On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“CDPA”) into law, making Virginia the second state, behind California, to enact comprehensive privacy legislation. The CDPA, which goes into effect on January 1, 2023, does not contain any substantially new privacy concepts. Instead, the CDPA is largely a combination of independent elements from the California Consumer Privacy Act (“CCPA”) (including amendments to the CCPA under the California Privacy Rights Act (“CPRA”) approved by California voters in November 2020) and the European Union General Data Protection Regulation (“GDPR”). This combination results in a regulatory framework that falls somewhere in between the CCPA and the GDPR with respect to consumer rights and business obligations.
The CDPA’s scope takes a similar approach to the CCPA, with some key differences that will likely result in a narrower application of the law. With respect to individuals, the CDPA applies only to Virginia residents (“consumers”), and only to the extent those individuals are acting in an individual or household capacity; individuals acting in a commercial or employment context are expressly excluded from the CDPA’s scope.
From a compliance perspective, entities are required to comply with the CDPA if they conduct business in Virginia or produce products or services that are targeted to Virginia residents and either: (1) control or process personal data of at least 100,000 consumers during a calendar year; or (2) control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenues from the sale of personal data. Notably, the thresholds do not include a gross annual revenue threshold. Thus, unlike the CCPA, large businesses (i.e., those with more than $25M in gross annual revenues) are not automatically subject to the CDPA simply due to their gross revenues and, instead, will only be subject to the CDPA based on the volume of the personal data they collect or process.
Additionally, the CDPA grants certain exemptions that will likely further narrow the scope of entities that are required to comply with the CDPA. Like the CCPA, the CDPA expressly exempts 14 categories of data that are subject to certain federal and state laws, including HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and others. However, unlike the CCPA, which still applies to entities with respect to the operations that are not directly subject to these laws, the CDPA provides entity-wide exemptions to financial institutions subject to the Gramm-Leach-Bliley Act and to covered entities or business associates governed by the privacy, security and breach notification rules under HIPAA and HITECH.
The CDPA adopts the GDPR’s nomenclature for entities subject to the CDPA, defining a “controller” as the entity that, alone or jointly with others, determines the purpose and means of processing personal data and a “processor” as the entity that processes personal data on behalf of a controller. The obligations imposed on controllers under the CDPA are similar in many respects to those under the GDPR and the CCPA (especially as amended by the CPRA), including: placing restrictions on the amount of personal data a controller collects and the processing of that personal data; requiring controllers to obtain consent from consumers before processing sensitive data about those consumers; requiring controllers to establish, implement, and maintain appropriate administrative, technical, and physical safeguards designed to protect personal data; and requiring controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that identifies the categories of personal data processed and the purposes for the processing, how consumers can exercise their rights under the CDPA, and information about sharing personal data with third parties.
The CDPA also imposes obligations on controllers that sell personal data and/or process personal data for targeted advertising, including clearly disclosing that they do so and providing consumers with at least one option to opt out of these activities. However, the CDPA takes a narrower approach in how it defines “selling” personal data, limiting it to the exchange of personal data for monetary consideration. In addition to omitting the CCPA’s inclusion of exchanges of personal data for “other valuable consideration”, the CDPA also expressly provides that selling personal data does not include: (a) disclosing personal data to a third party that processes data on behalf of the entity; (b) disclosing personal data to a third party for purposes of providing a product or service requested by the consumer; (c) disclosing or transferring personal data to an affiliate of the entity; (d) disclosing information that a consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or (e) disclosing or transferring personal data to a third party as an asset as part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control over all or part of the entity’s assets.
Similar to the approach in the CPRA, the CDPA also requires controllers to conduct and document data protection assessments for certain processing activities involving personal data, including: (a) processing personal data for the purposes of targeted advertising; (b) selling personal data; (c) processing personal data for purposes of profiling if the profiling presents certain reasonably foreseeable risks to consumers; (d) processing sensitive data; and (e) any other processing activities involving personal data that present a heightened risk of harm to consumers.
The CDPA also imposes familiar obligations on processors, including requiring processors to adhere to the instructions of a controller; to assist controllers in meeting their obligations under the CDPA with respect to the protection of personal data and responding to consumer rights requests; and to provide necessary information to the controller to conduct and document data protection assessments.
Additionally, the CDPA requires that whenever a controller engages a processor to process personal data on its behalf, the engagement must be governed by a contract that clearly sets forth the instructions for processing the personal data, the nature and purpose of the processing, the types of personal data subject to the processing, the duration of the processing, and the rights and obligations of both parties.
The rights granted to consumers under the CDPA are similar in most respects to those under the CCPA, either now or once the CPRA goes into effect, and the GDPR. Those rights are:
- Access – consumers have the right to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data;
- Correction – consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing;
- Deletion – consumers have the right to have their personal data collected by the controller deleted;
- Portability – where processing is carried out by automated means, consumers have the right to obtain a copy of the personal data they provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance;
- Opt-Out – consumers have the right to opt out of the processing of their personal data for purposes of: (a) targeted advertising; (b) the sale of personal data; or (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers are required to comply with authenticated requests (i.e., requests where the controller has verified that the consumer making the request is the same consumer with respect to the personal data at issue) by responding within 45 days of their receipt of the request. This time period can be extended for one additional 45-day period when reasonably necessary. Information provided in response to a request must be provided free of charge, up to twice annually per consumer.
If a controller declines to take action on any request, the controller is required, no more than 45 days after the controller received the request, to notify the consumer of its decision not to take action on the request, its justification for its decision, and information about how the consumer can appeal the decision.
Unlike the GDPR and the CCPA, no private right of action exists under the CDPA. The Virginia Attorney General has the exclusive authority to enforce the CDPA. Violations of the CDPA can carry civil penalties of up to $7,500 for each violation. However, entities have 30 days to cure any alleged violations, as notified to them by the Attorney General, before any action can commence.
If the process from enactment to enforcement for the CDPA is anything like the CCPA, it is reasonable to expect significant changes to the CDPA and any underlying regulations between now and January 1, 2023. Michael Best will continue to monitor and provide updates on the progress of the CDPA. For additional information on the CDPA as well as assistance in complying with existing privacy laws, please contact a member of our Privacy & Cybersecurity Team.