Virginia Becomes Second State to Pass Comprehensive Consumer Privacy Law
On March 2, 2021, Virginia Governor Ralph Northam signed into law the Consumer Data Protection Act (CDPA). In doing so, Virginia became the second state to enact a comprehensive consumer privacy law. The CDPA mirrors some of the key components of the California Consumer Privacy Act (CCPA) and EU’s General Data Protection Regulation (GDPR). The CDPA’s enactment was a surprise to many, given that it began its legislative trajectory in mid-January. Companies will have until January 1, 2023, to come into compliance. The following analysis provides an overview of some of the CDPA’s most salient provisions.
Applicability to Non-Virginia Businesses
The CDPA’s applicability is not limited to businesses in Virginia. Instead, with exceptions, the CDPA applies to any entity that conducts business in Virginia or produces products or services targeted to Virginia residents and that meets one of the following requirements:
- During a calendar year, controls or processes the personal data of at least 100,000 “consumers” (e.g., Virginia residents); or
- Controls or processes the data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.
Unlike the CCPA, the CDPA does not include a revenue threshold for applicability. Also, unlike the CCPA, the CDPA’s definition of “sale” is limited to the “exchange of personal data for monetary consideration” and does not include the CCPA’s broader (and more ambiguous) “other valuable consideration” language.
The CDPA defines “consumer” as a “natural person who is a resident of the Commonwealth acting only in an individual or household context.” As a result, the CDPA exempts the processing of data relating to consumers “acting in a commercial or employment context.”
The CDPA contains several other entity- and data-specific exemptions. Entities that are exempted from the CDPA include:
- “covered entities” and “business associates” under HIPAA and HITECH
- nonprofit organizations
- institutions of higher education
- financial institutions (or information) subject to the Gramm-Leach-Bliley Act (GLBA)
- various types of Virginia governmental and political bodies
The CDPA also exempts 14 categories of personal data, including data regulated by GLBA, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and employee/job applicant data collected and used within the context of employment or recruitment. Further, through its definition of “personal data,” the CDPA exempts personal data that has been deidentified or that is “publicly available.” The CDPA definition of “publicly available” is broader than the CCPA’s. It includes personal data that “is lawfully made available through federal, state or local government records or that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.”
Controllers and Processors
The CDPA applies to “controllers” and “processors”—concepts borrowed from the GDPR. “Controllers” are those businesses that determine the purpose and means of the processing of personal data and are subject to certain requirements. “Processors” are those businesses that process personal data on behalf of a controller. Controllers shoulder the burden of most of the CDPA’s obligations. Processors are required to follow the controllers’ instructions and assist them in fulfilling certain obligations under the CDPA. Further, as discussed below, controllers and processors are required to enter into binding contracts that contain certain required terms.
In line with other comprehensive privacy legislation, the CDPA offers several rights to individual consumers:
- Right to confirm whether a controller is processing the consumer’s personal data
- Right to access the personal data being processed by a controller
- Right to correct inaccuracies in the consumer’s personal data
- Right to delete personal data provided by or obtained about the consumer
- Right to obtain a copy of the consumer’s personal data in a portable format
- Right to opt out of the processing (not just sale) of personal data for certain purposes, including targeted advertising and profiling
The above rights require, in a practical sense, that companies be familiar with their own data practices so as to be able to adequately respond to a consumer’s request.
Controllers are required to respond to a consumer within 45 days of receipt of a request, but this period is extendable for an additional 45-day period when reasonably necessary, so long as the controller provides the consumer notice and the reason for the extension. The CDPA also requires that controllers establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time. If an appeal is denied, the controller is also required to provide the consumer with an “online mechanism” or other method through which the consumer may submit a complaint to the Virginia Attorney General.
Data Protection Assessments
Controllers must conduct and document a data protection assessment for targeted advertising activities, the sale of personal data, profiling-related activities, the processing of “sensitive data” and any processing activities that “present a heightened risk of harm to consumers.” Businesses are directed to factor into such assessments, amongst other things, the “reasonable expectations of consumers.” The Attorney General may then request that a controller disclose its data protection assessments in the context of an investigation by the Attorney General.
Companies preparing for the California Privacy Rights Act (CPRA), which also takes effect January 1, 2023, will likely find themselves in a better position to cope with this obligation, since the CPRA similarly requires periodic risk assessments. But companies should note the CDPA’s broad scope of activities that necessitate a data protection assessment.
Data Processing Agreements
Companies subject to the CDPA may also need to assess and update their vendor contract management policies and procedures. As indicated above, a controller and processor must enter into an agreement that governs the processing activities undertaken by the processor on the controller’s behalf.
Data processing agreements must include:
- instructions for processing personal data
- the purpose of the processing
- the type of data subject to processing
- the duration of processing
- the rights and obligations of both parties
- a confidentiality obligation
- specific requirements relating to the return or deletion of personal data, among other items
These contractual obligations may mean companies need to take new or additional steps to document a service provider’s processing activities.
Transparency, Disclosures and Data Minimization
Another concept borrowed from GDPR is the concept of “data minimization.” Under GDPR, personal data shall be “adequate, relevant and limited to what is necessary” in relation to the purposes for which the data is processed. Similarly, the CDPA mandates that controllers limit the collection of personal data only to what is “adequate, relevant and reasonably necessary” in relation to the purposes for which such data is processed, but also “as disclosed to the consumer.”
Disclosure is also key to how a controller may process personal data: controllers are prohibited from processing personal data for purposes that are neither “reasonably necessary to nor compatible with the disclosed purposes” for processing. Consumer consent is required if processing is to extend beyond this disclosure-based standard. Further, controllers are required to post privacy policies that contain certain disclosures:
- the categories of personal data processed by the controller
- the purpose for processing personal data
- how consumers can exercise their rights under the CDPA and appeal a controller’s decision regarding a consumer request
- the categories of personal data that the controller shares with third parties
- the categories of third parties with whom the controller shares personal data
The CDPA does not, however, specify a particular format that these disclosures must follow.
The CDPA does not provide a private right of action, unlike the CCPA, which contains a limited private right of action pertaining to data breaches. The Virginia Attorney General is solely responsible for enforcement of the CDPA. The Attorney General must notify a controller and provide a 30-day period to cure any violations. If the controller fails to properly cure the violations, the Attorney General may bring an enforcement action seeking injunctive relief and civil penalties of up to $7,500 for each violation.
More than ever, transparency and individual control over personal information are shaping the standards for collecting and processing consumer data. While companies subject to CCPA have likely updated their privacy policies to make their collection and disclosure practices more transparent and implemented processes for acting on consumer requests, the CDPA’s conduct limitations, data processing agreement or assessment requirements, and additional request response processes make it even more imperative to ensure that your company’s practices and disclosures—whether in its privacy notices, vendor agreements or internal policies—set forth accurate and thorough expectations for processing personal information. Doing so will allow your business to appropriately utilize the data it collects.