[co-author: Hilary Higgins]
The Virginia Consumer Data Privacy Act (CDPA)—which is set to go into effect on January 1, 2023—will likely be amended in the coming days. The Virginia House and Senate have passed four amendments that, most notably, address how businesses can process deletion requests and reshape the scope of the law’s non-profit exemption. These bills will now be sent to Virginia’s Governor, and he will have until April 11 to review them and potentially sign them into law.
As we previously noted, these amendments were inspired by a November 2021 report by the working group that was established under the law to suggest improvements. Because the Virginia CDPA does not provide the state Attorney General with rulemaking authority, any changes to the law must come from the state legislature. If you would like to learn more about the Virginia CDPA, visit our past post here.
Amendments to Virginia’s CDPA
Expand Non-Profits Exemption. The Virginia CDPA already exempts “nonprofit organizations,” but two potential amendments expand which nonprofits are exempt from the CDPA. SB 534 and HB 714 both revise the definition to include “any political organization,” which they define as a “party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.”
Both bills also define a nonprofit organization to include “any organization exempt from taxation under § 501(c)(4) of the Internal Revenue Code that is identified in § 52-41.” § 52-41 of the Virginia Code applies to certain insurance fraud organizations that operate in the context of the state police. Lastly, the bills define a nonprofit to include “any subsidiary or affiliate of entities organized pursuant to Chapter 9.1 (§ 56-231.15 et seq.) of Title 56.” Chapter 9.1 refers to utility consumer services cooperatives and utility aggregation cooperatives.
Deletion Requests. HB 381 and SB 393 make it easier for controllers that obtain consumer personal data from sources other than the consumer to comply with the consumer’s right to delete. Under the amendments, a controller that obtained personal data about a consumer from a source other than the consumer is in compliance with the consumer’s request to delete if it either: (a) “retain[s] a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not us[e] such retained data for any other purpose” pursuant to the CDPA; or (b) “opt[s] the consumer out of the processing of such personal data for any purpose except for those exempted” pursuant to the CDPA. These amendments will help data brokers and other companies that do not directly process consumer data comply with requests to delete.
Deletion of Consumer Privacy Fund. SB 534 and HB 714 both eliminate the Consumer Privacy Fund. The bills note that civil penalties, expenses and fees will instead be paid to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.