepresenting the source, sponsorship, approval, or certification of goods or services;

3. Misrepresenting the affiliation, connection, or association of the supplier, or of the goods or services, with another;

4. Misrepresenting geographic origin in connection with goods or services;

5. Misrepresenting that goods or services have certain quantities, characteristics, ingredients, uses, or benefits;

6. Misrepresenting that goods or services are of a particular standard, quality, grade, style, or model;

7. Advertising or offering for sale goods that are used, secondhand, repossessed, defective, blemished, deteriorated, or reconditioned, or that are "seconds," irregulars, imperfects, or "not first class," without clearly and unequivocally indicating in the advertisement or offer for sale that the goods are used, secondhand, repossessed, defective, blemished, deteriorated, reconditioned, or are "seconds," irregulars, imperfects, or "not first class";

8. Advertising goods or services with intent not to sell them as advertised, or with intent not to sell at the price or upon the terms advertised.

In any action brought under this subdivision, the refusal by any person, or any employee, agent, or servant thereof, to sell any goods or services advertised or offered for sale at the price or upon the terms advertised or offered, shall be prima facie evidence of a violation of this subdivision. This paragraph shall not apply when it is clearly and conspicuously stated in the advertisement or offer by which such goods or services are advertised or offered for sale, that the supplier or offeror has a limited quantity or amount of such goods or services for sale, and the supplier or offeror at the time of such advertisement or offer did in fact have or reasonably expected to have at least such quantity or amount for sale;

9. Making false or misleading statements of fact concerning the reasons for, existence of, or amounts of price reductions;

10. Misrepresenting that repairs, alterations, modifications, or services have been performed or parts installed;

11. Misrepresenting by the use of any written or documentary material that appears to be an invoice or bill for merchandise or services previously ordered;

12. Notwithstanding any other provision of law, using in any manner the words "wholesale," "wholesaler," "factory," or "manufacturer" in the supplier's name, or to describe the nature of the supplier's business, unless the supplier is actually engaged primarily in selling at wholesale or in manufacturing the goods or services advertised or offered for sale;

13. Using in any contract or lease any liquidated damage clause, penalty clause, or waiver of defense, or attempting to collect any liquidated damages or penalties under any clause, waiver, damages, or penalties that are void or unenforceable under any otherwise applicable laws of the Commonwealth, or under federal statutes or regulations;

13a. Failing to provide to a consumer, or failing to use or include in any written document or material provided to or executed by a consumer, in connection with a consumer transaction any statement, disclosure, notice, or other information however characterized when the supplier is required by 16 C.F.R. Part 433 to so provide, use, or include the statement, disclosure, notice, or other information in connection with the consumer transaction;

14. Using any other deception, fraud, false pretense, false promise, or misrepresentation in connection with a consumer transaction;

15. Violating any provision of § 3.2-6509, 3.2-6512, 3.2-6513, 3.2-6513.1, 3.2-6514, 3.2-6515, 3.2-6516, or 3.2-6519 is a violation of this chapter;

16. Failing to disclose all conditions, charges, or fees relating to:

a. The return of goods for refund, exchange, or credit. Such disclosure shall be by means of a sign attached to the goods, or placed in a conspicuous public area of the premises of the supplier, so as to be readily noticeable and readable by the person obtaining the goods from the supplier. If the supplier does not permit a refund, exchange, or credit for return, he shall so state on a similar sign. The provisions of this subdivision shall not apply to any retail merchant who has a policy of providing, for a period of not less than 20 days after date of purchase, a cash refund or credit to the purchaser's credit card account for the return of defective, unused, or undamaged merchandise upon presentation of proof of purchase. In the case of merchandise paid for by check, the purchase shall be treated as a cash purchase and any refund may be delayed for a period of 10 banking days to allow for the check to clear. This subdivision does not apply to sale merchandise that is obviously distressed, out of date, post season, or otherwise reduced for clearance; nor does this subdivision apply to special order purchases where the purchaser has requested the supplier to order merchandise of a specific or unusual size, color, or brand not ordinarily carried in the store or the store's catalog; nor shall this subdivision apply in connection with a transaction for the sale or lease of motor vehicles, farm tractors, or motorcycles as defined in § 46.2-100;

b. A layaway agreement. Such disclosure shall be furnished to the consumer (i) in writing at the time of the layaway agreement, or (ii) by means of a sign placed in a conspicuous public area of the premises of the supplier, so as to be readily noticeable and readable by the consumer, or (iii) on the bill of sale. Disclosure shall include the conditions, charges, or fees in the event that a consumer breaches the agreement;

