Earlier this year, the Virginia House of Delegates and Senate passed the Virginia Consumer Data Protection Act (“CDPA”). While the CDPA is currently awaiting the Governor’s signature, Virginia will likely be the second state (behind California) to formally adopt a consumer-friendly data privacy law.
The CDPA includes several noteworthy provisions, including:
- Applicability. As it stands, the law will apply to “persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia that: (1) during a calendar year, control or process personal data of at least 100,000 Virginia residents or (2) control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data.”
- Controller vs. Processor Distinction. The CDPA distinguishes between entities that process personal data as “controllers” and “processors.” The law mandates different requirements for each – generally, controllers are entities that determine the purpose and means of processing personal data, and processors process data on behalf of a controller.
- Exemptions. There are some exceptions to this “comprehensive” privacy law, including an exemption for “financial institutions . . . subject to the Gramm-Leach-Bliley Act” or any “covered entity or business associate governed by HIPAA.” There is also an exemption for information subject to most other federal laws, like information regulated by the Family Education and Privacy Act, the Children’s Online Privacy Protection Act, and the Driver’s Privacy Protection Act.
- Broad definition of personal data. The CDPA defines personal data broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person” (emphasis added). Publicly available information and de-identified data are excluded from this definition.
- Inclusion of sensitive data category. The CDPA defines sensitive data as (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) biometric data; (3) personal data collected from a child; or (4) precise geolocation data. This sensitive data is subject to additional requirements and restrictions (i.e., controllers may only process sensitive data with the consumer’s consent).
- Creation of individual rights. The CDPA creates five individual rights for Virginia residents, including: (1) the right to access; (2) the right to correct; (3) the right to delete; (4) the right to data portability; and (5) the right to opt-out of the processing of personal data for targeted advertising, certain profiling activities, and sales.
- Privacy notice. The CDPA requires controllers to provide notice to consumers. At minimum, the notice must provide: (1) the categories of data processed; (2) the purposes for processing such data; (3) how consumers can exercise their rights; (4) the categories of data shared with third parties; and (5) the categories of third parties with whom the controller shares personal data.
- Data protection assessments. The CDPA requires controllers to perform data protection assessments to “identify and weigh the benefits that may flow” from processing the personal data against the associated risks to the rights of consumers, and the controller may be restricted from engaging in some processing activities depending on the outcome of the assessment.
- Enforcement. The CDPA is exclusively enforceable through civil actions brought by the Virginia Attorney General (i.e., there is no private right of action under the CDPA). However, it does include a 30-day cure provision for potential violations. If the violations are not cured, the CDPA includes fine amounts of up to $7,500 per violation.
Once signed into law by the Governor, the CDPA is scheduled to go into effect January 1, 2023, thus giving companies plenty of time to prepare. Accordingly, businesses should start to take proactive measures to enhance their current data privacy programs (especially as other states continue to enact these types of consumer-friendly privacy laws of their own in the future).
Going forward, businesses should consult with their legal and IT advisors to ensure compliance with these evolving privacy laws and consider the following actions:
- Completing a data mapping and inventory exercise;
- Providing written notice to all individuals at or before the time personal data is collected;
- Drafting processes and procedures to respond to consumer requests concerning personal data; and
- Implementing data security measures to protect and secure personal data.
We will keep you posted on any significant updates. Please do not hesitate to reach out if you have any questions regarding the CDPA. To discuss further, e-mail or call Eric Perkins at [email protected] or (804) 205-5162.