What Small Business Owners Should Know About The New Virginia Consumer Data Protection Act

On March 2, 2021, Virginia became the second state to enact a comprehensive state privacy law when Governor Northam signed the Virginia Consumer Data Protection Act (the “CDPA”) into law. The CDPA creates consumer rights, similar to California’s Consumer Data Protection Act, but also imposes security and assessment requirements for businesses. While it will not go into effect until January 1, 2023, preparations to comply with the new law should begin sooner rather than later. Here are a few key provisions of the CDPA:

• Scope & Exemptions. The CDPA applies to businesses that (1) conduct business in Virginia or produce products or services that target Virginia consumers, and (2) meet one of the following requirements during a calendar year:

1. 1. Control or process personal data of at least 100,000 consumers; or
      
   2. Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Businesses should note that the CDPA does not have a revenue threshold. Accordingly, small businesses that hold a substantial amount of consumer data will be subject to this law.

Although the CDPA is quite broad, there are a few listed exemptions. First, it expressly exempts the following entities:

1. 1. Virginia public entities;
      
   2. GLBA-covered entities;
      
   3. HIPPA-covered entities;
      
   4. Nonprofit organizations; and
      
   5. Higher education institutions.

The CDPA also exempts certain data, including data protected by federal laws like HIPPA, the GLBA, FERPA, and the Fair Credit Reporting Act. The CDPA further exempts data processed or maintained: (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role; (ii) as emergency contact information for an individual; or (iii) that is necessary to retain or administer benefits for another individual.

• Controller vs. Processor Distinction. The CDPA distinguishes between entities that process personal data as “controllers” and “processors.” The law mandates different requirements for each – generally speaking, controllers are entities that determine the purpose and means of processing personal data, and processors process data on behalf of a controller. The relationship between the controller and processor must be governed by a contract that includes certain specified requirements and obligations for the processor.
  
• Broad definition of personal data. The CDPA defines personal data broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person”. Publicly available information and de-identified data are excluded from this definition. Further, the CDPA regulates “sensitive data.” Sensitive data is defined as a category of personal data that includes: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data to uniquely identify a natural person; (iii) personal data collected from a known child; or (iv) precise geolocation data. This sensitive data is subject to additional requirements and restrictions (i.e., controllers may only process sensitive data with the consumer’s consent).
  
• Individual Rights. Consumers have the following rights under the CDPA:
  

1. 1. Right to access. Consumers have the right to confirm whether a controller is processing their personal data and obtain access to that data.
      
   2. Right to correct. Consumers have the right to correct inaccuracies in their personal data.
      
   3. Right to delete. Consumers have the right to delete their personal data.
      
   4. Right to data portability. Consumers have the right to obtain a copy of their personal data in a portable and readily usable format.
      
   5. Right to opt-out. Consumers have the right to opt-out of the processing of their personal data for: (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Businesses must respond within 45 days of receipt of any such request from a consumer; however, a business may extend where reasonably necessary for an additional 45 days if the consumer is notified within the first 45-day period. Additionally, businesses must establish procedures for consumers to appeal a failure to act on a request within a reasonable period and inform consumers how they can submit a complaint to the Attorney General if the appeal is denied.

• Enforcement. The Virginia Attorney General has the exclusive authority to enforce the CDPA and to impose a civil penalty of up to $7,500 per violation. However, businesses can avoid an enforcement action by properly remedying the violation within 30 days of receiving notice. Note that the CDPA does not provide a private right of action. However, the CDPA requires businesses to establish procedures for consumers to appeal any denial of their rights under the CDPA.

While 2023 may seem distant, efforts to comply with privacy laws have proven to be time-consuming—requiring time to carefully plan, assess gaps in current compliance mechanisms, and implement new policies and processes. Accordingly, it is not too early to start preparing to comply with the CDPA. Business owners should consult with their legal and IT advisors to ensure compliance with these evolving privacy laws and consider:

1. Completing a data mapping and inventory exercise;
   
2. Providing a publicly available privacy policy;
   
3. Providing written notice to all individuals at or before the time personal data is collected;
   
4. Drafting processes and procedures to respond to consumer requests concerning personal data; and
   
5. Implementing data security measures to protect and secure personal data.

If you would like to read the full statute in its entirety, click here. Please do not hesitate to reach out if you have questions regarding the CDPA. To discuss further, e-mail or call Eric Perkins at [email protected] or (804) 205-5162.