16a. Failing to provide written notice to a consumer of an existing open-end credit balance in excess of $5 (i) on an account maintained by the supplier and (ii) resulting from such consumer's overpayment on such account. Suppliers shall give consumers written notice of such credit balances within 60 days of receiving overpayments. If the credit balance information is incorporated into statements of account furnished consumers by suppliers within such 60-day period, no separate or additional notice is required;

17. If a supplier enters into a written agreement with a consumer to resolve a dispute that arises in connection with a consumer transaction, failing to adhere to the terms and conditions of such an agreement;

18. Violating any provision of the Virginia Health Club Act, Chapter 24 (§ 59.1-294 et seq.);

19. Violating any provision of the Virginia Home Solicitation Sales Act, Chapter 2.1 (§ 59.1-21.1 et seq.);

20. Violating any provision of the Automobile Repair Facilities Act, Chapter 17.1 (§ 59.1-207.1 et seq.);

21. Violating any provision of the Virginia Lease-Purchase Agreement Act, Chapter 17.4 (§ 59.1-207.17 et seq.);

22. Violating any provision of the Prizes and Gifts Act, Chapter 31 (§ 59.1-415 et seq.);

23. Violating any provision of the Virginia Public Telephone Information Act, Chapter 32 (§ 59.1-424 et seq.);

24. Violating any provision of § 54.1-1505;

25. Violating any provision of the Motor Vehicle Manufacturers' Warranty Adjustment Act, Chapter 17.6 (§ 59.1-207.34 et seq.);

26. Violating any provision of § 3.2-5627, relating to the pricing of merchandise;

27. Violating any provision of the Pay-Per-Call Services Act, Chapter 33 (§ 59.1-429 et seq.);

28. Violating any provision of the Extended Service Contract Act, Chapter 34 (§ 59.1-435 et seq.);

29. Violating any provision of the Virginia Membership Camping Act, Chapter 25 (§ 59.1-311 et seq.);

30. Violating any provision of the Comparison Price Advertising Act, Chapter 17.7 (§ 59.1-207.40 et seq.);

31. Violating any provision of the Virginia Travel Club Act, Chapter 36 (§ 59.1-445 et seq.);

32. Violating any provision of §§ 46.2-1231 and 46.2-1233.1;

33. Violating any provision of Chapter 40 (§ 54.1-4000 et seq.) of Title 54.1;

34. Violating any provision of Chapter 10.1 (§ 58.1-1031 et seq.) of Title 58.1;

35. Using the consumer's social security number as the consumer's account number with the supplier, if the consumer has requested in writing that the supplier use an alternate number not associated with the consumer's social security number;

36. Violating any provision of Chapter 18 (§ 6.2-1800 et seq.) of Title 6.2;

37. Violating any provision of § 8.01-40.2;

38. Violating any provision of Article 7 (§ 32.1-212 et seq.) of Chapter 6 of Title 32.1;

39. Violating any provision of Chapter 34.1 (§ 59.1-441.1 et seq.);

40. Violating any provision of Chapter 20 (§ 6.2-2000 et seq.) of Title 6.2;

41. Violating any provision of the Virginia Post-Disaster Anti-Price Gouging Act, Chapter 46 (§ 59.1-525 et seq.). For the purposes of this subdivision, "consumer transaction" has the same meaning as provided in § 59.1-526;

