Virginia Consumer Data Protection Act: A Growing Wave of Comprehensive State Privacy Laws
Virginia’s Consumer Data Protection Act (CDPA) is expected to be signed into law by Governor Ralph Northam and will be the second comprehensive state data privacy law in the United States after the California Consumer Privacy Act of 2018 (CCPA). The CDPA comes into effect on January 1, 2023—the same date that the California Privacy Rights Act (CPRA) amendments take effect—and will require entities subject to the law to coordinate their efforts to ensure compliance with their growing obligations under these dynamic state privacy law developments. We explore the CDPA in more detail below.
OVERVIEW OF THE CDPA
The CDPA will apply to companies that conduct business in Virginia, or that target their products and services to Virginia residents, and that either: (i) control or process personal data of at least 100,000 Virginia residents or (ii) control or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
As with the CCPA, the CDPA has several broad entity-type and data-type exemptions. The CDPA will not apply to nonprofits, institutions of higher education and entities governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). The CDPA also exempts personal data belonging to individuals acting in commercial or employment contexts, protected health information governed by HIPAA and health records governed by other healthcare-related state and federal laws, and data regulated by the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act and Farm Credit Act.
CDPA uses the term “controller” to describe the entity that determines the purpose and means of processing data. Controllers have a number of responsibilities under the CDPA that are reminiscent of the obligations that apply to “businesses” under the CCPA/CPRA and “controllers” under the General Data Protection Regulation (GDPR). Controllers must:
Obtain consent prior to collecting and processing sensitive personal data (g., data revealing certain protected characteristics, genetic or biometric data, data collected from children or precise geolocation data)
Comply with data processing principles that ensure purpose limitation of personal data and data minimization
Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data
Enter into a written contract with third-party “processors” that process data on the controller’s behalf that set forth the instructions and limitations on how the processor may process personal data, including the data that are subject to processing, the duration of processing and the rights and obligations of both parties
Conduct and document a data protection assessment when processing sensitive data or conducting activities related to targeted advertising, selling personal data, profiling and other activities that present a heightened risk of harm to consumers
Inform consumers of the various privacy rights afforded to them under the CDPA and honor those rights.
Consumers have a number of privacy rights under the CDPA that, again, are reminiscent of those found in the CPRA and the GDPR. These rights include the right to:
Confirm whether the controller is processing the consumer’s personal data and right to access such personal data
Correct inaccuracies in the personal data
Delete personal data
Request that the controller port the consumer’s personal data in a readily usable format
Opt out of the processing of personal data for purposes of targeted advertising
Opt out of the sale of personal data
Opt out of profiling that results in legal or significant effects concerning the consumer (e., decisions that result in the denial of financial or lending services, housing, insurance, education, enrollment, criminal justice, employment opportunities, healthcare services or access to basic necessities).
In the event a company refuses to honor a request, consumers will have the right to appeal the company’s refusal.
Controllers are prohibited from discriminating against a consumer for exercising these rights, which includes denying goods or services, or charging different prices for goods or services or providing a different level of quality of goods or services. The caveat is that controllers may offer different prices or quality for goods or services if it is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.
The Virginia Attorney General has exclusive enforcement authority under the CDPA and may issue civil penalties of up to $7,500 per violation. Unlike the CCPA, the CDPA does not create a private right of action for Virginia consumers.
HOW DOES THE CDPA COMPARE TO THE CCPA?
With the passage of the CDPA, Virginia joins California as one of two states in the country with a comprehensive data privacy law. Companies already complying with the CCPA have a head start on their compliance efforts but will need to plan adjustments to their privacy compliance program to take into account both the CPRA and the CDPA, which take effect on January 1, 2023.
