Last week, Virginia’s governor signed into law the Consumer Data Protection Act (CDPA), which will take effect on January 1, 2023. This makes Virginia the second state in the US to pass a comprehensive data privacy law. California became the first with the enactment of the California Consumer Privacy Act of 2018 (CCPA), which took effect on January 1, 2020.
Who must comply with the CDPA?
The CDPA applies to businesses that, whether or not based in Virginia, conduct business in Virginia or produce products or services that are targeted to residents of Virginia and either (a) control or process personal data of at least 100,000 Virginia residents during a calendar year or (b) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The CDPA does not apply to state governmental bodies, nonprofit organizations, financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to the privacy, security and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or certain higher education institutions.
What information does the CDPA cover?
The CDPA applies to the processing of “personal data,” which means “any information that is linked or reasonably linkable to an identified or identifiable natural person” but does not include de-identified data or information that is publicly available. De-identified data includes data that “cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.”
Importantly, the CDPA’s substantive requirements apply only to personal data about “consumers,” which are defined as Virginia residents acting in an individual or household capacity. As such, the requirements do not extend to information about individuals acting in a commercial or employment context. The CDPA exempts several categories of information regulated by other laws and standards, including protected health information under HIPAA and various other categories of regulated health-related personal data, certain data about clinical trial participants, certain information regulated by the Fair Credit Reporting Act, information regulated by the federal Driver’s Privacy Protection Act, student information regulated by the federal Family Educational Rights and Privacy Act, and personal data processed in compliance with the Farm Credit Act.
In addition, the CDPA exempts certain information processed in the context of human resources and benefits administration, including certain information about employees, job applicants, emergency contacts and beneficiaries.
What does the CDPA require?
Like the General Data Protection Regulation (GDPR) and the CCPA, the CDPA distinguishes between organizations that process personal data for their own purposes and those that process personal data on behalf of another company (usually to provide a service). Similar to the GDPR, the CDPA defines a “controller” as an entity that, alone or jointly with others, determines the purpose and means of processing personal data. The CDPA defines “processor” as an entity that processes personal data on behalf of a controller. Like the CCPA, the CDPA also includes the notion of a “third party,” which it defines as an entity, natural or legal person, public authority, agency or body other than the consumer, controller, processor or an affiliate of the processor or the controller.
Under the CDPA, the controller’s responsibilities include:
- providing “clear and meaningful” privacy notice
- limiting the collection of personal data to that which is reasonably necessary
- not processing personal data for reasons that are not reasonably necessary
- not processing sensitive personal data without consent
- using reasonable and appropriate administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data
- taking steps to ensure de-identified data is protected, including taking reasonable steps to prevent reidentification, making a public commitment not to attempt to reidentify the data and contractually prohibiting recipients from reidentifying the data
Controllers must also honor the rights that the CDPA grants to consumers, which include the rights to:
- determine whether or not their personal data is being collected or processed
- request a copy of their data
- request deletion of personal data
- require the correction of inaccuracies
- opt out of the processing of their personal data that may be used for targeted advertising, sale or consumer profiling
In addition, the CDPA requires controllers to conduct a data protection assessment for several activities, including targeted advertising, the sale of personal data, profiling that “presents a reasonably foreseeable risk” of different kinds of injury to consumers, processing of sensitive data and processing that creates a “heightened risk of harm to consumers.” Such data protection assessments must assess the balance between the benefits to all stakeholders (including the consumer, the controller and the public) and the potential risks to the rights of the consumer, taking into account any mitigations that the controller has in place. The Virginia attorney general may request data protection assessments from controllers, who must produce them pursuant to an investigative civil demand.
A processor must “adhere to the instructions of the controller” and assist the controller with its activities. Such assistance includes helping to meet the controller’s obligations related to responding to consumer requests, providing data breach notifications and conducting data protection assessments. All obligations between the controller and the processor must be documented in a binding agreement between the parties that must specify:
- the controller’s data processing instructions
- the nature and purpose of the processing, the type of data to be processed and the duration of the processing
- the parties’ rights and obligations
- that the processor is subject to a duty of confidentiality with respect to the personal data
- that the processor must, as instructed by the controller, delete or return to the controller all personal data at termination
- that the processor must demonstrate compliance and subject itself to reasonable assessments by the controller
- that any subcontractor must be subject to the same contractual requirements as the processor
How is the CDPA enforced?
Enforcement of the CDPA lies exclusively with the Virginia attorney general (AG), who must provide a controller or processor with written notice of a violation of the CDPA. Such notice starts a 30-day period within which the violation may be cured, in which case the controller or processor must provide “an express written statement that the alleged violations have been cured.” Upon receiving such a statement, the AG will not take any action for statutory damages. However, if the violation persists after the 30-day cure period, the AG may seek damages of $7,500 for each violation under the CDPA. Civil penalties collected by the AG will be paid into a Consumer Privacy Fund used to support enforcement of the CDPA.
The CDPA emulates the GDPR and the CCPA in certain respects, but the laws differ, and compliance with those laws does not equate to compliance with the CDPA. Businesses now face differing comprehensive privacy laws in two states, which will increase their compliance costs and exposure to consumer complaints and legal action. Several other states (including Washington, New York and Minnesota) are considering comprehensive privacy legislation that may add to that burden, which will put increasing pressure on the US Congress to harmonize consumer privacy requirements through federal legislation. In any event, a holistic approach to privacy compliance will remain necessary for businesses to efficiently address their legal obligations in California, Virginia, Europe and any other relevant jurisdictions. This is especially so given that most businesses preparing for the CDPA to take effect on January 1, 2023, will also be subject to the California Privacy Rights Act of 2020, which will substantially expand the CCPA’s requirements and is effective the same day.