What You Should Know About Virginia’s Consumer Data Protection Act
UPDATE: Governor Ralph Northam signed the Virginia CDPA into law on March 2nd, 2021, making Virginia the second US state (after California) to enact a comprehensive consumer privacy law. It will go into effect on January 1st, 2023.
In the absence of broad federal regulation of personal information privacy, US privacy advocates are pushing states to pass their own. The next one to come online is Virginia’s Consumer Data Protection Act (VA CDPA); it has been passed by the Virginia House and Senate, and the Governor is expected to sign it. It is similar to California’s CPRA, both in its specifics and in the sense that it was put together quickly, though some key differences exist. Chief among those for many businesses will be the right of individuals to opt out of the use of their data for targeted advertising or sale to third parties, and the requirement for opt-in consent before processing data the law defines as sensitive.
When does it take effect?
January 1st, 2023.
To whom does it apply?
It applies to natural or legal persons who conduct business in Virginia (or produce products or services targeted to Virginia residents) and either:
- control or process the personal data of at least 100,000 consumers during a calendar year, or
- derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers
Unlike CCPA, there is no revenue threshold. Certain types of organizations are exempt, such as higher education, non-profits, and Commonwealth agencies. Organizations which are regulated by HIPAA or GLBA are also exempt.
What data does it cover?
It regulates “personal data,” defined in the law as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” It does not regulate de-identified or publicly available data (which is pretty broadly defined) or data about people acting in a commercial or employment context. In other words, professional information (e.g., business contact information), which the GDPR (and, once its temporary B2B and employee exemptions lapse, the CCPA) would cover, is not protected by the VA CDPA.
Also, even if data would otherwise fall under the law, it is exempt if it is already covered by GLBA, HIPAA, FERPA, the Driver’s Privacy Protection Act, the Farm Credit Act, and a few other regimes which are hard to summarize. Unlike the CCPA, which caused some concern in the healthcare world, the CDPA explicitly exempts data that has been de-identified under HIPAA.
Special categories of data
Following the lead of the GDPR, the VA CDPA (like the CPRA) designates special categories of “sensitive data.” Unlike the CPRA, the CDPA requires opt-in consent for processing these:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- Personal data collected from a known child;
- Precise geolocation data (defined as within 1,750 feet).
Consumer rights
The VA CDPA provides individuals with a set of rights that are roughly similar to those we’ve seen in other privacy laws – they have the right to:
- Confirm whether a controller has their personal data and see the data;
- Correct inaccuracies in their personal data;
- Delete their personal data;
- Obtain a copy of their personal data in a portable format;
And finally, this one is a bit different from what we see elsewhere:
- Opt out of the processing of their data for targeted advertising, sale (i.e., exchange for monetary consideration), or profiling in furtherance of decisions that produce “legal or similarly significant effects” concerning them.
When an individual exercises one of these rights, the data controller generally has 45 days to respond, extendable once by a further 45 days where reasonably necessary (the consumer must be told about the extension).
Responsibilities of Controllers and Processors
Here, the VA CDPA is closely based on other laws. Organizations that handle personal data are classified as Controllers or Processors depending on whether they determine the purpose and means of processing (controllers) or merely process data on a controller’s behalf (processors).
Controllers have the standard set of responsibilities:
- Respond to consumers who are exercising their rights within the deadlines and have an appeal process available for initial denials;
- Practice data minimization and purpose limitation, i.e., limit collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes, disclose those purposes to the consumer, and not process data outside that scope without consent;
- Have reasonable administrative, technical, and physical data safeguards in place, scaled to the volume and nature of the data (this is a case where privacy-enhancing technologies can be used to good effect!);
- Not process personal data in violation of state or federal anti-discrimination laws, and not discriminate against consumers for exercising their rights;
- Not process sensitive data (see above) without consent and, if the individual is a child, process it in accordance with COPPA;
- Provide a clear and accessible privacy notice explaining what the controller processes, for what purposes, what categories of data are shared with third parties and which third parties (this must be clearly and conspicuously disclosed), and how consumers can exercise their rights, along with a reliable method for submitting requests.
Processors broadly must support the controller in those activities while maintaining appropriate data security measures, and the law requires a contract between controller and processor that sets out the processing instructions, the nature and purpose of processing, the type of data and duration, and the parties’ respective obligations.
The CDPA does require controllers to perform a data protection assessment, similar to the data protection impact assessments (DPIAs) required by the GDPR, before processing personal data for targeted advertising, selling personal data, or profiling it (where the profiling presents certain enumerated risks). They also must perform an assessment before processing sensitive data for any reason or conducting processing activities that “present a heightened risk of harm to consumers.” The Attorney General can demand these assessments in an investigation, and they are kept confidential from the public.
Enforcement and penalties
The VA Attorney General has exclusive authority to enforce the CDPA. The law gives companies 30 days after written notice to cure a violation, and then provides for civil penalties of up to $7,500 per violation plus injunctive relief. It does not provide for a private right of action under any circumstances (unlike the GDPR, and unlike the CCPA’s limited private right of action for data breaches).
What does this mean for the future?
At this point, US data privacy law is sectoral: laws protect the privacy of personal data within a specific industry or otherwise limited scope. US laws are reactive, too. Some happen because of a series of publicized problems in a field (for example, HIPAA, where numerous instances of employers firing employees with expensive medical conditions drove the addition of the Privacy and Security Rules to a regulation that wasn’t even about privacy). Others are provoked by a single incident (the use of Robert Bork’s video rental records during his Supreme Court confirmation hearing prompted the passage of the Video Privacy Protection Act of 1988). The FTC has broad jurisdiction under Section 5 of the FTC Act to pursue companies whose data practices are unfair or deceptive, most commonly those that fail to keep the privacy or security promises they made to consumers, but even that is not an overarching privacy law.
The US lacked the cultural drivers the EU had when it passed the GDPR – strong memories of the misuse of personal data during World War II, augmented in recent years by mistrust of the US Patriot Act and suspicion of the US internet giants. So while some Americans have advocated for such a law, businesses have largely opposed the idea, and efforts haven’t gone anywhere. One thing which could change that, and quickly, is a situation where companies operating within the US are forced to comply with a rapidly growing array of state laws, all different enough to require separate accommodation. A federal law could pre-empt and effectively replace existing state laws, creating a unified set of rules. With California already requiring redevelopment of websites and processes, Virginia joining the fray with slightly different requirements, and other states not far behind, this could well tip the balance toward federal regulation. We’re already seeing involvement from tech giants in the drafting of the Washington state bill, and a lot more support from businesses for the idea. Companies will prefer opt-out over opt-in consent and no private right of action, while privacy advocates and those who want harmony with the GDPR will want the opposite, so a final law will require some debate.