Virginia is for lovers (of privacy) - The Consumer Data Protection Act passes into law

Eversheds Sutherland (US) LLP

On March 2, 2021, Governor Northam signed the Virginia Consumer Data Protection Act (CDPA or the Act), making it the country’s second comprehensive data privacy legislation following California’s Consumer Protection Act of 2018 (CCPA). It is unlikely to be the last, emphasizing the importance for companies to adopt and maintain a proactive and comprehensive data strategy.

Set to take effect on January 1, 2023, the CDPA requires businesses to make significant changes to their privacy policies and to provide covered consumers with substantial rights. Note that the Virginia Attorney General’s office will be the sole enforcement authority as the Act does not provide a private right of action for consumers.

Covered entities and data
The CDPA applies to entities of a certain size that do business in Virginia or have users based in Virginia – those that “control or process” personal information of (1) 100,000 or more Virginia residents in a calendar year, or (2) 25,000 or more Virginia residents, if the entity derives 50% or more of its gross revenue from the sale of personal data. Similar to the CCPA, nonprofit organizations and institutions of higher education are exempt from the Act’s requirements.

The CDPA also provides an extensive list of definitions that includes terms like “controller” and “processor,” which are important because each of these roles carries different duties and obligations. Covered consumers are defined very specifically in the Act as individuals acting on their own or in a “household context,” meaning that the definition does not include actions “in a commercial or employment context.” In effect, this means that employee data and business-to-business data are exempt from the CDPA. “Personal data,” similar to the CCPA and Europe’s GDPR, is defined broadly as any information that is “linked or reasonably linkable to an identified or identifiable natural person.” The Act does not apply at the entity level to financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), including insurance companies, broker-dealers and banks, nor does it apply to covered entities under the Health Insurance Portability and Accountability Act (HIPAA). These are much broader exclusions than are provided by the CCPA. It also exempts certain health data and information subject to other privacy regimes, including GLBA, the Fair Credit Reporting Act and the Family Education Rights and Privacy Act.

Consumer rights
When an interaction meets all of the required criteria, Virginia residents gain the following explicit rights for how their data is handled:

  • The right to confirm if a controller has their data and, if so, to access it and/or obtain a copy of it.
  • The right to correct inaccuracies in the data the controller has.
  • The right to have a controller delete personal data provided by or obtained by residents.
  • The right to opt out of having their data used for targeted advertising; having it sold to a third party; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the customer.
  • The right to appeal a controller’s refusal to take action on a request related to these rights; the controller must also provide a link or other mechanism to contact the Attorney General to submit a complaint in the event that the resident’s appeal is denied.

Notably, the “sale of personal data” is limited to the exchange of personal data for monetary consideration. This is different from the CCPA, which defines a sale more broadly to include “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means” the personal information of a consumer to another business or third party “for monetary or other valuable consideration.” However, like in the CCPA, the CDPA does allow controllers to avoid a sale by having certain contractual provisions in place. As such, a “sale” does not include (i) the disclosure of personal data to a processor who processes the personal data on behalf of the controller; (ii) the disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller; (iii) the disclosure or transfer of personal data to an affiliate of the controller; or (iv) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller's assets.

Also similar to the CCPA, the Act requires (1) controllers to provide consumers with an “accessible, clear and meaningful” privacy notice; (2) controllers to disclose if they process personal data for direct marketing or sell it to data brokers; (3) controllers to limit their data collection to what is adequate, relevant and reasonably necessary to perform the purposes for which such data is processed, as disclosed to the consumer; and (4) a written contract between controllers and processor that meets certain requirements outlined in section 59.1-575(B) of the Act. Different from the CCPA, which gives consumers an opt-out right regarding the processing of sensitive information, the CDPA requires controllers to obtain a consumer’s consent (opt-in) to process sensitive data about the consumer. The CDPA defines consent as “a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer” and sensitive data as “(1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal data collected from a known child; or (4) precise geolocation data.”

Additionally, like the European Union’s General Data Protection Regulation, the CDPA requires controllers to conduct a risk assessment of each of their processing activities involving personal data and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers.

The Act allows for a 45-day response period to consumer rights requests, with one 45-day extension when reasonably necessary. Processors must also reasonably assist controllers in responding to consumer rights requests and in meeting their security and data breach obligations.

Data protection assessments
As mentioned above, data controllers are required to conduct data protection assessments of any processing activities that involve personal data used in any of the following: (a) targeted advertising; (b) sale of personal data; (c) for purposes of profiling; (d) sensitive data; and (e) data that presents a heightened risk of harm to consumers. A data protection assessment should identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing as mitigated by safeguards that can be employed by the controller to reduce such risks. This is similar to, but not as specific as, the data protection impact assessment (DPIA) requirement in the GDPR, which requires an assessment to contain a description of the processing operations and the purposes of processing; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address the risks.

The Virginia Attorney General can not only request that a controller disclose data protection assessments but is also specifically tasked with evaluating the assessments for compliance with the responsibilities set out in the Act.

Enforcement
Although it mandates that controllers’ data collection practices be limited to “what is adequate, relevant and reasonably necessary,” the CDPA does not include any private right of action. Only the Virginia Attorney General’s office can pursue a case against a violating entity. The Virginia Attorney General also has rulemaking authority per the state’s administrative law. Relief under the CDPA can include injunctive relief and damages for up to $7,500 per violation, as well as “reasonable expenses incurred in investigating and preparing the case, including attorney fees.”

The CDPA also includes a provision establishing a “work group composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates … to review the provisions of this act and issues related to its implementation” and submit “findings, best practices, and recommendations regarding the implementation of this act … no later than November 1, 2021.”

Conclusion
This latest enhanced privacy law is unlikely to be the last, putting a premium yet again on establishing and maintaining a proactive and comprehensive data strategy. Companies may want to consider not only planning to implement the CDPA but also how to better future-proof their privacy posture in light of a rapidly evolving compliance environment.

Along those same lines, companies that already have a GDPR or CCPA compliance program likely will find themselves in a very good position to leverage that work to ensure compliance with Virginia law. Virginia expressly modeled its law on the GDPR and the CCPA, so companies looking to be more front-footed would do well to perceive the trends and get ahead of them.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