42. Violating any provision of Chapter 47 (§ 59.1-530 et seq.);

43. Violating any provision of § 59.1-443.2;

44. Violating any provision of Chapter 48 (§ 59.1-533 et seq.);

45. Violating any provision of Chapter 25 (§ 6.2-2500 et seq.) of Title 6.2;

46. Violating the provisions of clause (i) of subsection B of § 54.1-1115;

47. Violating any provision of § 18.2-239;

48. Violating any provision of Chapter 26 (§ 59.1-336 et seq.);

49. Selling, offering for sale, or manufacturing for sale a children's product the supplier knows or has reason to know was recalled by the U.S. Consumer Product Safety Commission. There is a rebuttable presumption that a supplier has reason to know a children's product was recalled if notice of the recall has been posted continuously at least 30 days before the sale, offer for sale, or manufacturing for sale on the website of the U.S. Consumer Product Safety Commission. This prohibition does not apply to children's products that are used, secondhand or "seconds";

50. Violating any provision of Chapter 44.1 (§ 59.1-518.1 et seq.);

51. Violating any provision of Chapter 22 (§ 6.2-2200 et seq.) of Title 6.2;

52. Violating any provision of § 8.2-317.1;

53. Violating subsection A of § 9.1-149.1;

54. Selling, offering for sale, or using in the construction, remodeling, or repair of any residential dwelling in the Commonwealth, any drywall that the supplier knows or has reason to know is defective drywall. This subdivision shall not apply to the sale or offering for sale of any building or structure in which defective drywall has been permanently installed or affixed;

55. Engaging in fraudulent or improper or dishonest conduct as defined in § 54.1-1118 while engaged in a transaction that was initiated (i) during a declared state of emergency as defined in § 44-146.16 or (ii) to repair damage resulting from the event that prompted the declaration of a state of emergency, regardless of whether the supplier is licensed as a contractor in the Commonwealth pursuant to Chapter 11 (§ 54.1-1100 et seq.) of Title 54.1;

56. Violating any provision of Chapter 33.1 (§ 59.1-434.1 et seq.);

57. Violating any provision of § 18.2-178, 18.2-178.1, or 18.2-200.1;

58. Violating any provision of Chapter 17.8 (§ 59.1-207.45 et seq.). For the purposes of this subdivision, "consumer transaction" also includes transactions involving an automatic renewal or continuous service offer by a supplier to a small business, as those terms are defined in § 59.1-207.45;

59. Violating any provision of subsection E of § 32.1-126;

60. Violating any provision of § 54.1-111 relating to the unlicensed practice of a profession licensed under Chapter 11 (§ 54.1-1100 et seq.) or Chapter 21 (§ 54.1-2100 et seq.) of Title 54.1;

61. Violating any provision of § 2.2-2001.5;

62. Violating any provision of Chapter 5.2 (§ 54.1-526 et seq.) of Title 54.1;

63. Violating any provision of § 6.2-312;

64. Violating any provision of Chapter 20.1 (§ 6.2-2026 et seq.) of Title 6.2;

65. Violating any provision of Chapter 26 (§ 6.2-2600 et seq.) of Title 6.2;

66. Violating any provision of Chapter 54 (§ 59.1-586 et seq.);

67. Knowingly violating any provision of § 8.01-27.5;

68. Failing to, in accordance with § 59.1-207.46, (i) make available a conspicuous online option to cancel a recurring purchase of a good or service or (ii) with respect to a free trial lasting more than 30 days, notify a consumer of his option to cancel such free trial within 30 days of the end of the trial period to avoid an obligation to pay for the goods or services;

69. Selling or offering for sale any substance intended for human consumption, orally or by inhalation, that contains a synthetic derivative of tetrahydrocannabinol. As used in this subdivision, "synthetic derivative" means a chemical compound produced by man through a chemical transformation to turn a compound into a different compound by adding or subtracting molecules to or from the original compound. This subdivision shall not (i) apply to products that are approved for marketing by the U.S. Food and Drug Administration and scheduled in the Drug Control Act (§ 54.1-3400 et seq.) or (ii) be construed to prohibit any conduct permitted under Chapter 16 (§ 4.1-1600 et seq.) of Title 4.1;

70. Selling or offering for sale to a person younger than 21 years of age any substance intended for human consumption, orally or by inhalation, that contains tetrahydrocannabinol. This subdivision shall not (i) apply to products that are approved for marketing by the U.S. Food and Drug Administration and scheduled in the Drug Control Act (§ 54.1-3400 et seq.) or (ii) be construed to prohibit any conduct permitted under Chapter 16 (§ 4.1-1600 et seq.) of Title 4.1;

