Virginia Passes Sweeping Data Privacy Legislation Similar to CCPA and GDPRMarch 3, 2021
On March 2, 2021, the Governor of Virginia signed the Consumer Data Protection Act (the “Virginia CDPA”), making Virginia the second state in the nation to adopt sweeping data privacy legislation. As expected, the Virginia CDPA closely resembles, in various ways, existing comprehensive data privacy laws, including the California Consumer Privacy Act of 2018 (“CCPA”) and the E.U.’s General Data Protection Regulation (“GDPR”). However, the Virginia CDPA has unique aspects, including assessments and rights related to targeted advertising. Below is a summary of the key provisions of the Virginia CDPA.
When Does the Virginia CDPA Go into Effect?
The Virginia CDPA will become effective on January 1, 2023, which is the same day that the California Privacy Rights of 2020 (“California CPRA”) will take effect (discussed in a prior alert here). While this day is a few years away, it is important for businesses that may be subject to the Virginia CDPA or the California CPRA to begin planning for their compliance now.
To Which Businesses Does the Virginia CDPA Apply?
The Virginia CDPA applies to a business meeting the following criteria:
- Conducts business in Virginia or produces products or services that are targeted to Virginia residents; and
(a) during a calendar year, controls or processes personal data of at least 100,000 consumers (defined below); or
(b) processes or controls personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data.
The Virginia CDPA does not apply to state or local governments, government agencies, local school boards, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities or business associates subject to HIPAA and HITECH, non-profit organizations, and institutions of higher education.
Notably, the Virginia CDPA’s definition of “consumer” is narrower than the comparable definitions used in the CCPA and the GDPR. Under the Virginia CDPA, a consumer means a natural person who is a Virginia resident and is only acting in an individual or household context in providing personal data. The definition of consumer does not include any natural person providing personal data in a commercial or employment context.
What Data Does the Virginia CDPA Cover?
The Virginia CDPA covers “personal data,” which means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data, publically available information, health records, data subject to certain federal laws, such as HIPAA, HITECH, and FERPA, or data maintained for employment record purposes, including emergency contact information, benefits-related information, and other general information relating to an individual acting as an employee, agent or independent contractor. Although the Virginia CDPA does not consider de-idenfitied data as personal data, the CDPA still limits the use of de-identified data.
Like the GDPR and the California CPRA, the Virginia CDPA also offers specific protections to “sensitive data”, which the Virginia CDPA defines as (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, or sex life or sexual orientation; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) personal data of an individual known to be a child (under 13 years of age); and (iv) precise geolocation data.
How Do Businesses Comply?
Compliance varies by the role a business plays, specifically whether a business is playing the role of a controller or a processor under the Virginia CDPA. Similar to the GDPR, under the Virginia CDPA, a "controller" is the business that, alone or jointly with others, determines the purpose and means of processing personal data. A "processor" is the business that processes personal data on behalf of a controller. Processing is a broad term that encompasses any operation performed on personal data, such as collection, use, storage, disclosure, analysis, deletion, or modification.
Limits on Processing – The Virginia CDPA prohibits controllers from processing personal data for purposes other than those expressly list in the Virginia CDPA. Some of the permitted purposes include, among others, providing a requested product or service, conducting internal research, effectuating product recalls, repairing errors, performing internal operations, complying with law, defending legal claims, and detecting security incidents.
In addition, controllers may not process sensitive data without receiving the consumer’s consent. Consent must be through an affirmative act, specific, informed, and unambiguous. The Virginia CDPA’s consent requirement for processing of sensitive data resembles the similar requirement for special categories of personal data under the GDPR.
Processing Contracts – Similar to the CCPA and the GDPR, in order to process data on behalf of a controller, processors must enter in a binding contract with a controller. These Virginia CDPA contracts are more similar to the processor contracts under the GDPR. Under the Virginia CDPA, such a contract must set forth, among other things, the processing instructions for the processor, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, including the processor’s obligations to protect the privacy of the data.
Data Protection Assessments – Most notably, above and beyond other privacy laws in the United States, the Virginia CDPA uniquely requires controllers to perform a data protection assessment of any processing activities that involve personal data used in targeting advertising, the sale of personal data, profiling (in certain instances), sensitive data, and data that presents a heightened risk of harm to consumers. Virginia’s Attorney General can request and review a business’s data protection assessments. Note that businesses responding to such a request from the Attorney General do not waive attorney-client privilege.
What Data Rights Do Consumers Have?
The Virginia CDPA provides consumers with the right to (1) confirm whether a controller is processing its personal data, (2) access that data, (3) correct inaccuracies about that data, (4) delete its personal data, (5) obtain a copy of its personal data in a portable format, and (6) opt out of certain types of processing of its personal data.
Notably, the Virginia CDPA has broader opt-out rights than the current opt-out rights than the CCPA. Consumers can opt-out of a controller’s processing of its data if the controller uses that data for targeted advertising, for the sale of personal data, or for profiling the consumer in a way that produces legal or similarly significant effects on the consumer. “Targeted advertising” includes advertising to a consumer based on its activities across non-affiliated websites. Targeted advertising does not include, among other things, advertisements based on activities within a controller’s own website or processing personal data solely for measuring or reporting advertising performance or reach. “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party, which is more narrow that the CCPA’s definition of sale. “Profiling” includes automated processing of personal data to evaluate certain personal aspects related to a natural person, such as to analyze or predict aspects concerning that natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movement.
Unlike the CCPA, there is no required method for making consumer requests under the CDPA. When a controller receive a request from a consumer to exercise the consumer’s rights, the controller must verify that request using “commercial reasonable means.” A controller has 45 days to respond to a request, which may be extended once by an additional 45 days when reasonably necessary. A controller must also provide consumers with an appeals process if it denies a consumer’s request. The appeal process must be conspicuously available to consumers and similar to the process for submitting requests. A controller has 60 days to respond to an appeal.
What are the Virginia CDPA’s Penalties?
The Virginia Attorney General will exclusively enforce the Virginia CDPA. Like the CCPA, the Virginia CDPA does not provide for a private right of action. Upon receipt of a notice of a violation under the Virginia CDPA from the Attorney General, the controller or processor has 30 days to fix that violation. If it does not, the Virginia Attorney General may seek injunctions and fines of up to $7,500.00 per violation. The Attorney General may also recover attorneys’ fees.
Businesses that may be subject to the Virginia CDPA, especially those that are currently subject to the CCPA and/or the GDPR, should review the Virginia CDPA and make a plan for compliance. If you would like assistance with, or have any questions about, complying with the Virginia CDPA and other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys.