
Changes to Virginia's Data Privacy Law (GDCDPA)

Virginia's Government Data Collection and Dissemination Practices Act (GDCDPA) has been updated through HB1161, which Governor Spanberger signed on 4/13/2026. These changes strengthen privacy protections for Virginia residents and add new restrictions on when state and local agencies can share personal information. 

What is the Government Data Collection and Dissemination Practices Act? 

Virginia's Government Data Collection and Dissemination Practices Act has been the legal framework governing how state and local agencies collect, maintain, use, and share personal information since 1976. The law establishes baseline privacy protections and operational requirements for any agency handling personal data about Virginia residents. 

The Act defines personal information broadly to include any data that can identify an individual: Social Security numbers, driver's licenses, state ID cards, medical records, employment history, financial information, educational records, and even political or religious affiliations.  

Core requirements under the Act include collecting only information that is legally permitted or necessary for proper agency functions, maintaining information with accuracy and timeliness, implementing appropriate security measures and access controls, establishing procedures for individuals to review and correct their information, documenting dissemination practices and maintaining lists of who has regular access, and preventing information collected for one purpose from being used for another without legal authorization. 

What Changed with HB1161? 

HB1161 makes several significant changes to strengthen privacy protections and add accountability. The most notable changes are: 

  1. Expanded definition of personal information - The updated law now explicitly includes the following as personal information: USCIS alien registration numbers, tax identification numbers, national origin, voting history, immigration status, biometric data like faceprints, eye retinas, and iris scans, as well as physical or digital photographs, videos, and audio recordings.
  2. No selling personal information (§ 2.2-3800(A)(11)) - Agencies are now explicitly prohibited from selling personal information under any circumstances.
  3. Limited dissemination (§ 2.2-3803.11(a)-(f)) - The law establishes clear boundaries for when agencies can share personal information, moving from general principles to specific enumerated conditions. Agencies may only disseminate personal information in these six circumstances:
    • Legal compliance - To the extent necessary to comply with state or federal law, including HIPAA and other regulatory requirements 
    • Program administration - To the extent necessary to carry out the administration of a state or federal program pursuant to state or federal law 
    • Legal process - To comply with a subpoena, court order, or administrative proceeding 
    • Procurement and educational agreements - To the extent necessary to ensure fulfillment of obligations under contracts made in accordance with the Virginia Public Procurement Act OR memoranda of understanding or management agreements made under the Restructured Higher Education Financial and Administrative Operations Act 
    • Individual consent - When the data subject has given consent (now defined as "a clear affirmative act signifying a data subject's freely given, specific, informed, and unambiguous agreement")
    • Proper agency purpose - To the extent necessary to accomplish a proper purpose of the agency (which includes specific activities like streamlining services, preventing fraud, conducting research, and performing data analytics) 
  4. Stricter standard for individual authorization - HB1161 makes an important terminological change throughout the statute, replacing the word "permission" with "consent" and establishing a formal definition. Under the previous law, agencies could disseminate information with a data subject's "documented permission." The new law requires "consent," which is now defined as "a clear affirmative act signifying a data subject's freely given, specific, informed, and unambiguous agreement to disseminate personal information."

The law also strengthens enforcement. Courts may now impose civil penalties on specific public officers, appointees, or employees who willfully and knowingly violate the dissemination restrictions. For violations of the dissemination provisions, individual penalties range from $500 to $2,500 for a first offense, and $2,500 to $10,000 for subsequent violations. This creates direct individual accountability beyond agency-level compliance. 

Important Data Sharing Exception: Commonwealth Data Trust 

Section 2.2-203.2:4(E) of the Code of Virginia establishes that ODGA is considered an agent of any executive branch agency that shares information with the Office, and interagency data shared through this mechanism does not constitute a disclosure or release under statutory or administrative law governing the data. 

This means agencies can continue to participate in Commonwealth Data Trust initiatives for cross-agency collaboration, analytics, and data-driven decision making without triggering the dissemination restrictions in HB1161.  

What This Means for Your Agency 

These changes require agencies to carefully evaluate current data sharing practices and policies. Data sharing that may have been routine under previous interpretations must now fit within one of the six listed categories, and agencies must be prepared to document the legal basis for any dissemination. 

Key operational considerations: 

  • Review existing data-sharing agreements and practices to ensure they align with one of the six permitted dissemination categories 
  • Document the legal basis for any dissemination, particularly routine sharing arrangements 
  • Understand the Commonwealth Data Trust exception - sharing through ODGA is not considered dissemination and remains a valuable tool for interagency collaboration 
  • Update consent forms and notices to reflect the new definition of consent and enhanced notification requirements 
  • Revise privacy policies on agency websites to reflect the prohibition on selling personal information and the limited dissemination framework 
  • Update training materials to ensure staff understand both the new restrictions and the individual liability implications of willful violations 
  • Consult legal counsel before establishing new data-sharing arrangements, particularly with federal agencies or private entities, or when responding to data requests that fall outside the six categories 

The law doesn't eliminate necessary data sharing for legitimate governmental purposes - it simply requires that sharing fit within defined parameters and that agencies can articulate which of the six conditions applies. The "proper purpose" category (condition 6) retains flexibility for inter-agency collaboration to improve services, prevent fraud, and conduct research, but agencies should document how specific sharing arrangements accomplish these purposes. 

Questions?

Our office is available to help agencies understand how these changes affect their specific data governance practices and information systems. For questions about HB1161's application to your agency's operations, please reach out to odga@odga.virginia.gov