71. Selling or offering for sale any substance intended for human consumption, orally or by inhalation, that contains tetrahydrocannabinol, unless such substance is (i) contained in child-resistant packaging, as defined in § 4.1-600; (ii) equipped with a label that states, in English and in a font no less than 1/16 of an inch, (a) that the substance contains tetrahydrocannabinol and may not be sold to persons younger than 21 years of age, (b) all ingredients contained in the substance, (c) the amount of such substance that constitutes a single serving, and (d) the total percentage and milligrams of tetrahydrocannabinol included in the substance and the number of milligrams of tetrahydrocannabinol that are contained in each serving; and (iii) accompanied by a certificate of analysis, produced by an independent laboratory that is accredited pursuant to standard ISO/IEC 17025 of the International Organization of Standardization by a third-party accrediting body, that states the tetrahydrocannabinol concentration of the substance or the tetrahydrocannabinol concentration of the batch from which the substance originates. This subdivision shall not (i) apply to products that are approved for marketing by the U.S. Food and Drug Administration and scheduled in the Drug Control Act (§ 54.1-3400 et seq.) or (ii) be construed to prohibit any conduct permitted under Chapter 16 (§ 4.1-1600 et seq.) of Title 4.1;

72. Manufacturing, offering for sale at retail, or selling at retail an industrial hemp extract, as defined in § 3.2-5145.1, a food containing an industrial hemp extract, or a substance containing tetrahydrocannabinol that depicts or is in the shape of a human, animal, vehicle, or fruit;

73. Selling or offering for sale any substance intended for human consumption, orally or by inhalation, that contains tetrahydrocannabinol and, without authorization, bears, is packaged in a container or wrapper that bears, or is otherwise labeled to bear the trademark, trade name, famous mark as defined in 15 U.S.C. § 1125, or other identifying mark, imprint, or device, or any likeness thereof, of a manufacturer, processor, packer, or distributor of a product intended for human consumption other than the manufacturer, processor, packer, or distributor that did in fact so manufacture, process, pack, or distribute such substance;

74. Selling or offering for sale a topical hemp product, as defined in § 3.2-4112, that does not include a label stating that the product is not intended for human consumption. This subdivision shall not (i) apply to products that are approved for marketing by the U.S. Food and Drug Administration and scheduled in the Drug Control Act (§ 54.1-3400 et seq.), (ii) be construed to prohibit any conduct permitted under Chapter 16 (§ 4.1-1600 et seq.) of Title 4.1, or (iii) apply to topical hemp products that were manufactured prior to July 1, 2023, provided that the person provides documentation of the date of manufacture if requested;

75. Violating any provision of § 59.1-466.8;

76. Violating subsection F of § 36-96.3:1;

77. Selling or offering for sale (i) any kratom product to a person younger than 21 years of age or (ii) any kratom product that does not include a label listing all ingredients and with the following guidance: "This product may be harmful to your health, has not been evaluated by the FDA, and is not intended to diagnose, treat, cure, or prevent any disease." As used in this subdivision, "kratom" means any part of the leaf of the plant Mitragyna speciosa or any extract thereof;

78. Advertising of any ignition interlock system in Virginia by an ignition interlock vendor not approved by the Commission on the Virginia Alcohol Safety Action Program to operate in Virginia; targeted advertising of any ignition interlock system to a person before determination of guilt; and any advertising, whether before or after determination of guilt, without a conspicuous statement that such advertisement is not affiliated with any government agency. For purposes of this subdivision, "ignition interlock system" has the same meaning as ascribed to that term in § 18.2-270.1 and "targeted advertising" has the same meaning ascribed to that term in § 59.1-575 and includes direct mailings to an individual. This provision shall not apply to ignition interlock service vendor ads, pamphlets, or kiosk advertisements approved by the Commission on the Virginia Alcohol Safety Action Program and provided at a Commission-approved location;

