2026 SESSION
SENATE SUBSTITUTE
26108358D
HOUSE BILL NO. 1161
AMENDMENT IN THE NATURE OF A SUBSTITUTE
(Proposed by the Senate Committee on General Laws and Technology
on March 4, 2026)
(Patron Prior to Substitute—Delegate Tran)
A BILL to amend and reenact §§ 2.2-3800, 2.2-3801, 2.2-3802, 2.2-3803, 2.2-3806, and 2.2-3809 of the Code of Virginia, relating to Government Data Collection and Dissemination Practices Act; dissemination of personal information to federal government; civil penalties.
Be it enacted by the General Assembly of Virginia:
1. That §§ 2.2-3800, 2.2-3801, 2.2-3802, 2.2-3803, 2.2-3806, and 2.2-3809 of the Code of Virginia are amended and reenacted as follows:
§ 2.2-3800. Short title; findings; principles of information practice.
A. This chapter may be cited as the "Government Data Collection and Dissemination Practices Act."
B. The General Assembly finds that:
1. An individual's privacy is directly affected by the extensive collection, maintenance, use, and dissemination of personal information;
2. The increasing use of computers and sophisticated information technology has greatly magnified the harm that can occur from these practices;
3. An individual's opportunities to secure employment, insurance, credit, and his right to due process, and other legal protections are endangered by the misuse of certain of these personal information systems; and
4. In order to preserve the rights guaranteed a citizen in a free society, legislation is necessary to establish procedures to govern information systems containing records on individuals.
C. Recordkeeping agencies and political subdivisions of the Commonwealth shall adhere to the following principles of information practice to ensure safeguards for personal privacy:
1. There shall be no personal information system whose existence is secret.
2. Information shall not be collected unless the need for it has been clearly established in advance.
3. Information shall be appropriate and relevant to the purpose for which it has been collected.
4. Information shall not be obtained by fraudulent or unfair means.
5. Information shall not be used unless it is accurate and current.
6. There shall be a prescribed procedure for an individual to learn the purpose for which information has been recorded and particulars about its use and dissemination.
7. There shall be a clearly prescribed and uncomplicated procedure for an individual to correct, erase, or amend inaccurate, obsolete, or irrelevant information.
8. Any agency holding personal information shall assure its reliability and take precautions to prevent its misuse.
9. There shall be a clearly prescribed procedure to prevent personal information collected for one purpose from being used or disseminated for another purpose unless such use or dissemination is authorized or required by law.
10. No agency or political subdivision of the Commonwealth shall collect personal information except as explicitly or implicitly authorized by law.
11. No agency or political subdivision of the Commonwealth shall sell personal information.
12. Any agency or political subdivision of the Commonwealth shall disseminate personal information only:
a. To the extent necessary to comply with state or federal law, including the federal Health Insurance Portability and Accountability Act (42 U.S.C. § 1320d et seq.), as amended;
b. To the extent necessary to carry out the administration of a state or federal program pursuant to state or federal law;
c. To comply with a subpoena, court order, or administrative proceeding;
d. To the extent necessary to ensure fulfillment of the obligations of a purchase or contract made in accordance with the Virginia Public Procurement Act (§ 2.2-4300 et seq.) or a memorandum of understanding or management agreement made in accordance with the Restructured Higher Education Financial and Administrative Operations Act (§ 23.1-1000 et seq.);
e. When the data subject has given consent; or
f. To the extent necessary to accomplish a proper purpose of the agency.
§ 2.2-3801. Definitions.
As used in this chapter, unless the context requires a different meaning:
"Agency" means any agency, authority, board, department, division, commission, institution, bureau, or like governmental entity of the Commonwealth or of any unit of local government including counties, cities, towns, regional governments, and the departments thereof, and includes constitutional officers, except as otherwise expressly provided by law. "Agency" shall also include any entity, whether public or private, with which any of the foregoing has entered into a contractual relationship for the operation of a system of personal information to accomplish an agency function. Any such entity included in this definition by reason of a contractual relationship shall only be deemed an agency as relates to services performed pursuant to that contractual relationship, provided that if any such entity is a consumer reporting agency, it shall be deemed to have satisfied all of the requirements of this chapter if it fully complies with the requirements of the Federal Fair Credit Reporting Act as applicable to services performed pursuant to such contractual relationship.