Fortunately, the CDPA and CCPA share many commonalities, such as the disclosures required in privacy notices, certain consumer rights and reasonable security requirements. However, the CDPA does contain a number of meaningful differences from the CCPA and CPRA, some of which we detail in the chart below.
|Virginia Consumer Data Protection Act (CDPA)||California Consumer Protection Act (CCPA)
* indicates that this provision will come into effect January 1, 2023
|Applicability||For-profit entities that conduct business in Virginia or offer products or services targeted to residents in Virginia and (i) control or process the data of at least 100,000 consumers or (ii) control or process the data of at least 25,000 consumers and derive more than 50% of revenue from the sale of personal data||For-profit entities that collect personal information from California residents and meet any of the following thresholds: (i) at least $25 million in gross annual revenue; (ii) buys, sells or receives personal information about at least 50,000 California consumers, householders or devices for commercial purposes; or (iii) derives more than 50% of its annual revenue from the sale of personal information
* (ii) above is replaced with “buys, sells or shares personal information of 100,000 or more California residents or households”; (iii) above is replaced with “derives 50% or more of annual revenue from selling or sharing California personal information”
|Covered personal information||Any information that is linked or reasonably associated to an identified or identifiable natural person||Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household|
|Sensitive data||Consent is required to process “sensitive data” which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, biometric data, personal data collected from a known child and precise geolocation data||Not currently covered
* New categories of “sensitive personal information,” including Social Security numbers (SSNs), driver’s license, financial account and card numbers, precise geolocation, racial and ethnic characteristics, religious and philosophical beliefs, union membership, contents of mail, email and text messages, and genetic and biometric data
|Employee and business-to-business (B2B) exemptions||CDPA does not apply to personal data associated with individuals acting in a commercial or employment context; there is no expiration for this exemption||Exemptions are set to expire on January 1, 2023|
|Consumer rights||Rights include:
|Contracting||Requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller
The contract should include:
|Mandatory contracting requirements for “service providers” and “third parties” to whom the company does not sell data
* Mandatory contracting requirements for “contractors” to whom the company makes available personal information for a business purpose
|Data protection assessments||Yes, for the following processing activities:
|Not currently required
* Cybersecurity audits and risk assessments will be required for companies whose processing presents a significant risk to consumer privacy or security
|Enforcement authority||Enforced by the attorney general||Enforced by the attorney general
* Creation of new California Privacy Protection Agency (Agency) for enforcement, rulemaking and guidance
|Private right of action||None||Limited private right of action for breach of unredacted or unencrypted personal information due to failure to maintain reasonable security practices
* Private right of action will be available for breach of email address and password or security question and answer that would allow access to account
|Cure period||None||Yes, 30 days for Attorney General enforcement
* Removes the 30-day cure period and gives the Agency discretionary power to provide the business with a time period to cure
|Penalties and damages||Up to $7,500 for each violation||Up to $2,500 for each violation and $7,500 for each intentional violation
*Automatic $7,000 fine for a violation involving the personal information of minors
Statutory damages from $100-$750 per violation.
THE FUTURE OF US PRIVACY LAW IS STILL PENDING
Despite repeated and ongoing efforts to present and pass a comprehensive federal privacy law, as of the date of this article, there does not appear to be any particular bill that has gained significant traction in either the US House of Representatives or the Senate. In the absence of a federal standard, many states, such as Oklahoma, Washington, Florida, Minnesota and New York, have followed California’s example in introducing and considering comprehensive state data privacy bills, with varying levels of success. The common themes are predictably centered on notice, consumer privacy rights and related business obligations. Issues related to enforcement, and in particular, whether private rights of action should be permitted, have stalled bills both at the state and federal level. That said, in light of what appears to be a heightened awareness and focus on privacy and cybersecurity issues, companies can expect new or additional modifications and updates to their data privacy and security programs in the coming years.
The content of this article is based on our review of the bills passed by the Virginia General Assembly and Senate. We do not anticipate the content of the consolidated bill, or the version signed into law by the Governor of Virginia, to differ materially from the law as described herein. We will update this article, as necessary, to reflect the law as passed.
Saba Bajwa, a law clerk in our Los Angeles office, also contributed to this On the Subject.