79. Failing to disclose the total cost of a good or continuous service, as defined in § 59.1-207.45, to a consumer, including any mandatory fees or charges, prior to entering into an agreement for the sale of any such good or provision of any such continuous service;

80. Violating any provision of the Unfair Real Estate Service Agreement Act (§ 55.1-3200 et seq.);

81. Selling or offering for sale services as a professional mold remediator to be performed upon any residential dwelling without holding a mold remediation certification from a nationally or internationally recognized certifying body for mold remediation, and failing to comply with (i) the U.S. Environmental Protection Agency's publication on Mold Remediation in Schools and Commercial Buildings, as revised; (ii) the ANSI/IICRC S520 Standard for Professional Mold Remediation, as revised; or (iii) any other equivalent ANSI-accredited mold remediation standard, when conducting or offering to conduct mold remediation in the Commonwealth;

82. Willfully violating any provision of § 59.1-444.4;

83. Violating any provision of Chapter 23.2 (§ 59.1-293.10 et seq.);

84. Selling any food that is required by the FDA to have a nutrition label that does not meet the requirements of 21 C.F.R. Part 101;

85. Obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer;

86. Violating any provision of Chapter 58 (§ 59.1-607 et seq.); and

87. (Effective July 1, 2026) Violating any provision of the Medical Debt Protection Act (§ 59.1-611 et seq.); and

88. (Effective July 1, 2027) Violating any provision of Chapter 60 (§ 59.1-614 et seq.).

B. Nothing in this section shall be construed to invalidate or make unenforceable any contract or lease solely by reason of the failure of such contract or lease to comply with any other law of the Commonwealth or any federal statute or regulation, to the extent such other law, statute, or regulation provides that a violation of such law, statute, or regulation shall not invalidate or make unenforceable such contract or lease.

CHAPTER 60.

DATA BROKER REGULATION.

§ 59.1-614. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Artificial intelligence system" means any machine learning-based system that, for any explicit or implicit objective, infers from the inputs such system receives how to generate outputs, including content, decisions, predictions, and recommendations, that can influence physical or virtual environments. "Artificial intelligence system" does not include any artificial intelligence system or general purpose artificial intelligence model that is used for development, prototyping, and research activities before such artificial intelligence system or general purpose artificial intelligence model is made available to deployers or consumers.

"Biometric data" means the same as that term is defined in § 59.1-575.

"Business" means a corporation, partnership, sole proprietorship, firm, enterprise, franchise, association, trust or foundation, or any other individual or entity carrying on a business or profession, whether or not for profit. "Business" does not include a state or local agency.

"Consumer" means the same as that term is defined in § 59.1-575.

"Data broker" means a business that knowingly collects and conducts the sale of personally identifiable information to third parties with whom the business does not have a direct relationship. The following activities conducted by a business, and the collection and sale or licensing of personally identifiable information incidental to conducting these activities, do not qualify the business as a "data broker":

1. Providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;

2. Providing publicly available information related to a consumer's business or profession; or

3. Providing publicly available information through real-time or near-real-time alert services for health or safety purposes.

"Data broker security breach" means an unauthorized acquisition or a reasonable belief of an unauthorized acquisition of more than one element of personally identifiable information maintained by a data broker when the personally identifiable information is not de-identified, redacted, or protected by another method that renders the information unreadable or unusable by an unauthorized person. "Data broker security breach" does not include good faith but unauthorized acquisition of personally identifiable information by an employee or agent of the data broker for a legitimate purpose of the data broker, provided that the personally identifiable information is not used for a purpose unrelated to the data broker's business or subject to further unauthorized disclosure. In determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data broker may consider:

1. Indications that the personally identifiable information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing personally identifiable information;

2. Indications that the personally identifiable information has been downloaded or copied;

3. Indications that the personally identifiable information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or

4. That the personally identifiable information has been made public.

"Data collector" means a person who, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personally identifiable information, and includes public and private entities.

"De-identified data" means the same as that term is defined in § 59.1-575.