"Consent" means a clear affirmative act signifying a data subject's freely given, specific, informed, and unambiguous agreement to disseminate personal information relating to the data subject. "Consent" may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
"Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in an information system.
"Disseminate" means to release, transfer, or otherwise communicate information orally, in writing, or by electronic means.
"Information system" means the total components and operations of a record-keeping process, including information collected or managed by means of computer networks and the Internet internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.
"Personal information" means all information that (i) describes, locates, or indexes anything about an individual, including, but not limited to, his social security number, U.S. Citizenship and Immigration Services (USCIS) alien registration number, driver's license number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, tax identification number, and his education, financial transactions, medical history, ancestry, national origin, religion, political ideology, voting history, criminal or employment record, and immigration status, or (ii) affords a basis for inferring personal characteristics, such as finger and voice prints fingerprints, voiceprints, faceprints, eye retinas, irises, or other unique biological patterns or characteristics, physical or digital photographs, videos, or audio, or things done by or to such individual; and the record of his presence, registration, or membership in an organization or activity, or admission to an institution. "Personal information" shall does not include routine information maintained for the purpose of internal office administration whose use could not be such as to affect adversely any data subject nor does the term include real estate assessment information.
"Private entity" means any natural person, corporation, general partnership, limited liability company, limited partnership, joint venture, business trust, public benefit corporation, nonprofit entity, or other business entity.
"Proper purpose" includes the sharing or dissemination of data or information among and between agencies, or, as applicable, private entities, in order to (i) streamline administrative processes to improve the efficiency and efficacy of services, access to services, eligibility determinations for services, and service delivery; (ii) reduce paperwork and administrative burdens on applicants for and recipients of public services; (iii) improve the efficiency and efficacy of the management of public programs; (iv) prevent fraud and improve auditing capabilities; (v) conduct outcomes-related research; (vi) develop quantifiable data to aid in policy development and decision making to promote the most efficient and effective use of resources; and (vii) perform data analytics regarding any of the purposes set forth in this definition.
"Purge" means to obliterate information completely from the transient, permanent, or archival records of an agency.
§ 2.2-3802. Systems to which chapter inapplicable.
The provisions of this chapter shall not apply to personal information systems:
1. Maintained by any court of the Commonwealth;
2. Which may exist in publications of general circulation;
3. Contained in the Criminal Justice Information System as defined in §§ 9.1-126 through 9.1-137 or in the Sex Offender and Crimes Against Minors Registry maintained by the Department of State Police pursuant to Chapter 9 (§ 9.1-900 et seq.) of Title 9.1, except to the extent that information is required to be posted on the Internet pursuant to § 9.1-913;
4. Contained in the Virginia Juvenile Justice Information System as defined in §§ 16.1-222 through 16.1-225;
5. Maintained by agencies concerning persons required by law to be licensed in the Commonwealth to engage in the practice of any profession, in which case the names and addresses of persons applying for or possessing the license may be disseminated upon written request to a person engaged in the profession or business of offering professional educational materials or courses for the sole purpose of providing the licensees or applicants for licenses with informational materials relating solely to available professional educational materials or courses, provided the disseminating agency is reasonably assured that the use of the information will be so limited;
6. Maintained by the Parole Board, the Crime Commission, the Judicial Inquiry and Review Commission, the Virginia Racing Commission, the Virginia Criminal Sentencing Commission, and the Virginia Alcoholic Beverage Control Authority;
7. Maintained by any of the following and that deal with investigations and intelligence gathering related to criminal activity:
a. The Department of State Police;
b. The police department of the Chesapeake Bay Bridge and Tunnel Commission;
c. Police departments of cities, counties, and towns;
d. Sheriff's departments of counties and cities;
e. Campus police departments of public institutions of higher education as established by Article 3 (§ 23.1-809 et seq.) of Chapter 8 of Title 23.1; and
f. The Division of Capitol Police.
