United States: Virginia Enacts The Nation's Second Comprehensive Consumer Data Privacy Law

On March 2, 2021, Virginia's governor, Ralph Northam, signed the Virginia Consumer Data Protection Act (CDPA, or the Act) into law. The CDPA is set to take effect on January 1, 2023, and is the second comprehensive consumer privacy law to be enacted in the United States behind the California Consumer Privacy Act (CCPA), recently amended by the California Privacy Rights Act (CPRA). The CPRA, which is discussed at length on  technologylawdispatch.com, is also set to take effect on January 1, 2023.

In short, the CDPA works to establish a comprehensive framework for controlling and processing personal data in Virginia, drawing on both the CCPA/CPRA and the European Union's General Data Protection Regulation (GDPR).

Scope and exemptions

The CDPA applies to all businesses that (i) control or process personal data of at least 100,000 Virginia consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The Act defines the "sale of personal data" as "the exchange of personal data for monetary consideration by the controller to a third party."¹

A "consumer" is defined as "a natural person who is a resident of Virginia acting only in an individual or household context." Importantly, it does not include a natural person acting in a commercial or employment context, and, therefore, the data subject rights and protections provided will extend only to individual consumers of goods and services.

It is important to note that the scope of the CDPA differs from that of the CCPA/CPRA in several important respects, including:

• The CDPA exempts employee information, unlike the CCPA/CPRA.
• The CDPA lacks a pure revenue threshold, requiring businesses to fall into one of the two categories outlined above to be subject to the Act.
• The definition of "sale of personal data" requires monetary consideration rather than monetary or other valuable consideration as is contemplated by the CCPA.
• The CDPA applies to entities that process or control data. The CCPA does not make this explicit distinction; it applies to businesses that meet certain thresholds, one being that the business buys, receives for its commercial purposes, sells, or shares for its commercial purposes, personal information (of 50,000 or more consumers).
• The CDPA contains broad exemptions for various types of entities. Most notably, the CDPA does not apply to financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) or covered entities or businesses subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act. Further, the CDPA does not apply to any body, authority, board, bureau, commission, district, or agency of Virginia or of any political subdivision of Virginia. The CCPA does not broadly exempt entities that are subject to these regulations, but instead focuses on the data and whether the data is covered by one of these regulations. For example, personal health information that is collected and used in accordance with HIPAA is exempt from the CCPA.
• Separately, the CDPA expressly exempts 14 categories of data, including, among other categories, information regulated under HIPAA, the GLBA, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act. As mentioned above, the CCPA has similar exemptions for certain categories of information. For example, the CCPA exempts data governed by HIPAA, HITECH, CMIA, clinical trial data, FCRA, GLBA, the Driver's Privacy Protection Act, and certain vehicle information.

Consumer and data subject rights

The CDPA grants consumers a series of rights related to their personal data. The Act defines personal data as "any information that is linked or reasonably associated to an identified or identifiable natural person" and "does not include de-identified data or publicly available information." Specifically, consumers have the right to request the following from a processor:

• Access: To confirm whether or not a controller is processing their personal data and to access such personal data;
• Correction/rectification: To correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data;
• Deletion: To delete their personal data;
• Portability: To obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
• Opt-out: To opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

It is important to note that these rights expand upon those found in the CCPA in many respects, including the right to opt out of processing personal data for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. However, the CPRA does expand upon the rights granted by the CCPA. In particular, it provides consumers with the ability to opt out of cross-contextual advertising and also with the right to data portability and the right to correct their data, among others. Still, it is important to note that the right to opt out of the sale of information under the CDPA is likely more restrictive here than under California's laws, given the more narrow definition of a "sale."

Timeframe for responding to a request. Once a request is received from the consumer, the controller must respond within 45 days, although the response period may be extended once by 45 additional days when reasonably necessary. If a controller declines to take action, it must provide the consumer with 1) its justification for declining to take action and 2) instructions for how to appeal its decision, within 45 days of receipt of the request. Similar to the GDPR and CCPA, controllers must establish a workflow for processing data subject requests within that timeline. Upon receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the controller's decisions, within 60 days. If the appeal is denied, the controller must also provide consumers with an online mechanism to contact the attorney general and submit a complaint.

