First Europe installed a strict data privacy scheme when it enacted its General Data Protection Regulation (GDPR), then the trend crossed the Atlantic as California lawmakers passed their own data privacy law known as the California Consumer Privacy Act (CCPA). Up next is …Virginia? The Commonwealth of Virginia is poised to enact the Consumer Data Protection Act (CDPA), which would take effect and impact many businesses across the state beginning in January 2023. What do you need to know about this impending shift?

The CDPA (currently pending as two identical bills, one adopted by the Virginia House on January 29, 2021 and one approved by the Virginia Senate on February 5, 2021) is seen to be more business-friendly than its California counterpart, as the Virginia legislation applies only to businesses that control or process personal data of at least 100,000 consumers per year. Businesses which process the data of at least 25,000 consumers per year and make more than half of their gross revenue from selling personal data will also be affected, but businesses must be based in Virginia or serving Virginians to come under the law’s requirements.

Although Virginia’s CDPA has similarities to both the GDPR and CCPA, it also has important differences. Like the CCPA, the Virginia law will allow consumers to opt out of the sale of their personal data (defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person”), receive a copy of their online data, amend or delete the data pertaining to them, and provide portability rights. Unlike the CCPA, however, consumers will not be permitted to opt out of the sharing of their personal data where the personal data is shared but no money is exchanged. More importantly for workplace law purposes, employment data falls outside of the scope of the current Virginia legislation.

Similar to concepts found in the GDPR, data controllers following Virginia’s law must limit the collection of personal data to that which is relevant, adequate, and reasonably necessary to the purpose for which the data is processed under the current version of the CDPA. Data controllers will also be required to maintain reasonable security practices to protect the data under their control. The processing of sensitive data will require consumer consent, which is defined as a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement” to process their data. The CDPA will also require that notice be given to consumers to clearly disclose the categories of personal data collected, the purpose for the collection, the categories of data shared with third parties, and the means by which consumers can exercise their rights under the CDPA. The bill also requires that affected businesses perform data protection assessments, which could be requested by the Virginia Attorney General at any time, and requires that there must be data processing agreements in place between data controllers and processors.

Another positive for the business community: while the Virginia attorney general’s office would be responsible for enforcement, there is currently no private right of action that would otherwise create a minefield of potential court actions.  This is controversial, however, and could be subject to amendment before 2023.

In preparation, affected businesses will want to be sure to understand the consumer data they currently process and store to ensure that no more data is collected than necessary, and current security practices protecting that data should be reviewed and updated if necessary.  Businesses will also need to begin reviewing their agreements with data processing vendors.  To the extent an affected business does not have such agreements in place, it is a good idea to begin putting formal agreements in place.  Affected businesses will also want to consider how to manage consumers’ requests regarding their personal data, as well as how sensitive data consent will be collected. 

Fisher Phillips will continue to monitor the progress of the CDPA, which is awaiting reconciliation and then will be sent to Governor Northam for signature, likely sometime this month.  The Governor is expected to sign the bill, which had broad bipartisan support.