8. Maintained by local departments of social services regarding alleged cases of child abuse or neglect while such cases are also subject to an ongoing criminal prosecution;
9. Maintained by the Virginia Port Authority as provided in § 62.1-132.4 or 62.1-134.1;
10. Maintained by the Virginia Tourism Authority in connection with or as a result of the promotion of travel or tourism in the Commonwealth, in which case names and addresses of persons requesting information on those subjects may be disseminated upon written request to a person engaged in the business of providing travel services or distributing travel information, provided the Virginia Tourism Authority is reasonably assured that the use of the information will be so limited;
11. Maintained by the Division of Consolidated Laboratory Services of the Department of General Services and the Department of Forensic Science, which deal with scientific investigations relating to criminal activity or suspected criminal activity, except to the extent that § 9.1-1104 may apply;
12. Maintained by the Department of Corrections, the Department of Juvenile Justice, or the Office of the State Inspector General that deal with investigations and intelligence gathering by persons acting under the provisions of Chapter 3.2 (§ 2.2-307 et seq.);
13. Maintained by (i) the Office of the State Inspector General or internal audit departments of state agencies or institutions that deal with communications and investigations relating to the Fraud, Waste and Abuse Hotline or (ii) an auditor appointed by the local governing body of any county, city, or town or a school board that deals with local investigations required by § 15.2-2511.2;
14. Maintained by the Department of Social Services or any local department of social services relating to public assistance fraud investigations;
15. Maintained by the Department of Social Services related to child welfare or public assistance programs when requests for personal information are made to the Department of Social Services. Requests for information from these systems shall be made to the appropriate local department of social services that is the custodian of that record. Notwithstanding the language in this section, an individual shall not be prohibited from obtaining information from the central registry in accordance with the provisions of § 63.2-1515; and
16. Maintained by the Department for Aging and Rehabilitative Services related to adult services, adult protective services, or auxiliary grants when requests for personal information are made to the Department for Aging and Rehabilitative Services. Requests for information from these systems shall be made to the appropriate local department of social services that is the custodian of that record.
§ 2.2-3803. Administration of systems including personal information; internet privacy policy; exceptions.
A. Any agency maintaining an information system that includes personal information shall:
1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency;
2. Collect information to the greatest extent feasible from the data subject directly, or through the sharing of data with other agencies, in order to accomplish a proper purpose of the agency;
3. Establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls;
4. Maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject;
5. Make no dissemination to another system without (i) specifying requirements for security and usage, including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed. This subdivision shall not apply, however, to a dissemination made by an agency to an agency in another state, district, or territory of the United States where the personal information is requested by the agency of such other state, district, or territory in connection with the application of the data subject therein for a service, privilege, or right under the laws thereof, nor shall this apply to information transmitted to family advocacy representatives of the United States Armed Forces in accordance with subsection N of § 63.2-1503;
6. Maintain a list of all persons or organizations having regular access to personal information in the information system;
7. Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained;
8. Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation, or maintenance of the system, or the collection or use of any personal information contained therein, about all the requirements of this chapter, and the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements;
9. Establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security; and
10. Collect no personal information concerning the political or religious beliefs, affiliations, and activities of data subjects that is maintained, used, or disseminated in or by any information system operated by any agency unless authorized explicitly by statute or ordinance. Nothing in this subdivision shall be construed to allow an agency to disseminate to federal government authorities information concerning the religious beliefs and affiliations of data subjects for the purpose of compiling a list, registry, or database of individuals based on religious affiliation, national origin, or ethnicity, unless such dissemination is specifically required by state or federal law; and
11. Disseminate personal information only:
a. To the extent necessary to comply with state or federal law, including the federal Health Insurance Portability and Accountability Act (42 U.S.C. § 1320d et seq.), as amended;
b. To the extent necessary to carry out the administration of a state or federal program pursuant to state or federal law;
c. To comply with a subpoena, court order, or administrative proceeding;
d. To the extent necessary to ensure fulfillment of the obligations of a purchase or contract made in accordance with the Virginia Public Procurement Act (§ 2.2-4300 et seq.) or a memorandum of understanding or management agreement made in accordance with the Restructured Higher Education Financial and Administrative Operations Act (§ 23.1-1000 et seq.);
e. When the data subject has given consent; or
f. To the extent necessary to accomplish a proper purpose of the agency.
B. Every public body, as defined in § 2.2-3701, that has an internet website associated with that public body shall develop an internet privacy policy and an internet privacy policy statement that explains the policy to the public. The policy shall be consistent with the requirements of this chapter. The statement shall be made available on the public body's website in a conspicuous manner. The Secretary of Administration or his designee shall provide guidelines for developing the policy and the statement, and each public body shall tailor the policy and the statement to reflect the information practices of the individual public body. At minimum, the policy and the statement shall address (i) what information, including personally identifiable information, will be collected, if any; (ii) whether any information will be automatically collected simply by accessing the website and, if so, what information; (iii) whether the website automatically places a computer file, commonly referred to as a "cookie," on the internet user's computer and, if so, for what purpose; and (iv) how the collected information is being used or will be used.