"Direct relationship" means that a consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business's products or services. A consumer does not have a "direct relationship" with a business if the purpose of their engagement is to exercise any right described under § 59.1-577, or for the business to verify the consumer's identity. A business does not have a "direct relationship" with a consumer because it collects personally identifiable information directly from the consumer; the consumer must intend to interact with the business. A business is still a data broker and does not have a direct relationship with a consumer as to the sale of personally identifiable information that such business collected outside of a first party interaction with the consumer.

"Identified or identifiable natural person" means the same as that term is defined in § 59.1-575.

"Personally identifiable information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, whether directly or indirectly, with a particular consumer. "Personally identifiable information" includes the following:

1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or similar identifier;

2. Characteristics of protected classifications under state or federal law;

3. Commercial information, including records of personal property, product or service purchases, whether obtained or considered, or other purchasing or consuming histories or tendencies;

4. Biometric data;

5. Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with an internet website application or advertisement;

6. Precise geolocation data;

7. Audio, electronic, visual, thermal, olfactory, or similar information;

8. Information related to profession or employment;

9. Education information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g);

10. Inferences drawn from any of the information identified in this definition to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and

11. Sensitive data.

"Personally identifiable information" does not include publicly available information or personally identifiable information that has been de-identified.

"Precise geolocation data" means the same as that term is defined in § 59.1-575.

"Publicly available information" means information that has been lawfully made available to the general public from (i) federal, state, or local government records, if the person collects, processes, and transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity; (ii) widely distributed media; or (iii) a disclosure to the general public as required by federal, state, or local law.

"Publicly available information" does not include (i) any obscene visual depiction; (ii) any inference made exclusively from multiple independent sources of publicly available information that reveals sensitive data with respect to a consumer; (iii) biometric data; (iv) personal data that is created through the combination of personal data with publicly available information; (v) genetic data, unless otherwise made publicly available by the individual to whom the information pertains; or (vi) intimate images, whether authentic or computer-generated, known to be nonconsensual.

"Sale of personally identifiable information" means the exchange of personally identifiable information for monetary or other valuable consideration by a data broker to a third party. "Sale of personally identifiable information" does not include a one-time or occasional sale of assets of a business as part of a transfer of control of those assets that is not part of the ordinary conduct of the business or a sale of personally identifiable information that is merely incidental to the business.

"Sensitive data" means the same as that term is defined in § 59.1-575.

§ 59.1-615. Acquisition of personally identifiable information; prohibition.

A. No person shall acquire personally identifiable information through fraudulent means.

B. No person shall acquire or use personally identifiable information for the purpose of:

1. Stalking or harassing another person;

2. Committing a fraud, including identity theft, financial fraud, or email fraud; or

3. Engaging in unlawful discrimination, including employment discrimination or housing discrimination.

§ 59.1-616. Data brokers; comprehensive information security program.

A. A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate according to:

1. The size, scope, and type of business of the data broker;

2. The amount of resources available to the data broker;

3. The amount of stored data; and

4. The need for security and confidentiality of personally identifiable information.

A data broker shall adopt safeguards in the comprehensive security program that are consistent with the safeguards for protection of personally identifiable information and information of a similar character set forth in other state or federal laws or regulations applicable to the data broker, including the Consumer Data Protection Act (§ 59.1-575 et seq.).

B. A comprehensive information security program required pursuant to subsection A shall include the following features:

1. Designation of one or more employees to maintain the program;

2. Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personally identifiable information;

3. A process for evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including (i) ongoing employee training, including training for temporary and contract employees; (ii) employee compliance with policies and procedures; and (iii) means of detecting and preventing security system failures;

4. Security policies for employees relating to the storage, access, and transportation of records containing personally identifiable information outside business premises;

5. Disciplinary measures for violations of the comprehensive information security program rules;

6. Measures that prevent terminated employees from accessing records containing personally identifiable information;

7. Supervision of third-party service providers by taking reasonable steps to select and retain such providers that are capable of maintaining appropriate security measures to protect personally identifiable information consistent with applicable law and by requiring such providers by contract to implement and maintain appropriate security measures for personally identifiable information;

8. Reasonable restrictions upon physical access to records containing personally identifiable information and storage of the records and data in locked facilities, storage areas, or containers;

9. Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personally identifiable information and upgrading information safeguards as necessary to limit risks;

10. Review of the scope of the security measures (i) at least annually and (ii) whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personally identifiable information; and

11. Documentation of responsive actions taken in connection with any incident involving a breach of security and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personally identifiable information.

