Virginia Passes Sweeping Data Privacy Legislation Similar to CCPA and GDPR

On March 2, 2021, the Governor of Virginia signed the Consumer Data Protection Act (the “Virginia CDPA”), making Virginia the second state in the nation to adopt sweeping data privacy legislation. As expected, the Virginia CDPA closely resembles, in various ways, existing comprehensive data privacy laws, including the California Consumer Privacy Act of 2018 (“CCPA”) and the E.U.’s General Data Protection Regulation (“GDPR”). However, the Virginia CDPA has unique aspects, including assessments and rights related to targeted advertising. Below is a summary of the key provisions of the Virginia CDPA.

When Does the Virginia CDPA Go into Effect?

The Virginia CDPA will become effective on January 1, 2023, which is the same day that the California Privacy Rights of 2020 (“California CPRA”) will take effect (discussed in a prior alert here). While this day is a few years away, it is important for businesses that may be subject to the Virginia CDPA or the California CPRA to begin planning for their compliance now.

To Which Businesses Does the Virginia CDPA Apply?

The Virginia CDPA applies to a business meeting the following criteria:

  • Conducts business in Virginia or produces products or services that are targeted to Virginia residents; and

(a) during a calendar year, controls or processes personal data of at least 100,000 consumers (defined below); or

(b) processes or controls personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data. 

The Virginia CDPA does not apply to state or local governments, government agencies, local school boards, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities or business associates subject to HIPAA and HITECH, non-profit organizations, and institutions of higher education.

Notably, the Virginia CDPA’s definition of “consumer” is narrower than the comparable definitions used in the CCPA and the GDPR. Under the Virginia CDPA, a consumer means a natural person who is a Virginia resident and is only acting in an individual or household context in providing personal data. The definition of consumer does not include any natural person providing personal data in a commercial or employment context.

What Data Does the Virginia CDPA Cover?

The Virginia CDPA covers “personal data,” which means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data, publically available information, health records, data subject to certain federal laws, such as HIPAA, HITECH, and FERPA, or data maintained for employment record purposes, including emergency contact information, benefits-related information, and other general information relating to an individual acting as an employee, agent or independent contractor. Although the Virginia CDPA does not consider de-idenfitied data as personal data, the CDPA still limits the use of de-identified data. 

Like the GDPR and the California CPRA, the Virginia CDPA also offers specific protections to “sensitive data”, which the Virginia CDPA defines as (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, or sex life or sexual orientation; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) personal data of an individual known to be a child (under 13 years of age); and (iv) precise geolocation data.

How Do Businesses Comply?

Compliance varies by the role a business plays, specifically whether a business is playing the role of a controller or a processor under the Virginia CDPA. Similar to the GDPR, under the Virginia CDPA, a "controller" is the business that, alone or jointly with others, determines the purpose and means of processing personal data. A "processor" is the business that processes personal data on behalf of a controller. Processing is a broad term that encompasses any operation performed on personal data, such as collection, use, storage, disclosure, analysis, deletion, or modification.

Privacy Policy – As part of compliance, controllers must respect the rights the law grants to consumers, detailed below, and must post a privacy policy reasonably accessible to consumers that, among other things, details the categories of personal data processed, the purposes for processing that data, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom the controller shares that data.

Limits on Processing – The Virginia CDPA prohibits controllers from processing personal data for purposes other than those expressly list in the Virginia CDPA. Some of the permitted purposes include, among others, providing a requested product or service, conducting internal research, effectuating product recalls, repairing errors, performing internal operations, complying with law, defending legal claims, and detecting security incidents.

In addition, controllers may not process sensitive data without receiving the consumer’s consent. Consent must be through an affirmative act, specific, informed, and unambiguous. The Virginia CDPA’s consent requirement for processing of sensitive data resembles the similar requirement for special categories of personal data under the GDPR.

Controllers must also limit the collection of data to what is reasonably necessary for the purposes for which the data was processed, as disclosed to the consumer in the privacy policy or elsewhere, and may not process data that is neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, unless the controller obtains the consumer’s consent. Controllers also must implement administrative, technical, and physical safeguards to protect the data.

Processing Contracts – Similar to the CCPA and the GDPR, in order to process data on behalf of a controller, processors must enter in a binding contract with a controller. These Virginia CDPA contracts are more similar to the processor contracts under the GDPR. Under the Virginia CDPA, such a contract must set forth, among other things, the processing instructions for the processor, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, including the processor’s obligations to protect the privacy of the data.