C. Notwithstanding the provisions of subsection A, the Virginia Retirement System may disseminate information as to the retirement status or benefit eligibility of any employee covered by the Virginia Retirement System, the Judicial Retirement System, the State Police Officers' Retirement System, or the Virginia Law Officers' Retirement System, to the chief executive officer or personnel officers of the state or local agency by which he is employed.
D. Notwithstanding the provisions of subsection A, the Department of Social Services may disseminate client information to the Department of Taxation for the purposes of providing specified tax information as set forth in clause (ii) of subsection C of § 58.1-3.
E. Notwithstanding the provisions of subsection A, the State Council of Higher Education for Virginia may disseminate student information to agencies acting on behalf or in place of the U.S. government to gain access to data on wages earned outside the Commonwealth or through federal employment, for the purposes of complying with § 23.1-204.1.
§ 2.2-3806. Rights of data subjects.
A. Any agency maintaining personal information shall:
1. Inform an individual who is asked to supply personal information about himself whether he is legally required, or may refuse, to supply the information requested, and also of any specific consequences that are known to the agency of providing or not providing the information.
2. Give notice to a data subject of the possible dissemination of part or all of this information to another agency, nongovernmental organization, or system, including a federal agency or system, or to a private entity, that does not have regular access authority, and indicate the use for which the possible dissemination is intended, and the specific consequences for the individual, that are known to the agency, of providing or not providing the information. However, documented consent for dissemination in the hands of the other agency, organization, system, or private entity shall satisfy the requirement of this subdivision. The notice may be given on applications or other data collection forms prepared by data subjects.
3. Upon request and proper identification of any data subject, or of his authorized agent, grant the data subject or agent the right to inspect, in a form comprehensible to him:
a. All personal information about that data subject except as provided in subdivision 1 of § 2.2-3705.1, subdivision A 1 of § 2.2-3705.4, and subdivision 1 of § 2.2-3705.5.
b. The nature of the sources of the information.
c. The names of recipients, other than those with regular access authority, of personal information about the data subject including the identity of all persons and organizations involved and their relationship to the system when not having regular access authority, except that if the recipient has obtained the information as part of an ongoing criminal investigation such that disclosure of the investigation would jeopardize law-enforcement action, then no disclosure of such access shall be made to the data subject.
d. Any consent given by the data subject for the dissemination of personal information.
4. Comply with the following minimum conditions of disclosure to data subjects:
a. An agency shall make disclosures to data subjects required under this chapter, during normal business hours, in accordance with the procedures set forth in subsections B and C of § 2.2-3704 for responding to requests under the Virginia Freedom of Information Act (§ 2.2-3700 et seq.) or within a time period as may be mutually agreed upon by the agency and the data subject.
b. The disclosures to data subjects required under this chapter shall be made (i) in person, if he appears in person and furnishes proper identification, or (ii) by mail, if he has made a written request, with proper identification. Copies of the documents containing the personal information sought by a data subject shall be furnished to him or his representative at reasonable charges for document search and duplication in accordance with subsection F of § 2.2-3704.
c. The data subject shall be permitted to be accompanied by a person of his choosing, who shall furnish reasonable identification. An agency may require the data subject to furnish a written statement granting the agency consent to discuss the individual's file in such person's presence.
5. If the data subject gives notice that he wishes to challenge, correct, or explain information about him in the information system, the following minimum procedures shall be followed:
a. The agency maintaining the information system shall investigate, and record the current status of that personal information.
b. If, after such investigation, the information is found to be incomplete, inaccurate, not pertinent, not timely, or not necessary to be retained, it shall be promptly corrected or purged.
c. If the investigation does not resolve the dispute, the data subject may file a statement of not more than 200 words setting forth his position.
d. Whenever a statement of dispute is filed, the agency maintaining the information system shall supply any previous recipient with a copy of the statement and, in any subsequent dissemination or use of the information in question, clearly note that it is disputed and supply the statement of the data subject along with the information.
e. The agency maintaining the information system shall clearly and conspicuously disclose to the data subject his rights to make such a request.
f. Following any correction or purging of personal information the agency shall furnish to past recipients notification that the item has been purged or corrected whose receipt shall be acknowledged.
