What Virginia’s New Privacy Law Means for Organizations in the Healthcare Industry
The National Law Review
Matthew M. Shatzkes, Julia K. Kadish
Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), i.e., the California Privacy Rights Act (“CPRA”)). While CDPA has fairly broad exemptions for entities regulated by other laws, such as HIPAA, there is also a new “opt-in” requirement for collecting “sensitive data.”
Our sister blog goes into a more detailed discussion of the requirements under Virginia’s law. Here, we cover highlights of the law relevant to companies operating in the healthcare space.
Requirements for Collecting “Sensitive Data”
The CDPA requires “freely given, specific, informed, and unambiguous” consent (i.e., an opt-in requirement) in order for any entity or person to collect or process “sensitive data.” Among other itemized examples, “sensitive data” includes...