Virginia Becomes the Second State to Pass Comprehensive State Data Privacy Law
Another state has enacted a consumer data privacy act with extraterritorial implications. The Virginia Consumer Data Protection Act (“CDPA”) was signed into law by Governor Ralph Northam on March 2, 2021, making Virginia the second state to pass a comprehensive state data privacy law after California. While enacting this law marks another step toward widespread data privacy regulation in the United States, businesses wondering whether they will be required to comply with the CDPA should be aware that Virginia’s privacy law is not as far-reaching as the California Consumer Privacy Act of 2018 (“CCPA”). However, the CDPA is still noteworthy in its unique rights for consumers and obligations for business.
Scope of the CDPA
The CDPA, which goes into effect on January 1, 2023, applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents and that either (a) control or process the personal data of 100,000 or more Virginia residents in a calendar year, or (b) control or process the personal data of 25,000 or more Virginia residents and derive more than 50 percent of their gross revenue from the sale of personal data. “Personal data” is defined under the CDPA as information that is linked or reasonably linkable to an identified natural person and excludes deidentified or publicly available information.
Consumers’ Rights Under the CDPA
The six primary consumer rights included in the CDPA are the right to access, right to delete, right to correct, right to data portability, right to opt out, and right to appeal. These rights are summarized as follows:
- Right to Access: The right to confirm whether a business is processing the consumer’s personal data and to access that data;
- Right to Delete: Allows consumers to delete the data that was provided to or otherwise obtained by a business;
- Right to Correct: Allows consumers to correct any inaccuracies in their personal data;
- Right to Data Portability: Allows consumers to obtain a copy of data they previously provided to a business in a portable format that allows the consumer to transmit their data to another business;
- Right to Opt Out: The ability to opt out of data processing used for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce “legal or similarly significant effects” concerning the individual; and
- Right to Appeal: A consumer can appeal a company’s refusal to provide personal data.
Similarly to the CCPA and Europe’s GDPR, the CDPA includes a provision limiting the collection of data to data that is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” A business may not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the business obtains the consumer's consent.
Additionally, covered companies must obtain opt-in consent from the consumer to collect or process sensitive personal data. This includes data such as race, religion, sexual orientation, mental or physical health diagnosis, biometric data, personal data collected from a known child, and precise geolocation. This opt-in requirement for any processing of sensitive personal data is stricter than that of the CPRA, which provides only an opt-out right to consumers for this type of data, beginning in 2023.
Additional CDPA Requirements
- Establishing a privacy policy. The privacy policy requirement is particularly noteworthy, as it creates a legal obligation to publish an accessible, clear, and meaningful privacy notice. The privacy notice must disclose the categories of personal data collected, the purpose of the processing, how a consumer can exercise their rights with respect to their personal data, the categories of personal data shared with third parties, the categories of third parties with whom the business shares personal data, whether personal data is sold to third parties and how to opt out, and whether personal data is used for targeted advertising and how to opt out;
- Conducting data protection assessments;
- Implementing “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;”
- Implementing a data processing agreement for any processing activities undertaken by a processor on a company’s behalf. The agreement must include instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
Unlike the CCPA, Virginia’s law does not include a private right of action and enforcement is left exclusively to the state attorney general. Virginia’s attorney general will be able to enforce the law with potential fines of $7,500 per violation.
Differences Between Virginia’s CDPA and California’s CCPA
The scope of the CDPA is narrower than the CCPA in several respects. First, unlike the CCPA, which went into effect on January 1, 2020, Virginia’s CDPA does not include a revenue threshold that would make large businesses subject to the law even if they did not control or process a significant amount of data of Virginians.
Second, several of the definitions under Virginia’s CDPA are narrower than their counterparts under California’s CCPA:
- CDPA defines “consumer” as a natural person who is a resident of Virginia acting only in an individual or household context. The definition explicitly excludes a person who is acting in a “commercial or employment context.” Contrary to the CCPA, businesses will not need to consider employee personal data when determining whether the law applies to them;
- The definition of the “sale of personal information” under CDPA is also narrower than that of the CCPA. While the CCPA finds that a sale occurs whenever personal data is exchanged for “monetary or other valuable consideration,” the CDPA definition includes only monetary consideration. The CDPA’s definition of “sale” also excludes disclosures to processors, disclosures to a third party for purposes of providing products or services requested by the consumer, disclosures to the company’s affiliate, disclosures of information that consumers intentionally made available to the general public through a mass media channel and did not restrict to a specific audience, and disclosures as part of a merger, acquisition, or other restructuring.
- Similar to the CCPA, the definition of “publicly available” data that is not regarded as personal data includes information lawfully made available through federal, state, or local government records. However, the CDPA definition also includes “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.” This incorporates a unique subjective element into the personal data definition, allowing businesses to consider their reasonable belief when determining whether certain information is publicly available.
Exemptions under Virginia’s CDPA
There are two primary categories of exemptions under the CDPA: entity-level exemptions and data-level exemptions. The following types of entities are exempted: (1) a body, authority, board, bureau, commission, district, or Virginian agency or any Virginian political subdivision, (2) any financial institution or data subject to the Gramm-Leach-Bliley Act (“GLBA”), (3) a covered entity or business subject to HIPAA, (4) a nonprofit organization, and (5) an institution of higher education. There are fourteen categories of data level exemptions, including including specific information regulated by the GLBA, the Fair Credit Reporting Act, the Drivers Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act, as well as specific employee and job applicant data.
The passage of the CDPA will likely influence other states to pass similar privacy regulation, with bills currently in development in Washington, Oklahoma, New York, and other states. For more information on the CDPA’s requirements, the final text of the bill may be viewed here.
Although the CDPA does not go into effect for some time, it is never too early to start assessing your company’s data privacy obligations and begin working toward compliance. Koley Jessen will continue to monitor developments related to the CDPA and advise as updates become available. If you have questions on whether your business needs to comply with the CDPA or what steps you must take to comply with the CDPA, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.