B. Nothing in this chapter shall be construed to require an agency to disseminate any recommendation or letter of reference from or to a third party that is a part of the personnel file of any data subject nor to disseminate any test or examination used, administered, or prepared by any public body for purposes of evaluation of (i) any student or any student's performance, (ii) any seeker's qualifications or aptitude for employment, retention, or promotion, or (iii) qualifications for any license or certificate issued by any public body.
As used in this subsection, "test or examination" includes (a) any scoring key for any such test or examination and (b) any other document that would jeopardize the security of the test or examination. Nothing contained in this subsection shall prohibit the release of test scores or results as provided by law, or to limit access to individual records as provided by law; however, the subject of the employment tests shall be entitled to review and inspect all documents relative to his performance on those employment tests.
When, in the reasonable opinion of the public body, any such test or examination no longer has any potential for future use, and the security of future tests or examinations will not be jeopardized, the test or examination shall be made available to the public. Minimum competency tests administered to public school children shall be made available to the public contemporaneously with statewide release of the scores of those taking such tests, but in no event shall such tests be made available to the public later than six months after the administration of such tests.
C. Neither any provision of this chapter nor any provision of the Virginia Freedom of Information Act (§ 2.2-3700 et seq.) shall be construed to deny public access to records of the position, job classification, official salary or rate of pay of, and to records of the allowances or reimbursements for expenses paid to any public officer, official, or employee at any level of state, local, or regional government in the Commonwealth. The provisions of this subsection shall not apply to records of the official salaries or rates of pay of public employees whose annual rate of pay is $10,000 or less.
D. Nothing in this section or in this chapter shall be construed to require an agency to disseminate information derived from tax returns prohibited from release pursuant to § 58.1-3.
E. Nothing in this chapter shall be construed to require an agency to disseminate personal information except:
1. To the extent necessary to comply with state or federal law, including the federal Health Insurance Portability and Accountability Act (42 U.S.C. § 1320d et seq.), as amended;
2. To the extent necessary to carry out the administration of a state or federal program pursuant to state or federal law;
3. To comply with a subpoena, court order, or administrative proceeding;
4. To the extent necessary to ensure fulfillment of the obligations of a purchase or contract made in accordance with the Virginia Public Procurement Act (§ 2.2-4300 et seq.) or a memorandum of understanding or management agreement made in accordance with the Restructured Higher Education Financial and Administrative Operations Act (§ 23.1-1000 et seq.);
5. When the data subject has given consent; or
6. To the extent necessary to accomplish a proper purpose of the agency.
§ 2.2-3809. Injunctive relief; civil penalties; attorneys' fees.
Any aggrieved person may institute a proceeding for injunction or mandamus against any person or agency that has engaged, is engaged, or is about to engage in any acts or practices in violation of the provisions of this chapter. The proceeding shall be brought in the district or circuit court of any county or city where the aggrieved person resides or where the agency made defendant has a place of business.
In the case of any successful proceeding by an aggrieved party, the agency enjoined or made subject to a writ of mandamus by the court shall be liable for the costs of the action together with reasonable attorneys' fees as determined by the court.
In addition, if the court finds that a violation of subsection A of § 2.2-3808 was willfully and knowingly made by a specific public officer, appointee, or employee of any agency, the court may impose upon such individual a civil penalty of not less than $250 nor more than $1,000, which amount shall be paid into the State Literary Fund. For a second or subsequent violation, such civil penalty shall be not less than $1,000 nor more than $2,500. For a violation of subsection A of § 2.2-3808 by any agency, the court may impose a civil penalty of not less than $250 nor more than $1,000, which amount shall be paid into the State Literary Fund. For a second or subsequent violation, such civil penalty shall be not less than $1,000 nor more than $2,500. If the court finds that a violation of subdivision A 11 of § 2.2-3803 was willfully and knowingly made by a specific public officer, appointee, or employee of any agency, the court may impose upon such individual a civil penalty of not less than $500 nor more than $2,500, which amount shall be paid into the State Literary Fund. For a second or subsequent violation, such civil penalty shall be not less than $2,500 nor more than $10,000.