Analyzing The 2020 Virginia Privacy Act And Sale Of Personal Data Act

Husch Blackwell LLP

Keypoint: The Virginia Privacy Act would create CCPA-like rights for Virginia residents while the Sale of Personal Data Act would create rights vis-à-vis “data sellers.”

Lawmakers in Virginia have proposed two bills that, if enacted, would create a number of privacy rights for Virginia residents and compliance burdens for covered entities.

The first bill – the Virginia Privacy Act (HB 473) – was prefiled on January 3, 2020, and offered on January 8, 2020. It would create CCPA-like rights for Virginia residents and new obligations on businesses such as a requirement to conduct risk assessments.

The second bill – which is unnamed but for our purposes will be referred to as the Sale of Personal Data Act (SB 641) – was prefiled on January 7, 2020, and offered on January 8, 2020. Among other things, it would require data sellers to implement reasonable security measures to protect personal data, respond to certain types of privacy requests, and notify Virginia residents of data breaches.

In addition to Virginia, lawmakers have proposed consumer privacy legislation in Florida, Illinois, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.

Below is our analysis of Virginia’s proposed legislation (as introduced). We will first analyze the Virginia Privacy Act and then separately analyze the Sale of Personal Data Act.

2020 Virginia Privacy Act

To Whom Does it Apply?

“Consumers,” which is defined as natural persons who are residents of the Commonwealth of Virginia acting only in an individual or household context. It does not include natural persons acting in a commercial or employment context.

What Entities are Covered?

Any legal entity that conducts business in Virginia or produces products or services that are intentionally targeted to Virginia residents and that (1) controls or processes the personal data of at least 100,000 consumers or (2) derives over 50% of its gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.

Excluded from the Act’s scope are state, county, city or town governments and local school boards.

What Information is Covered?

“Personal data,” which is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The term does not include deidentified data or publicly available information.

What Rights are Created?

The Act contains a number of qualifications and exceptions to the rights it establishes. If the legislation is passed, those provisions will need to be more closely analyzed. However, the rights can be generally summarized as follows:

  • Right to Access. Consumers would have the right to confirm whether or not their personal data is being processed by the controller, including whether such personal data is sold to data brokers and, where personal data is being processed by the controller, request and be provided access to such information.
  • Right to Correction. Consumers would have the right to correct inaccurate personal data that the controller maintains.
  • Right to be Forgotten. Consumers would have the right to request that controllers delete their personal data, subject to a number of exceptions.
  • Right to Restrict Processing. Consumers would have the right to request that controllers restrict the processing of personal data that the controller maintains in identifiable form if the purpose for which the personal data is processed is (i) not consistent with a purpose for which the personal data was collected, (ii) not consistent with a purpose disclosed to the consumer at the time of collection or authorization, or (iii) unlawful. Consumers also would have the right to object to the processing of their personal data for targeted advertising, which includes the sale of personal data concerning consumers to third parties for purposes of targeted advertising.

Are there Any Exemptions?

Yes. For example, the Act would not apply to information that meets the definition of HIPAA protected health information; personal data collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, if the collection, processing, sale or disclosure is in compliance with the GLBA; and data maintained for employment record purposes.

Would Companies Need to Update their Online Privacy Policies?

Yes. The Act would require businesses to provide a privacy notice with the following information:

  • The categories of personal data collected by the controller;
  • The purposes for which the categories of personal data are used and disclosed to third parties, if any;
  • The rights that consumers may exercise pursuant to the Act, if any;
  • The categories of personal data that the controller shares with third parties, if any;
  • The categories of third parties, if any, with whom the controller shares personal data; and
  • If a controller sells personal data to data brokers or processes personal data for targeted advertising, it shall disclose such processing, as well as the manner in which a consumer may exercise the right to object to such processing.

Subject to a number of exceptions, the Act defines “sale” as “the exchange of personal data for monetary consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.”

How Would it be Enforced?

