Virginia has enacted new privacy legislation that bears similarities to the California Consumer Privacy Act (the “CCPA”) and borrows some concepts from the European Union’s General Data Protection Regulation (the “GDPR”). In February, the Virginia legislature passed the Virginia Consumer Data Protection Act (SB No. 1392) (the “CDPA” or “Act”) and the governor signed the bill into law on March 2, 2021. This makes Virginia the second state in the country—after California—to adopt a comprehensive consumer privacy law. This article provides an overview of some of the key components of the CDPA.
To whom does the CDPA apply?
The CDPA applies to any person that conducts business in Virginia or produces products or services targeted to Virginia residents and that, during a calendar year, meets one of the following thresholds:
- Controls or processes the personal data of at least 100,000 Virginia consumers; or
- Controls or processes the personal data of at least 25,000 Virginia consumers and derives more than 50 percent of its gross revenue from the sale of personal data.
What information is covered by the CDPA?
The CDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition excludes personal data that has been de-identified or that is publicly available. Notably, the notion of “publicly available” information is broader under the CDPA than under the CCPA and includes information that “a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”
In addition, the CDPA sets out “sensitive data” as a subset of personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a natural person; personal data collected from a known child; and precise geolocation data (defined as information that “directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet”). The CDPA imposes additional obligations on businesses that collect and process sensitive data. In particular, a business may not process sensitive data without obtaining the consumer’s consent, and a business that processes such data must perform a data protection assessment.
What rights do consumers have under the CDPA?
Under the CDPA, consumers have the right to:
- Confirm whether a business is processing the consumer’s personal data and access that data;
- Correct inaccuracies in the consumer’s personal data that the business holds;
- Delete the consumer’s personal data that is held by the business, subject to certain limited exceptions;
- Obtain a copy of the personal data in a portable and, to the extent feasible, readily usable format;
- Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that have legal or similarly significant effects on the consumer.
What obligations does the CDPA impose on businesses?
Among other things, the CDPA requires that businesses:
- Comply with consumer requests to exercise the rights enumerated above. Businesses have 45 days to respond to a consumer request. That period may be extended once by a further 45 days, for a total of 90 days, when “reasonably necessary, taking into account the complexity and number of the consumer’s requests,” provided the business “informs the consumer of any such extension within the initial 45-day response period” together with the reason for the extension.
- Provide an appeal process if the business declines to act on a consumer’s request to exercise a right under the CDPA. In particular, the business must explain its decision to the consumer, provide a process by which the consumer may appeal the decision to the business, and, if the appeal is denied, provide a method by which the consumer can submit a complaint to the Attorney General.
- Provide a privacy notice that describes (i) the categories of personal data processed by the controller, (ii) the purpose for processing the personal data, (iii) how consumers may exercise their rights under the CDPA (including an opt-out process for businesses that sell personal data or process it for targeted advertising), (iv) the categories of personal data that the controller shares with third parties, and (v) the categories of third parties with whom the controller shares personal data.
- Limit collection of personal data to what is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed” and “as disclosed to the consumer” in the business’s privacy notice.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The Act does not prescribe particular controls; what is “reasonable” is judged against the volume and nature of the personal data at issue.
- Not discriminate against consumers for exercising their rights under the CDPA.
- Not process sensitive data without obtaining the consumer’s consent.
- Contractually protect the confidentiality and privacy of personal data shared with processors, i.e., businesses that process personal data on the controller’s behalf.
- Conduct a data protection assessment if the controller processes personal data for targeted advertising, sells personal data, processes personal data for purposes of profiling, processes sensitive data, or engages in any processing that presents a heightened risk of harm to consumers.
The last obligation is notable because it is a significant difference between the CDPA and the CCPA. The CCPA, as currently in effect, does not require data protection assessments; however, under amendments to the CCPA adopted when Californians voted to approve the California Privacy Rights Act of 2020 (the “CPRA”) in November 2020, businesses whose processing of personal information presents a significant risk to consumers’ privacy or security must conduct risk assessments of that processing and submit them to regulators. These requirements are similar to the GDPR’s data protection impact assessment obligations.
What is considered a “sale” under the CDPA?
The concept of a “sale” is important under both the CDPA and the CCPA because both laws require businesses to give consumers the ability to opt out of sales of their personal information.
