Virginia Creates a New Comprehensive Privacy Framework Affecting Businesses Nationwide
On March 2, Virginia Gov. Ralph Northam signed into law the Consumer Data Protection Act. Following the landmark California Consumer Privacy Act enacted last year, this makes Virginia the second state or commonwealth in the United States to have enacted comprehensive privacy legislation of general applicability. Modeled on the CCPA, the new privacy law from Virginia will affect businesses across the United States when it goes into effect on Jan. 1, 2023.
Scope and Applicability
Virginia’s CDPA establishes a comprehensive framework for businesses that control or process the personal data of Virginia residents. The law will apply to persons or entities conducting business in Virginia or producing products or services targeted to Virginia residents, but only if the person or entity (i) controls or processes the personal data of at least 100,000 consumers during a year or (ii) controls or processes the personal data of at least 25,000 consumers and derives at least 50% of gross revenue from the sale of personal data. Unlike under the CCPA, which includes a revenue threshold, even large businesses will be covered by the CDPA only if they fall into one of these two categories.
Similar to the paradigm created by the EU’s General Data Protection Regulation, the CDPA speaks of “processing” personal data, and the law applies differently to “controllers” and “processors” of personal data. “Processing” basically means any type of operation that can be performed on data, such as collecting, using, storing, analyzing, deleting or modifying the data – just to name a few examples. “Controller” refers to the business responsible for determining the purpose and means of processing personal data, whereas “processor” means a service provider or other entity that processes the data on behalf of the controller.
Under the CDPA, “personal data” is broadly defined to include “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but does not include de-identified or publicly available information (including information a business had a “reasonable basis” to believe was public). “Consumer” means a natural person who is a Virginia resident “acting only in an individual or household context” and specifically excludes people acting in a commercial or employment context. Finally, “sale of personal data” generally covers the “exchange of personal data for monetary consideration” – notably narrower than the CCPA, which states “monetary or other valuable consideration.” Also, the definition of sale excludes certain types of disclosures, such as a controller’s disclosure of personal data to a processor.
A number of exceptions further limit the scope of the CDPA. For example, the new law will not apply to (i) the Commonwealth of Virginia or political subdivisions; (ii) financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act; (iii) covered entities or business associates governed by the Privacy, Security, and Breach Notification Rules issued pursuant to HIPAA; (iv) nonprofit organizations; and (v) institutions of higher education. In addition to these entity exceptions, the CDPA also describes 14 specific types of data that are excluded from the statute, including specific information regulated by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, and the Family Educational Rights and Privacy Act.
Similar to the CCPA and GDPR, Virginia’s CDPA will create a number of new rights for consumers regarding their personal data, including rights of access, correction, deletion, data portability and opting out of sales. Specifically, the CDPA grants to consumers the right to each of the following:
- “To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data”;
- “To correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data”;
- “To delete personal data provided by or obtained about the consumer”;
- “To obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance …”; and
- “To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
Businesses controlling personal data will be required to comply with a consumer’s authenticated request to exercise any of these privacy rights. Furthermore, businesses will need to provide one or more secure means for consumers to submit such requests. Also, they must respond to consumer requests within 45 days and “establish a process” for consumers to appeal denied requests.
In addition to the privacy rights exercised by consumers, Virginia’s CDPA will impose a variety of new obligations on those covered by the law. Among other things, businesses controlling personal data will be required to do the following:
- Establish, implement and maintain “reasonable administrative, technical, and physical data security practices” in order to protect the confidentiality, integrity and accessibility of personal data;
- Provide consumers with “a reasonably accessible, clear, and meaningful privacy notice” that describes (i) the categories of personal data processed, (ii) the purposes of processing, (iii) how consumers may exercise their privacy rights under the CDPA, (iv) the categories of personal data shared with third parties and (v) the categories of those third parties;
- Limit the collection of personal data to what is “adequate, relevant and reasonably necessary in relation to the purposes” of processing disclosed to the consumer, and then process that personal data only in ways reasonably necessary and compatible with what was disclosed to the consumer (unless the consumer has consented);
- Refrain from processing “sensitive data” without obtaining the consumer’s consent – including (i) genetic or biometric data used to uniquely identify someone, (ii) data from a known child under 13 years of age, (iii) precise geolocation data, and (iv) personal data revealing race, ethnicity, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- Ensure that processing activities undertaken by a processor on behalf of a controller are governed by a binding agreement that “clearly set[s] forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties,” including various specific requirements for processors; and
- Conduct and document a “data protection assessment” covering various topics, including (i) the processing of personal data for targeted advertising, (ii) the sale of personal data, (iii) certain processing of personal data for purposes of profiling, (iv) the processing of sensitive data and (v) any processing activities involving personal data that present a heightened risk of harm to consumers.
In general, the nature and structure of the CDPA’s obligations will be familiar to businesses that already comply with the CCPA or GDPR – although the requirement for a data protection assessment goes beyond the CCPA. However, those doing business in Virginia that have not needed to comply with the CCPA or GDPR should give themselves plenty of time to prepare for the CDPA going into effect on Jan. 1, 2023. For example, businesses covered by the law will need to become able to recognize and track the flow of any personal data they collect or have stored, review agreements with any service providers processing personal data, and develop a mechanism for consumers to submit authenticated requests to exercise their privacy rights.
Enforcement and Penalties
The CDPA contains no private right of action. Instead, the Virginia attorney general has the exclusive right to bring enforcement actions. The attorney general may seek injunctive relief and damages up to $7,500 per violation – plus investigation expenses and attorney’s fees. However, before initiating an enforcement action for violations of the CDPA, the Virginia attorney general must give the violator 30 days' written notice of the specific provisions that have been or are being violated, and allow 30 days for the violations to be cured. If the violations are cured within this period, no action will be initiated against the violator.
Virginia’s CDPA marks another major step in the rapid expansion of privacy law in the United States and will affect businesses throughout the country – especially all those in the Southeast doing a significant amount of business in Virginia. While the plain language of the CDPA may be clear in some places, the statute still leaves a lot of gray area and uncertainty about how the law will be construed and applied. Compliance, therefore, will be an evolving process. For more information about the CDPA and how it could affect your business, please contact any member of Robinson Bradshaw’s Cybersecurity and Privacy Practice Group.