Data controller and processor responsibilities

The CDPA borrows from GDPR terminology, declining to take on the "service provider" definition contemplated by California. The CDPA imposes obligations on data controllers when processing data that are familiar concepts seen in other international privacy laws. These require companies to:

• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is being processed (data minimization);
• Not process data for purposes that are not reasonably necessary to the disclosed purposes for which it is processed, unless the companies obtain consumer consent (purpose limitation);
• Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data (adequate safeguards);
• Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers (nondiscrimination requirement); and
• Not process sensitive data concerning a consumer without obtaining the consumer's consent (opt-in for sensitive data processing).

Privacy notice requirements. Notably, the CDPA requires that businesses provide consumers with a reasonably accessible, clear, and meaningful privacy notice explaining what categories of personal data are collected, and why. If the business shares personal data with a third party, the privacy notice must state what categories of data are being shared, and with what category of third party. The notice must also detail how data subjects may exercise their data subject rights and how to appeal a declining of their request. If the business sells personal data or uses personal data for targeted advertising, it must "clearly and conspicuously" disclose this, and describe how to opt out of it.

Data protection assessment requirement. The CDPA requires that a controller conduct a "data protection assessment" of the risks and benefits related to certain processing activities, including the processing of personal data for the purposes of targeted advertising, sale of personal data, profiling in certain contexts, or processing of sensitive data or data that presents a heightened risk of harm to consumers. This represents a new requirement for a business to document in a CDPA compliance file (preferably prior to undertaking the processing activity), as the attorney general may request to review it by way of an investigative civil demand. However, the law notes that review by the attorney general's office does not make the data protection assessment subject to disclosure under Virginia's Freedom of Information Act, nor does it constitute a waiver of attorney-client privilege.

Controller and processor relationships. The Act requires processors to "adhere to the instructions of a controller" and assist the controller in meeting its obligations under the Act. This includes appropriate technical and organizational measures and helping the processor respond to data subject requests. Importantly, the CDPA provides specific contractual measures above and beyond what California contemplates for "service providers." The Act requires particular elements of a valid controller/processor agreement, including:

• Specifying the nature and purpose of the processing;
• Specifying the type of data subject to processing;
• Clear instructions for processing the data;
• The duration of the processing;
• The rights and obligations of the parties, which must include processor responsibilities of:
  • Subjecting all those processing the personal data to the duty of confidentiality;
  • Deleting or returning all personal data to the controller upon request after provision of service has ended (unless retention is required by law);
  • Cooperating with reasonable audits and assessments by the controller of its technical and organizational measures (or alternatively, providing an audit and assessment carried out by a qualified and independent assessor); and
  • Providing all information required to prove its compliance with the CDPA, upon request.

If the processor engages a contractor to handle the personal data from the controller, the contractor must also be bound by the above requirements.

Enforcement and penalties

No private right of action. The attorney general retains exclusive authority to enforce CDPA violations. Businesses will be given a 30-day cure period after receiving notice of the specific provisions that are alleged to have been violated, and if these are not addressed, will be subject to a maximum $7,500 fine per violation (plus possible reimbursement of costs and reasonable attorneys' fees incurred by the attorney general). All civil penalties collected under the CDPA will be paid into the newly created Consumer Privacy Fund, which will be used to support the attorney general's enforcement of the CDPA.

Comparison of key provisions – CCPA/CPRA and CDPA

For ease of reference, we have provided below an overview of the key provisions companies should consider under both the CCPA/CPRA and CDPA when reviewing their compliance programs, privacy notices, and data subject request workflows around authentication, assessment, and response.

Both the CPRA and CDPA are set to take effect on January 1, 2023 – less than two years away. As companies that have been subject to the CCPA and GDPR know, comprehensive compliance programs require time and coordination across different departments (legal, compliance, IT, information governance, etc.). Accordingly, it is imperative that companies consider their obligations under both the CPRA and CDPA as soon as practicable.

Footnote

1. The CDPA's definition of "sale" also expressly excludes disclosures to processors; disclosures to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer; disclosures or transfers to an affiliate of the controller; disclosures that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; and disclosures or transfers to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

This article is presented for informational purposes only and is not intended to constitute legal advice.