Subcommittee carries data‑broker registration bill after industry questions on CDPA overlap
February 04, 2026 | 2026 Legislature VA, Virginia
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
The subcommittee discussed a broad substitute that would regulate data brokers by prohibiting acquisition or use of personally identifiable information for stalking, harassment, fraud or unlawful discrimination and by requiring registration and disclosures.
Delegate Maldonado said the bill closes gaps left by the current Virginia Consumer Data Protection Act (CDPA), noting the substitute would require registrants to disclose categories of data collected, whether data is shared with foreign governments or AI developers, whether minors’ data is held, and the number of security breaches experienced.
The substitute contains a delayed effective date—December 2027—to give companies time to prepare, a 30‑day cure period before AG enforcement, and civil penalties of up to $7,500 per violation. Enforcement rests with the Attorney General and does not include a private right of action.
Industry witnesses warned the bill’s definitions may be overbroad and could sweep in companies not intended to be data brokers and suggested potential conflicts with CDPA definitions. William Janis Martinez, counsel for a security coalition, described the bill as “over inclusive” and asked the committee to study interactions with existing statutes.
Given those concerns, the committee voted to carry the measure to 2027 for further study and alignment with the CDPA.
Delegate Maldonado said the bill closes gaps left by the current Virginia Consumer Data Protection Act (CDPA), noting the substitute would require registrants to disclose categories of data collected, whether data is shared with foreign governments or AI developers, whether minors’ data is held, and the number of security breaches experienced.
The substitute contains a delayed effective date—December 2027—to give companies time to prepare, a 30‑day cure period before AG enforcement, and civil penalties of up to $7,500 per violation. Enforcement rests with the Attorney General and does not include a private right of action.
Industry witnesses warned the bill’s definitions may be overbroad and could sweep in companies not intended to be data brokers and suggested potential conflicts with CDPA definitions. William Janis Martinez, counsel for a security coalition, described the bill as “over inclusive” and asked the committee to study interactions with existing statutes.
Given those concerns, the committee voted to carry the measure to 2027 for further study and alignment with the CDPA.
Don't Miss a Word: See the Full Meeting!
Go beyond summaries. Unlock every video, transcript, and key insight with a Founder Membership.
✓
Get instant access to full meeting videos
✓
Search and clip any phrase from complete transcripts
✓
Receive AI-powered summaries & custom alerts
✓
Enjoy lifetime, unrestricted access to government data
30-day money-back guarantee
