Virginia has now passed a significant new law with respect to consumer privacy. The new law, known as the Virginia Consumer Data Protection Act (“CDPA”), was signed into law by Governor Ralph Northam on March 2, 2021. The CDPA is currently set to take effect on January 1, 2023.
Virginia’s new law shares many similarities with the California Consumer Protection Act of 2018 (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”), as well as similar laws that are proposed in other states, such as Washington and Utah. The Virginia law, however, does not go quite as far as the CCPA or GDPR in many respects. For example, unlike the CCPA and GDPR, the CDPA does not apply to personal data collected from individuals acting in a commercial or employment context.
Nevertheless, like the other new laws, the CDPA still raises new risks and imposes new obligations on businesses’ handling of personal information of Virginia residents acting “in an individual or household context,” i.e., “Consumers” as defined under the Act. Businesses should also be aware that because the CDPA differs from the CCPA and the GDPR in many respects, compliance with the CCPA or GDPR does not necessarily equal compliance with the new Virginia law. Below are the key takeaways for business owners.
When Does the CDPA Take Effect?
The law becomes effective on January 1, 2023.
Which Businesses Are Subject to the CDPA?
The businesses covered by the law include those that conduct business in Virginia or that produce products or services targeted to Virginia residents and that:
- During a calendar year, control or process personal data of at least 100,000 Virginia consumers; or
- Control or process personal data of at least 25,000 Virginia consumers and derive over 50% of gross revenue from the sale of personal data.
Under the CDPA, entities and businesses not subject to the law are:
- Any body, authority, board, bureau, commission, district, or agency of Virginia or of any political subdivision of Virginia;
- Any financial institution or data subject to the Gramm-Leach-Bliley Act;
- Any covered entity or business associate subject to the Health Insurance Portability and Accountability Act (“HIPAA”) or the Health Information Technology for Economic and Clinical Health Act;
- Any nonprofit organization; or
- Any institution of higher education.
Businesses should keep in mind that, like the CCPA, Virginia’s new law is not limited solely to online or digital data collection and can apply to any collection or other handling of any personal data, whether offline or online (such as through a web site).
What Does “Personal Data” Include?
The CDPA broadly defines “personal data” as consisting of “any information that is linked or reasonably linkable to an identified or identifiable natural person.” It does not include de-identified data or publicly available information, although companies may still have ongoing obligations with respect to de-identified data, discussed below.
With respect to “publicly available information,” this includes information “lawfully made available through federal, state, or local records.” Notably, however, the definition further excludes “information that a business has a reasonable basis to believe is lawfully made available to the general public” through the media, by the consumer, or an individual or entity to whom such consumer has disclosed their information without restriction as to the particular audience. This looks at whether a business had a reasonable basis to believe the personal data was not covered by the Act. What constitutes a “reasonable basis” is unclear and may be further clarified in the regulations required by the Act.
What Are the Rights of Virginia Consumers?
Under the CDPA, consumers have certain rights with respect to their personal information, including the right to (1) confirm if a controller is processing their personal data, (2) have their personal data corrected, (3) have their personal data deleted, (4) obtain a portable and useable copy of their personal data, and (5) opt out of the processing of their personal data for certain purposes, such as targeted advertising, the sale of such information to third parties, and certain types of profiling. Consumers may submit requests to controllers to exercise their rights (and appeal refusals of same), which controllers are obligated to respond to and fulfill, subject to verification and certain limitations.
What Are the Key Requirements for Businesses?
Businesses subject to the Virginia law have certain obligations depending upon whether they are “controllers” (entities that determine the means of processing personal data) or “processors” (entities that process personal data on a controller’s behalf), which is similar to the GDPR in many respects. Such businesses will be subject to new obligations regarding disclosure, oversight, retention, documentation and management of consumer personal data. Notable obligations for such businesses include the following:
- Controllers must provide consumers with privacy policies disclosing certain information, including categories of data processed, purposes of processing, whether such data is shared or sold (and to which categories of third parties), as well as disclosing how customers may exercise their rights under the CDPA, including specifying means of submitting requests, which is subject to certain considerations and qualifications.
- Controllers must verify and fulfill consumers’ requests to exercise their rights (including confirmation or opting out of processing of personal data, as well as deletion or providing copies of personal data) within 45 days of such requests (which deadline may be extended), subject to certain limitations and exceptions.
- Controllers must establish a “conspicuously available” process for a consumer to appeal any rejection of such consumer’s personal data request, subject to certain requirements.
- Controllers must conduct and document data protection assessments with respect to certain types of processing (targeted advertising, sale of data, certain profiling, sensitive data, processing that presents heightened risk of harm to consumers) to weigh the benefits of such processing against the potential risks to the consumer’s rights. The timing, frequency and duration of document retention for such assessments is not clear.
- Controllers must obtain prior consent from consumers for processing of “sensitive data,” which includes personal data related to race, religious beliefs, health information, sexual orientation, citizenship or immigration status, personal data of children, precise geolocation data and the processing of biometric data for the purpose of uniquely identifying a natural person.
- Controllers must obtain prior consent for uses of personal data that are neither reasonably necessary to nor compatible with the purposes of processing disclosed in the entity’s privacy notice.
- Controllers must ensure that de-identified data cannot be associated with an individual, publicly commit to maintaining the data in de-identified form and not attempting to re-identify it, contractually obligate recipients of such data to comply with the CDPA, and further “exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.”
- Similar to the GDPR, any controller that provides personal data to a processor for processing on the controller’s behalf must also have a written contract governing the processing of such information that clearly sets forth the instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and obligations of the parties, along with certain other terms specified under the Act.
- Like the GDPR and CCPA, businesses subject to the CDPA must: (a) “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data,” and (b) limit collection of personal data to that which is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”
- Like the CCPA, controllers are generally prohibited from discriminating against Virginia consumers for exercising their rights under the Act.
- A processor must comply with the instructions of the controller and assist the controller with complying with the CDPA.
What Are the Penalties for Violating the CDPA?
The CDPA does not provide for private causes of action. Only the Virginia Attorney General can enforce the Act. Once the Attorney General makes a determination to enforce the Act against a controller, the controller will have 30 days to cure the violation and confirm such cure in writing. Uncured violations may result in injunctive relief and penalties up to $7,500 per violation as well as reasonable expenses, including attorneys’ fees, related to the Attorney General’s investigation of the violations.
Are There Any Exemptions Under the Act?
The CDPA provides for certain limited exemptions for personal data regulated, collected or processed pursuant to certain state and federal privacy-related laws, such as HIPAA, Gramm-Leach-Bliley, the Fair Credit Reporting Act, the Drivers Privacy Protection Act, the Farm Credit Act, the Family Educational Rights and Privacy Act, and also exempts employee and job applicant data, among other related types of data.
What Are the Next Steps for Businesses?
As stated above, compliance with California’s consumer privacy law or GDPR does not mean a business is also compliant with Virginia’s new privacy act. Businesses should therefore assess whether the CDPA may apply to them and begin developing a plan to bring their operations into compliance by January 1, 2023. Such steps may include updating privacy policies, web sites and internal information technology systems and procedures.
We will continue to monitor developments on the CDPA and other privacy laws that may impact your business and are available to answer any questions that you may have.
Luis F. Ruiz