C. A comprehensive information security program required pursuant to subsection A shall, to the extent technically feasible, include the following technical elements:

1. A secure user authentication protocol that has (i) the control of user identifications and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords or use of unique identifier technologies, such as biometrics or token devices; (iii) control of data security passwords to ensure that such passwords are kept in a location and format that do not compromise the security of the data they protect; (iv) the ability to restrict access to only active users and active user accounts; and (v) the ability to block access to user identification after multiple unsuccessful attempts to gain access;

2. Secure access control measures that restrict access to records and files containing personally identifiable information to those who need such information to perform their job duties and assign to each person with computer access unique identifications plus passwords that are not vendor-supplied default passwords and that are reasonably designed to maintain the integrity of the security of the access controls;

3. A mechanism that ensures that all transmitted records and files containing personally identifiable information that will travel across public networks and all data containing personally identifiable information to be transmitted wirelessly shall be transformed to de-identified data prior to such travel or transmission;

4. Reasonable monitoring of systems for unauthorized use of or access to personally identifiable information;

5. A mechanism that ensures that all personally identifiable information stored on laptops or other portable devices is de-identified prior to such storage;

6. For files containing personally identifiable information on a system that is connected to the internet, reasonably up-to-date firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personally identifiable information;

7. Reasonably up-to-date versions of system security agent software that shall include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions and is set to receive the most current security updates on a regular basis; and

8. Education and training of employees in the proper use of the computer security system and the importance of personally identifiable information security.

Nothing in this subsection shall prohibit a comprehensive information security program from providing a higher degree of security than the protocols described in this subsection.

§ 59.1-617. Data brokers; registration.

Beginning on December 1, 2027, and annually thereafter, a data broker operating in the Commonwealth shall register with the Secretary of the Commonwealth by paying a registration fee of $100,000 and providing the following information:

1. The name and primary physical, email, and internet addresses of the data broker;

2. If the data broker permits a consumer to opt out of the data broker's collection of personally identifiable information, opt out of its databases, or opt out of certain sales of data, (i) the method for requesting an opt-out; (ii) which activities or sales the opt-out applies to, if the opt-out applies only to certain activities or sales; and (iii) whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer's behalf;

3. A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;

4. A statement stating whether the data broker implements a purchaser credentialing process;

5. The number of data broker security breaches that the data broker experienced during the prior year, and, if known, the total number of consumers affected by such breaches;

6. Where the data broker has actual knowledge that it possesses the personally identifiable information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the personally identifiable information of minors;

7. Whether the data broker collects:

a. Precise geolocation data;

b. Reproductive health care data;

c. Biometric data;

d. Data related to immigration status;

e. Data related to sexual orientation;

f. Data related to union membership;

g. Data related to name, date of birth, zip code, email address, or phone number;

h. Account login data in combination with any required security code, access code, or password that would permit access to a consumer's account by a third party;

i. Data related to driver's license number, state identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of an individual; or

j. Data related to mobile advertising identification number, connected television identification number, or vehicle identification number;

8. Whether the data broker has shared or sold consumer data in the past year with or to:

a. A foreign business or government;

b. The federal government;

c. A state government;

d. Any law enforcement agency, unless such data was shared pursuant to a subpoena or court order; or

e. A developer of an artificial intelligence system;

9. Between one and three of the most common categories of personally identifiable information that the data broker collects; and

10. Any additional information or explanation the data broker chooses to provide concerning its data collection practices.

The Secretary of the Commonwealth shall post on its website the registration information provided by data brokers as described in this section.

§ 59.1-618. Enforcement; civil penalties.

Any violation of this chapter shall constitute a prohibited practice under the provisions of § 59.1-200 and shall be subject to any and all of the enforcement provisions of the Virginia Consumer Protection Act (§ 59.1-196 et seq.).

2. That the provisions of this act shall become effective on July 1, 2027.