The Virginia Consumer Data Protection Act (CDPA) became law earlier this week when the state’s governor signed a bill recently adopted by the state’s legislature, making Virginia the second state in the nation with a comprehensive privacy law. The law also continues a concerning pattern of unoriginal state privacy law acronyms that should bother privacy lawyers everywhere.
As with any comprehensive privacy law, there is a lot to digest. For now, this post summarizes seven key aspects of the CDPA for privacy lawyers and organizations to keep in mind when thinking about the work that lies ahead.
The law’s scope is broad, but so are the exceptions. The CDPA applies to persons that:
- either (i) conduct business in Virginia or (ii) produce products or services that are targeted to Virginia residents; and
- in a calendar year, either (i) control or process personal data of at least 100,000 Virginia residents acting in an individual or household context or (ii) control or process personal data of at least 25,000 Virginia residents acting in an individual or household context and derive over 50 percent of their gross revenue from the sale of personal data.
But the statute also contains several broad and useful entity-level exceptions, including for financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education.
The statute also exempts various specific categories of data and activities from its scope, including personal data regulated by FERPA, PHI as defined by HIPAA, certain clinical trial data, and certain personal data processing regulated and authorized by the FCRA. There is also a broad exception for employment-related personal data processing.
Personal data is defined broadly. The law defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” De-identified data and publicly available information, however, are excluded from the definition.
Direct application to both controllers and processors. The CDPA’s requirements distinguish between controllers and processors, but the statute applies directly to both. The law’s requirements for controllers include specific notice and transparency obligations, affirmative data security responsibilities, a requirement to provide individuals an opportunity to exercise individual rights (described below), a requirement limiting processing scope and purposes in accordance with CDPA standards, and conducting data protection assessments (also described below). Processors, by contrast, are required to comply with the controller’s instructions and assist with the controller’s CDPA compliance, including by assisting with individual rights requests, processing personal data securely, notifying controllers of data breaches, and assisting with data protection assessments. Controllers and processors will also need to enter into contracts that address specific CDPA-mandated concepts.
California-style individual rights, but also an opt-in consent right for processing sensitive data. The CDPA provides several individual rights to Virginia residents, most of which are conceptually similar to those enjoyed by Californians under the CCPA and CPRA. Those rights include (1) the ability to access, amend, or delete personal data, (2) a data portability right, and (3) opt-out rights for targeted advertising, sales of personal data, and certain profiling decisions about the individual.
But the CDPA also requires controllers to obtain opt-in consent to process “sensitive data,” which is defined as including (1) “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status,” (2) “processing of genetic or biometric data for the purpose of uniquely identifying a natural person,” (3) “personal data collected from a known child” under the age of 13, and (4) “precise geolocation data.” Consent requires “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer” in writing, electronically, or through “any other unambiguous affirmative action.”
Data protection assessments. The CDPA will require controllers to conduct and document data protection assessments for certain kinds of processing activities. Those activities include targeted advertising, personal data sales, profiling, sensitive data processing (as described above), and “processing activities involving personal data that present a heightened risk of harm to consumers.” These assessments are required to weigh the risks and benefits of the processing, must consider the potential for use of de-identified data instead of personal data, and factor in consumers’ reasonable expectations. The statute also provides that the Virginia attorney general may request and obtain data protection assessments for investigations of suspected noncompliance, but also states that disclosing a data protection assessment to the Virginia attorney general will not waive attorney-client privilege or work product protection over the assessment.
No private right of action, but AG enforcement with a mandatory notice-and-cure period. The CDPA does not include a private right of action—enforcement authority is exclusively granted to the Virginia attorney general. The attorney general can obtain injunctive relief, civil penalties up to $7,500 per violation, and recover attorney fees and other costs of investigating and bringing an enforcement action.
Before commencing an enforcement action, however, the attorney general is required to provide 30 days’ written notice to the controller or processor. If, within that 30-day cure period, the controller or processor cures the violation and provides “an express written statement that the alleged violations have been cured and that no further violations shall occur,” the statute provides that “no action shall be initiated against the controller or processor.”
Effective on January 1, 2023. The CDPA becomes effective on January 1, 2023, the same effective date as the CPRA, which will no doubt make privacy lawyers’ 2022 winter holidays the happiest ever.