Those familiar with the CCPA are likely familiar with the broad definition of “sale” under the CCPA—“sale” is defined to include disclosing personal data for “monetary or other valuable consideration.” The broad definition under the CCPA could extend to disclosure of personal information to third parties even when there is no exchange of money. For example, the definition sweeps broadly enough to potentially include information disclosed in connection with online targeted advertising. The CDPA, on the other hand, defines “sale” more narrowly: it means the exchange of personal data for monetary consideration.
Although the CDPA’s definition of “sale” is narrower than the CCPA’s definition, the opt-out right is, to some extent, broader than under the CCPA. Under the CDPA, consumers have the right to opt out of sales (as that word is more narrowly defined), targeted advertising, and profiling in furtherance of decisions that have legal or other significant impact on the consumer.
Does the CDPA impose obligations on transfers of personal data to service providers or third parties?
Yes. The CDPA borrows the concepts of data controllers and data processors from the GDPR. These concepts are similar to, though not identical to, the concepts of covered businesses and service providers under the CCPA. Under the CDPA, controllers are businesses that, alone or jointly with others, determine the purpose and means of processing personal data. Processors are businesses that process personal data on behalf of a controller. The CDPA requires that the contract between controller and processor set forth instructions for processing personal data, the nature and purpose of the processing, the type of personal data subject to processing, the duration of the processing, and the rights and obligations of both parties. The contract must also include terms that protect the confidentiality and privacy of the personal data, including a duty of confidentiality for each person processing the data and a requirement that the processor delete or return the data at the end of the engagement.
When will the CDPA go into effect?
The CDPA takes effect January 1, 2023.
Are there any exemptions under the CDPA?
Like the CCPA, the CDPA includes both entity exemptions and data exemptions. Entities that are exempt from the CDPA are state agencies, financial institutions regulated by the Gramm-Leach-Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act (“HIPAA”) covered entities and business associates, nonprofit organizations, and institutions of higher education.
Data that are exempt from the CDPA include data covered by HIPAA (and health records covered by Virginia state law), the GLBA, the Federal Policy for the Protection of Human Subjects and related human subjects research rules (i.e., data about research and clinical trial subjects), the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act. The CDPA also exempts information and documents created for the purposes of the Health Care Quality Improvement Act as well as patient safety work product for the purposes of the Patient Safety and Quality Improvement Act.
The CDPA also exempts human resources-related data. The Act does this in two ways. First, the definition of “consumer” under the CDPA does not include “natural persons acting in a commercial or employment context.” Second, the Act has a specific exemption for data processed or maintained (i) in the course of an individual applying to, or employed by, or acting as an agent or independent contractor of a business (and so long as the data is collected and used within the context of that role); (ii) in connection with employees’ or independent contractors’ emergency contact information; and (iii) in connection with administering employee benefits.
Who enforces the CDPA?
The Virginia Attorney General has exclusive authority to enforce the CDPA. Notably, there is no private right of action, not even for data breaches as there is under the CCPA. Like the CCPA, however, where a business is alleged to have violated the CDPA, the Attorney General must give the business 30 days’ written notice and an opportunity to cure the violation before bringing an action. Under the amendments to the CCPA adopted through the CPRA, the CCPA’s mandatory 30-day cure period will be eliminated beginning January 1, 2023.
What are the penalties under the CDPA?
If a business fails to cure or continues to violate the CDPA after the cure period, the Attorney General may bring an action seeking injunctive relief and civil penalties of up to $7,500 for each violation. The Attorney General may also recover reasonable expenses incurred in investigating and preparing the case, including attorneys’ fees.
What should companies do now?
Companies have until January 1, 2023 to get ready for CDPA compliance. Companies that have already gone through exercises to comply with the GDPR or the CCPA should find the CDPA work familiar. That said, although the CCPA and the CDPA are similar, they are not identical, and companies should take care to note the differences in requirements between the two laws. Moreover, with the passage of the CPRA, companies may consider undertaking a single initiative to meet both the CPRA’s and the CDPA’s requirements.
Appropriate steps may include a diligence process to identify what personal data collection and processing activities the business is engaged in, a gap analysis to determine if any of these collection and processing activities do not meet the CDPA’s (and CPRA’s) requirements, a remediation process to close any gaps, a revision process for internal policies and procedures, and a revision of third-party vendor agreements.