Virginia - Personal Information Privacy Act
Personal Information Privacy Act
§ 59.1-442. Sale of purchaser information; notice required
A. No merchant, without giving notice to the purchaser, shall sell to any third person information that concerns the purchaser and that is gathered in connection with the sale, rental, or exchange of tangible personal property to the purchaser at the merchant's place of business. Notice required by this section may be by the posting of a sign or any other reasonable method. If requested by a purchaser not to sell such information, the merchant shall not do so. No merchant shall sell any information gathered solely as the result of any customer payment by personal check, credit card, or where the merchant records the number of the customer's driver's license or other document issued under Chapter 3 (§ 46.2-300 et seq.) of Title 46.2 or the comparable law of another jurisdiction. This subsection shall not be construed as authorizing a merchant to sell to a third person any information concerning a purchaser if the sale or dissemination of the information is prohibited pursuant to § 59.1-443.3.
B. For the purposes of this section and § 59.1-443.3, "merchant" means any person or entity engaged in the sale of goods from a fixed retail location in Virginia.
1992, c. 807; 2014, cc. 789, 795; 2020, cc. 1227, 1246.
§ 59.1-443. Exceptions
Section 59.1-442 shall not apply to: (i) information gathered for purposes of extending credit or the recording and sale, rental, exchange or disclosure to others of information obtained from any public body as defined in the Virginia Freedom of Information Act (§ 2.2-3700 et seq.); (ii) the sale of information concerning a check or credit card transaction when it is incidental to the sale or other disposition of accounts receivable; (iii) the furnishing by a merchant of information on check writing activity of its customers in conjunction with check validation transactions; or (iv) information sold in connection with any sale by a business of the business's retail operations at one or more locations, provided that the information is sold only to the purchasers thereof.
1992, c. 807; 1993, c. 453; 2004, c. 241.
§ 59.1-443.1. Recording date of birth as condition of accepting checks prohibited
A. As used in this section:
"Check" shall have the same meaning as defined in § 8.3A-104.
B. Except as provided in subsection C, no person who accepts checks for the transaction of business shall, as a condition of accepting the check, record, or request or require a person to record, his or her date of birth upon the check or otherwise.
C. This section does not require a person to accept checks for the transaction of business. Nothing in this section shall apply to (i) the collection or use of a date of birth that is unrelated to accepting payment by check or (ii) a requirement that the person paying by check provide the year of his birth.
2004, c. 241; 2005, c. 839.
§ 59.1-443.2. Restricted use of social security numbers
A. Except as otherwise specifically provided by law, a person shall not:
1. Intentionally communicate another individual's social security number to the general public;
2. Print an individual's social security number on any card required for the individual to access or receive products or services provided by the person;
3. Require an individual to use his social security number to access an Internet website, unless a password, unique personal identification number or other authentication device is also required to access the site; or
4. Send or cause to be sent or delivered any letter, envelope, or package that displays a social security number on the face of the mailing envelope or package, or from which a social security number is visible, whether on the outside or inside of the mailing envelope or package.
B. This section does not prohibit the collection, use, or release of a social security number as permitted by the laws of the Commonwealth or the United States, or the use of a social security number for internal verification or administrative purposes unless such use is prohibited by a state or federal statute, rule, or regulation.
C. In the case of any (i) health care provider as defined in § 8.01-581.1, (ii) manager of a pharmacy benefit plan, (iii) insurer as defined in § 38.2-100, (iv) corporation providing a health services plan, (v) health maintenance organization providing a health care plan for health care services, or (vi) contractor of any such person, the prohibition contained in subdivision 2 of subsection A shall become effective on January 1, 2006.
D. This section shall not apply to public bodies as defined in § 2.2-3701.
E. No person shall embed an encrypted or unencrypted social security number in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the social security number as required by this section.
2005, c. 640; 2008, cc. 562, 820.