Violations would constitute a prohibited practice under Virginia’s Consumer Protection Act (VCPA) and be subject to any of its enforcement provisions. Section 204 of the VCPA permits any “person who suffers loss as the result of a violation of [the VCPA] to initiate an action to recover actual damages, or $500, whichever is greater. If the trier of fact finds that the violation was willful, it may increase damages to an amount not exceeding three times the actual damages sustained, or $1,000, whichever is greater.” Litigants also could be awarded reasonable attorneys’ fees and costs. Violations also would be enforceable by the Attorney General’s office, which could seek civil penalties of not more than $2,500 for willful violations.

When Would it be Effective?

The Act does not contain an effective date. Virginia Code § 1-214 establishes a presumptive effective date of July 1, unless a date is specified in the legislation.

Anything Else?

Controllers would be required to conduct risk assessments on each of their processing activities involving personal data. If the risk assessment determines that the potential risks of privacy harm to consumers are substantial and outweigh the interests of the controller, consumer, other stakeholders, and the public in processing the personal data of the consumer, the controller would only be permitted to engage in such processing with the consent of the consumer or if another exemption applies. Risk assessments would need to be provided to the state Attorney General upon request.

2020 Sale of Personal Data Act

To Whom Does it Apply?

“Consumers,” which is defined as “a natural person who is a resident and domiciliary of the Commonwealth.”

What Entities are Covered?

“Data sellers,” which is defined as “a person that disseminates, obtains, maintains, or collects personal data about a consumer for a fee.”

What Information is Covered?

“Personal data,” which is defined as “any information that could be used to identify an individual consumer, including such consumer’s date of birth, social security number, credit card information (including account number, expiration date, and security code), passwords, personal identification numbers (PINs), or information about an individual consumer’s character, habits, spending, hobbies, or personal interests.”

What Rights are Created?

Data sellers would be required to:

  • implement and maintain reasonable security procedures and practices to protect the confidentiality of a consumer’s personal data and the accuracy of public record information;
  • implement processes to obtain the express consent of a parent or guardian of a minor before selling the personal data of such minor;
  • implement procedures for consumers to submit a request to obtain any of their own personal data maintained by the data seller, including, at a minimum, a toll-free telephone number, and to obtain a copy of such data or any of such data sold to another entity by the data seller regarding the consumer;
  • refrain from maintaining or selling personal data about a consumer that it knows to be inaccurate;
  • provide a link on the homepage of the website of the data seller labeled “Do Not Sell My Personal Information” that directs a consumer to a webpage enabling him or her, or an authorized representative, to opt out of the sale of the consumer’s personal data; and
  • in the event of a data breach, notify all affected consumers via mail or email within 30 days of the discovery of the breach and send a copy of the notice to the Attorney General’s office.

Are there Any Exemptions?

The Act would not apply to the Commonwealth or any agency, commission, instrumentality, or political subdivision thereof; any clerk of court; any organization that is tax exempt pursuant to § 501(c) or 527 of the Internal Revenue Code; or the activity of any consumer reporting agency that is subject to civil liability pursuant to 15 U.S.C. § 1681.

Would Companies Need to Update their Online Privacy Policies?

Maybe. The Act does not specifically require data sellers to revise their online privacy policies but some of its provisions may result in data sellers making revisions to explain the rights provided under the Act and the mechanisms for making requests.

How Would it be Enforced?

The Attorney General or an attorney for the Commonwealth could seek $2,500 for each unintentional violation and up to $7,500 for each intentional violation. The Act also would provide consumers with a private right of action against data sellers. Consumers could recover up to $1,000 per violation, in addition to actual damages caused by such violation, punitive damages in cases in which the data seller’s conduct was willful, and reasonable attorney fees, expert witness expenses, and costs. The Act also would specifically authorize class actions.

When Would it be Effective?

The Act does not contain an effective date. Virginia Code § 1-214 establishes a presumptive effective date of July 1, unless a date is specified in the legislation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising
