Virginia has just become the second U.S. state with a comprehensive privacy law, with Governor Ralph Northam’s signing of the Virginia Consumer Data Protection Act (“VCDPA”) on March 2, 2021. The VCDPA bears a strong resemblance to the California Consumer Privacy Act (“CCPA”). It also pulls U.S. law in the direction of its overseas cousin, the European Union’s General Data Protection Regulation (“GDPR”).

The VCDPA will take effect on January 1, 2023. That gives businesses almost two years to plan for compliance. Perhaps the biggest decision will be whether companies should adopt a “highest common denominator” approach — that is, voluntarily treating the data of all consumers regardless of location as if it were subject to all of these increasingly stringent privacy laws. With more laws like VCDPA seeming likely to be enacted elsewhere, could highest common denominator now be the most operationally sensible way to go?

Continue reading. . .