§ 59.1-443.3. Scanning information from driver's license or other document; retention, sale, or dissemination of information
A. No merchant may scan the machine-readable zone of a driver's license or other document issued by the Department of Motor Vehicles under Chapter 3 (§ 46.2-300 et seq.) of Title 46.2 or the comparable law of another jurisdiction, except for the following purposes:
1. To verify authenticity of the driver's license or other document or to verify the identity of the individual if the individual requests a service pursuant to a membership or a service agreement, pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
2. To verify the individual's age when providing age-restricted goods or services to the individual if there is a reasonable doubt of the individual having reached 18 years of age or older;
3. To prevent fraud or other criminal activity if the individual returns an item or requests a refund or an exchange and the merchant uses a fraud prevention service company or system. Information collected by scanning an individual's driver's license or other document pursuant to this subdivision shall be limited to the individual's name, address, and date of birth and the number of the driver's license or other document;
4. To comply with a requirement imposed on the merchant by the laws of the Commonwealth or federal law;
5. To provide to a check services company regulated by the federal Fair Credit Reporting Act, (15 U.S.C. § 1681 et seq.), that receives information obtained from an individual's driver's license or other document to administer or enforce a transaction or to prevent fraud or other criminal activity; or
6. To complete a transaction permitted under the federal Gramm-Leach-Bliley Act, (15 U.S.C. § 6801 et seq.), or the federal Fair Credit Reporting Act, (15 U.S.C. § 1681 et seq.).
B. No merchant shall retain any information obtained from a scan of the machine-readable zone of an individual's driver's license or other document except as permitted in subdivision A 1, 3, 4, 5, or 6. The merchant shall destroy the retained information when the purpose for which it was provided and retained under this section has been satisfied.
C. No merchant shall sell or disseminate to a third party any information obtained from a scan of the machine-readable zone of an individual's driver's license or other document for any marketing, advertising, or promotional purpose. This subsection shall not prohibit a merchant from disseminating to a third party any such information for a purpose described in subdivision A 3, 4, 5, or 6.
D. Any waiver of a provision of this section is contrary to public policy and is void and unenforceable.
2014, cc. 789, 795; 2020, cc. 542, 1227, 1246.
§ 59.1-444. Damages
A person aggrieved by a violation of any provision of this chapter, except § 59.1-443.2, shall be entitled to institute an action to recover damages in the amount of $100 per violation. In addition, if the aggrieved party prevails, he may be awarded reasonable attorney's fees and court costs. Actions under this section shall be brought in the general district court for the city or county in which the transaction or other violation that gave rise to the action occurred. A violation of the provisions of § 59.1-443.2 is a prohibited practice under the Virginia Consumer Protection Act (§ 59.1-196 et seq.).
1992, c. 807; 1993, c. 453; 2004, c. 241; 2005, c. 640.
§ 59.1-442. Sale of purchaser information; notice required
A. No merchant, without giving notice to the purchaser, shall sell to any third person information that concerns the purchaser and that is gathered in connection with the sale, rental, or exchange of tangible personal property to the purchaser at the merchant's place of business. Notice required by this section may be by the posting of a sign or any other reasonable method. If requested by a purchaser not to sell such information, the merchant shall not do so. No merchant shall sell any information gathered solely as the result of any customer payment by personal check, credit card, or where the merchant records the number of the customer's driver's license or other document issued under Chapter 3 (§ 46.2-300 et seq.) of Title 46.2 or the comparable law of another jurisdiction. This subsection shall not be construed as authorizing a merchant to sell to a third person any information concerning a purchaser if the sale or dissemination of the information is prohibited pursuant to § 59.1-443.3.
B. For the purposes of this section and § 59.1-443.3, "merchant" means any person or entity engaged in the sale of goods from a fixed retail location in Virginia.
1992, c. 807; 2014, cc. 789, 795; 2020, cc. 1227, 1246.
§ 59.1-443. Exceptions
Section 59.1-442 shall not apply to: (i) information gathered for purposes of extending credit or the recording and sale, rental, exchange or disclosure to others of information obtained from any public body as defined in the Virginia Freedom of Information Act (§ 2.2-3700 et seq.); (ii) the sale of information concerning a check or credit card transaction when it is incidental to the sale or other disposition of accounts receivable; (iii) the furnishing by a merchant of information on check writing activity of its customers in conjunction with check validation transactions; or (iv) information sold in connection with any sale by a business of the business's retail operations at one or more locations, provided that the information is sold only to the purchasers thereof.
1992, c. 807; 1993, c. 453; 2004, c. 241.
§ 59.1-443.1. Recording date of birth as condition of accepting checks prohibited
A. As used in this section:
"Check" shall have the same meaning as defined in § 8.3A-104.
B. Except as provided in subsection C, no person who accepts checks for the transaction of business shall, as a condition of accepting the check, record, or request or require a person to record, his or her date of birth upon the check or otherwise.