Data Protection Assessments – Most notably, above and beyond other privacy laws in the United States, the Virginia CDPA uniquely requires controllers to perform a data protection assessment of any processing activities that involve personal data used in targeting advertising, the sale of personal data, profiling (in certain instances), sensitive data, and data that presents a heightened risk of harm to consumers. Virginia’s Attorney General can request and review a business’s data protection assessments. Note that businesses responding to such a request from the Attorney General do not waive attorney-client privilege.

What Data Rights Do Consumers Have?

The Virginia CDPA provides consumers with the right to (1) confirm whether a controller is processing its personal data, (2) access that data, (3) correct inaccuracies about that data, (4) delete its personal data, (5) obtain a copy of its personal data in a portable format, and (6) opt out of certain types of processing of its personal data.

Notably, the Virginia CDPA has broader opt-out rights than the current opt-out rights than the CCPA. Consumers can opt-out of a controller’s processing of its data if the controller uses that data for targeted advertising, for the sale of personal data, or for profiling the consumer in a way that produces legal or similarly significant effects on the consumer. “Targeted advertising” includes advertising to a consumer based on its activities across non-affiliated websites. Targeted advertising does not include, among other things, advertisements based on activities within a controller’s own website or processing personal data solely for measuring or reporting advertising performance or reach. “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party, which is more narrow that the CCPA’s definition of sale. “Profiling” includes automated processing of personal data to evaluate certain personal aspects related to a natural person, such as to analyze or predict aspects concerning that natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movement.

Unlike the CCPA, there is no required method for making consumer requests under the CDPA. When a controller receive a request from a consumer to exercise the consumer’s rights, the controller must verify that request using “commercial reasonable means.” A controller has 45 days to respond to a request, which may be extended once by an additional 45 days when reasonably necessary. A controller must also provide consumers with an appeals process if it denies a consumer’s request. The appeal process must be conspicuously available to consumers and similar to the process for submitting requests. A controller has 60 days to respond to an appeal.

What are the Virginia CDPA’s Penalties?

The Virginia Attorney General will exclusively enforce the Virginia CDPA. Like the CCPA, the Virginia CDPA does not provide for a private right of action. Upon receipt of a notice of a violation under the Virginia CDPA from the Attorney General, the controller or processor has 30 days to fix that violation. If it does not, the Virginia Attorney General may seek injunctions and fines of up to $7,500.00 per violation. The Attorney General may also recover attorneys’ fees.

Conclusion

Businesses that may be subject to the Virginia CDPA, especially those that are currently subject to the CCPA and/or the GDPR, should review the Virginia CDPA and make a plan for compliance. If you would like assistance with, or have any questions about, complying with the Virginia CDPA and other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys.

Firm Highlights
News

Lauren R. Carey Creates New Blog for Social Media Influencers

More
Client Alert

First-Issued Interim Final Rule Gives Guidance on No Surprises Act

More
News

Neal F. Perryman Named to Missouri’s POWER List in Employment Law by Missouri Lawyers Media

More
News

61 Lewis Rice Attorneys Named Best Lawyers for 2022, 16 Named Ones to Watch

More
Client Alert

Property Owners Can Push the Issue Under Illinois Mechanic’s Lien Law

More
News

John C. Bodnar Named BTI M&A Client Service All-Star

More
News

Lewis Rice Wins $1.5 Million in Compensation for Covington Landowners

More
Client Alert

Supreme Court Limits Ability to Compel Access to Private Property Without Compensation

More
News

David W. Sweeney Represents Advantes Group in $7.2 Million Apartment Project

More
News

Four Lewis Rice Attorneys Named 2022 “Lawyer of the Year” by Best Lawyers

More
News

Michael D. Mulligan Publishes Article in ACTEC Law Journal Comparing Sales to an Intentionally Defective Irrevocable Trust and a to Beneficiary Intentionally Defective Irrevocable Trust

More
Client Alert

FTC Adds Teeth to the ‘Made in USA’ Rule

More
News

Claims Filed for Compensation in North Carolina Ecusta Trail Rail-to-Trail Case

More
News

Lewis Rice Recognized as Top M&A Firm by BTI Consulting Group

More
Diversity & Inclusion

Golf Foundation of Missouri Awards First Larry L. Deskins, Sr. Scholarship

More
News

Brian P. Pezza Quoted in SHRM Articles on Employee Vaccination Status Disclosure and Employer Vaccination Policies

More
Client Alert

OSHA’s New Guidance Regarding Indoor Mask Wearing, COVID-19 Vaccination Mandates, Regular Testing of Unvaccinated Workers, and More

More
News

Michael R. Thiessen Recognized as Pro Bono Spotlight by KCMBF for August

More
Client Alert

Missouri Now Requires Employers to Provide Leave and Accommodations for Victims of Domestic and Sexual Violence

More
Client Alert

FTC Reverses Course on Treatment of Debt Payoff Under HSR Act

More