On January 8, 2020, the “Virginia Privacy Act” (HB 473), was introduced for consideration to the General Assembly of Virginia. The proposed legislation includes notice requirements similar to the California Consumer Privacy Act’s (CCPA), provides consumers with rights similar to those under the EU’s General Data Protection Regulation (GDPR), and unlike either the CCPA or the GDPR, would require data controllers to perform and document a privacy risk assessment for every processing activity.
Scope. The proposed legislation would apply to any entity that:
(i) conducts business in Virginia or produces products or services intentionally targeted to Virginia residents, and
a. controls or processes personal data of 100,000 or more consumers (which is defined as Virginia residents but excludes residents acting in a commercial or employment context); or
b. derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.
The legislation defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes publicly available or deidentified data, and exempts personal data governed by the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Report Act, Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act, and contained in employment records.
Notice & Consumer Rights. Under the proposed legislation, a “controller” (“person that, alone or jointly with others, determines the purposes and means of the processing of personal data”) must be transparent about their processing activities and make available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice that includes:
the categories of personal data collected by the controller;
the purposes for which the categories of personal data are used and disclosed to third parties, if any;
a list of the rights that consumers may exercise pursuant to § 59.1-574, which include the right to access, correction, deletion, restriction of processing, objection to processing;
the categories of personal data that the controller shares with third parties, if any; and the categories of third parties, if any, with whom the controller shares personal data.
Controllers are required to process consumer rights requests “without undue delay” and no later than 30 days from a verified request with an option to extend that period an additional 60 days depending on the number and complexity of requests, similar to the standard under the EU’s GDPR.
Selling. If a controller sells personal data to data brokers or processes personal data for targeted advertising, it shall disclose such processing, as well as the manner in which a consumer may exercise the right to object to such processing, in a clear and conspicuous manner. The definition of “sale” in the proposed legislation is more limited than under the CCPA, and is aligned with the “sale” definition in Nevada’s new law effective October 1, 2019, to mean “the exchange of personal data for monetary consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.”
Risk Assessments. The proposed legislation also requires that controllers perform a risk assessment of each of its data processing activities that involves personal data, and requires the controller make the risk assessment available to the Attorney General upon request. Such risk assessments must identify and weigh the benefits of such processing the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.
Enforcement. Pursuant to the proposed legislation, controllers would have 30 days to cure any alleged violation of the Act. However, violations and enforcement of the Act would be subject to the Virginia Consumer Protection Act, which permits a private cause of action for violations of the Act to recover actual damages, or $500, whichever is greater, and if the trier of fact finds that the violation was willful, it may increase damages to an amount not exceeding three times the actual damages sustained, or $1,000, whichever is greater. The Act would permit the allocation of liability to processors according to comparative fault principles.