C. This section does not require a person to accept checks for the transaction of business. Nothing in this section shall apply to (i) the collection or use of a date of birth that is unrelated to accepting payment by check or (ii) a requirement that the person paying by check provide the year of his birth.
2004, c. 241; 2005, c. 839.
§ 59.1-443.2. Restricted use of social security numbers
A. Except as otherwise specifically provided by law, a person shall not:
1. Intentionally communicate another individual's social security number to the general public;
2. Print an individual's social security number on any card required for the individual to access or receive products or services provided by the person;
3. Require an individual to use his social security number to access an Internet website, unless a password, unique personal identification number or other authentication device is also required to access the site; or
4. Send or cause to be sent or delivered any letter, envelope, or package that displays a social security number on the face of the mailing envelope or package, or from which a social security number is visible, whether on the outside or inside of the mailing envelope or package.
B. This section does not prohibit the collection, use, or release of a social security number as permitted by the laws of the Commonwealth or the United States, or the use of a social security number for internal verification or administrative purposes unless such use is prohibited by a state or federal statute, rule, or regulation.
C. In the case of any (i) health care provider as defined in § 8.01-581.1, (ii) manager of a pharmacy benefit plan, (iii) insurer as defined in § 38.2-100, (iv) corporation providing a health services plan, (v) health maintenance organization providing a health care plan for health care services, or (vi) contractor of any such person, the prohibition contained in subdivision 2 of subsection A shall become effective on January 1, 2006.
D. This section shall not apply to public bodies as defined in § 2.2-3701.
E. No person shall embed an encrypted or unencrypted social security number in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the social security number as required by this section.
2005, c. 640; 2008, cc. 562, 820.
§ 59.1-443.3. Scanning information from driver's license or other document; retention, sale, or dissemination of information
A. No merchant may scan the machine-readable zone of a driver's license or other document issued by the Department of Motor Vehicles under Chapter 3 (§ 46.2-300 et seq.) of Title 46.2 or the comparable law of another jurisdiction, except for the following purposes:
1. To verify authenticity of the driver's license or other document or to verify the identity of the individual if the individual requests a service pursuant to a membership or a service agreement, pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
2. To verify the individual's age when providing age-restricted goods or services to the individual if there is a reasonable doubt of the individual having reached 18 years of age or older;
3. To prevent fraud or other criminal activity if the individual returns an item or requests a refund or an exchange and the merchant uses a fraud prevention service company or system. Information collected by scanning an individual's driver's license or other document pursuant to this subdivision shall be limited to the individual's name, address, and date of birth and the number of the driver's license or other document;
4. To comply with a requirement imposed on the merchant by the laws of the Commonwealth or federal law;
5. To provide to a check services company regulated by the federal Fair Credit Reporting Act, (15 U.S.C. § 1681 et seq.), that receives information obtained from an individual's driver's license or other document to administer or enforce a transaction or to prevent fraud or other criminal activity; or
6. To complete a transaction permitted under the federal Gramm-Leach-Bliley Act, (15 U.S.C. § 6801 et seq.), or the federal Fair Credit Reporting Act, (15 U.S.C. § 1681 et seq.).
B. No merchant shall retain any information obtained from a scan of the machine-readable zone of an individual's driver's license or other document except as permitted in subdivision A 1, 3, 4, 5, or 6. The merchant shall destroy the retained information when the purpose for which it was provided and retained under this section has been satisfied.
C. No merchant shall sell or disseminate to a third party any information obtained from a scan of the machine-readable zone of an individual's driver's license or other document for any marketing, advertising, or promotional purpose. This subsection shall not prohibit a merchant from disseminating to a third party any such information for a purpose described in subdivision A 3, 4, 5, or 6.
D. Any waiver of a provision of this section is contrary to public policy and is void and unenforceable.
2014, cc. 789, 795; 2020, cc. 542, 1227, 1246.
§ 59.1-444. Damages
A person aggrieved by a violation of any provision of this chapter, except § 59.1-443.2, shall be entitled to institute an action to recover damages in the amount of $100 per violation. In addition, if the aggrieved party prevails, he may be awarded reasonable attorney's fees and court costs. Actions under this section shall be brought in the general district court for the city or county in which the transaction or other violation that gave rise to the action occurred. A violation of the provisions of § 59.1-443.2 is a prohibited practice under the Virginia Consumer Protection Act (§ 59.1-196 et seq.).
1992, c. 807; 1993, c. 453; 2004, c. 241; 2005, c. 640.
