Virginia passes the Consumer Data Protection Act
After an extension into the 2021 special session, Gov. Ralph Northam, D-Va., signed the Virginia Consumer Data Protection Act into law March 2, 2021. In doing so, Virginia became the second state to enact comprehensive privacy legislation and the first to do so on its own initiative (California led the way in 2018. but the Legislature moved forward with the bill because they were facing a ballot initiative if they failed to do so).
The CDPA’s substance is not particularly new compared to recent privacy laws. It draws heavily from the proposed Washington Privacy Act and includes components similar to the California Consumer Privacy Act.
Perhaps the most crucial question for any organization, when faced with a new law, is whether the law even applies to them. Under the CDPA, obligations are imposed on entities that:
– Conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either:
– Control or process the personal data of at least 100,000 consumers during a calendar year.
– Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.
Those familiar with the CCPA will likely notice the absence of a revenue threshold imposing obligations. This means even large businesses will not be subject to the law so long as they do not fall within one of the two categories listed above. Additionally, compared to the CCPA, the law doubles the number of residents’ data that must be collected or processed before it becomes applicable to a business.
The CDPA’s scope is also partially determined by a few key definitions. “Consumer” is defined as “a natural person who is a resident of the Commonwealth acting only in an individual or household context.” Importantly, it explicitly omits a person from its definition where they are “acting in a commercial or employment context.” Thus, unlike the California Privacy Rights Act — which includes employee data — businesses need not consider the employee personal data they collect and process when evaluating the law’s applicability.
Additionally, the “sale of personal information” is defined as “the exchange of personal data for monetary consideration by the controller to a third party.” Unlike the CCPA, under which a sale occurs where personal data is exchanged for “monetary or other valuable consideration,” the CDPA requires that the consideration must be monetary to qualify as a sale of data. The definition of sale also includes a few notable exclusions:
1. Disclosures to processors.
2. Disclosures to a third party for purposes of providing product or service requested by the consumer.
3. Disclosures to controller’s affiliate.
4. Disclosures of information that consumers (A) intentionally made available to the general public via a mass media channel and (B) did not restrict a specific audience.
5. Disclosures as part of a merger, acquisition, etcetera.
The definition of personal data is also crucial for determining scope in that it excludes any deidentified data or publicly available information. This exclusion is significant given the CDPA’s definition of “publicly available information.” Like the CCPA, the term is partially defined as “Information that is lawfully made available through federal, state, or local government records.”
However, the CDPA also includes in its definition of publicly available any “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.” This language is notable in that when determining whether a piece of information is publicly available, there is an additional subjective inquiry into the business’s reasonable belief in addition to the traditional objective analysis.
Before calculating whether it meets the thresholds set forth above, an entity should first see whether it or the data it collects is exempt. There are two main categories of exemptions under the CDPA: entity-level exemptions and data-level exemptions. The CDPA provides five types of exempted entities:
1. A body, authority, board, bureau, commission, district, or Virginian agency or any Virginian political subdivision.
2. Any financial institution or data subject to the Gramm-Leach-Bliley Act.
3. A covered entity or business subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.
4. A nonprofit organization.
5. An institution of higher education.
The entity-level exemptions for the CDPA regarding HIPAA and the GLBA are particularly notable. Under the law, such institutions are exempted from the law for the HIPAA and GLBA regulated data and all data they collect. This remains true even where the data itself would not necessarily be otherwise exempted.
There are 14 categories regarding exempted datasets, including specific information regulated by the GLBA, the Fair Credit Reporting Act, the Drivers Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act. Additional exempted types of information include specific employee and job applicant data.
Rights and obligations
The CDPA provides consumers with six main rights.
Right to access. Consumers have the right “to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data.”
Right to correct. Consumers have the right to correct inaccuracies in their personal data, considering the nature of the personal data and the purposes of the processing of the consumer’s personal data.
Right to delete. Consumers have the right to delete personal data provided by or obtained about the consumer.
Right to data portability. Consumers have the right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
Right to opt out. To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data and profiling in advancing decisions that produce legal or similarly significant effects concerning the consumer.
The CDPA fails to provide any exceptions to these rights. The language provided above constitutes the law’s entire discussion of consumer rights. Thus, where a business receives an authenticated request, the law, as written, mandates that the business must comply, irrespective of the hardships or impracticable nature of the request.
Right to appeal. The final right the CDPA provides to consumers is the right to appeal a business’s denial to act within a reasonable time. Under the law, a business must respond to a consumer request within 45 days of receipt of the request. Where reasonably necessary, the business may then extend the response deadline by an additional 45 days as long as they notify the consumer within the initial response window. If a business fails to do this, the CDPA mandates that a “controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable time after the consumer’s receipt of the decision.” If the appeal is denied, the controller needs to inform the consumer how they can submit a complaint to the attorney general.
Limits on collection. Like the CCPA and the EU General Data Protection Regulation before it, the CDPA includes a provision limiting the collection of data to that which is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”
Limits on use. Once the data has been collected, the statute mandates a business “not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.” Furthermore, the act imposes limits on processing sensitive personal information such that doing so is prohibited absent consumer consent.
Technical safeguards. In addition to imposing obligations on the business’s processing activities, the CDPA, like the CCPA and GDPR, also mandates a business “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
Data protection assessments. The CDPA also requires controllers to conduct “data protection assessments” that evaluate the risks associated with processing activities. While the act specifies the types of activities that must be assessed, it fails to indicate how often they must occur and how long they must be kept.
Data processing agreements. Like the GDPR’s Article 28, the CDPA requires that processing activities undertaken by a processor on behalf of a controller be governed by a data processing agreement. Such agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” The provision provides a set of enumerated terms that must be included in the agreement.
– The categories of personal data processed by the controller.
– The purpose for processing personal data.
– How consumers may exercise their consumer rights and appeal a controller’s decision regarding the consumer’s request.
– The categories of personal data that the controller shares with third parties, if any.
– The categories of third parties, if any, with whom the controller shares personal data.
Unlike other proposed state bills, however, the CDPA has no requirements regarding the time disclosures must be made or any particular format they must follow.
The CDPA lacks a private right of action, and enforcement falls solely to the attorney general. Once the attorney general decides to take action, the office must notify the controller. The controller then has 30 days to cure the violation and provide the attorney general with an “express written statement that the alleged violations have been cured and that no further violations shall occur.” If the controller fails to cure the violation, the attorney general may fine them up to $7,500 per violation.
If the CCPA has taught us anything, understanding the bill as passed is only the first step on the road to compliance. To be sure, the lack of clarity surrounding many of the CDPA’s provisions indicates that we have only a partial picture of what is to come. Here at the IAPP, we will be keeping a close eye on any developments and updating you accordingly.