Do you or your clients sell goods from a retail location in Virginia? Do you collect and sell the information you collect about your purchasers? Do your purchasers know?

A recent, newsworthy First Amendment case in the 4th Circuit provides an opportunity to visit these questions. Incidentally, the case involved a privacy activist who was concerned about being charged under the Virginia Personal Information Privacy Act, VA CODE §§ 59.1-442 - 444 for putting up a website that highlighted public documents bearing social security numbers, including those of certain government officials. The court found First Amendment protections in that case, as may be seen in the above links.

But the scope of the Personal Information Privacy Act is not limited to social security numbers.

Some common marketing practices of average retailers may have a bit more difficulty under the Personal Information Privacy Act. This statute requires merchants to give notice to its purchasers when it sells information about its purchasers:

No merchant, without giving notice to the purchaser, shall sell to any third person information which concerns the purchaser and which is gathered in connection with the sale, rental or exchange of tangible personal property to the purchaser at the merchant's place of business.

Id. § 59.1-442. Online or ecommerce merchants - who often transact business in multiple jurisdictions - generally expect to face such a requirement, and are well advised to include such notice within their website privacy policies. However, this statute defines a merchant as “any person or entity engaged in the sale of goods from a fixed retail location in Virginia.” Id. A suggested approach for compliance is the posting of a sign (or any other reasonable method of giving notice). The image inspired is that of a brick and mortar business posting a busy sign detailing a fine print privacy policy. Of course, financial and certain other regulated institutions may already provide something similar in seeking to comply with the financial privacy notice requirements (e.g., Gramm Leach Bliley Act).

Under the Virginia Personal Information Privacy Act., an aggrieved person may be entitled to $100 per violation, reasonable attorney’s fees, and court costs. Id. § 59.1-442. Violations are also considered a prohibited practice under the Virginia Consumer Protection Act, which offers additional remedies.