Virginia has now become the second state in the United States to pass a comprehensive data privacy law. The Virginia Consumer Data Protection Act (“CDPA”), which passed in the Virginia House of Representatives (89-9) and Senate (39-0), and was signed into law by Governor Ralph Northam on March 2, 2021. The bill will now take effect January 1, 2023 – the same day as the newly enacted California Privacy Rights Act (“CPRA”).
The CDPA is similar in many ways to the California Consumer Privacy Act (“CCPA”) and CPRA, but also contains some key differences.
The CDPA “applies to all persons that conduct business in the commonwealth and either control or process personal data of at least 100,000 consumers or derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.”
“Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
The CDPA contains a number of exclusions that limit its applicability. It does not apply to:
- Commonwealth bodies or political subdivisions
- Any financial institution or data subject to the Gramm-Leach-Bliley Act
- Covered entities or business associates subject to HIPAA
- Higher education institutions
It also exempts different categories of data, including data already regulated by certain federal laws such as HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Children’s Online Privacy Protection Act, and the federal Farm Credit Act.
The law also limits the definition of the term “consumer” to a natural person “acting only in an individual or household context.” Accordingly, a person acting in a commercial or employment context is not a “consumer” whose personal data is covered by the CDPA.
The CDPA grants consumers a number of rights with respect to personal data, including the ability to:
- Confirm whether a controller is processing it and gain access to it
- Correct inaccuracies in it
- Delete it
- Obtain a portable copy of it·
Consumers also have the right to opt out of processing or personal data for purposes of targeted advertising, the sale of personal data to third parties, and profiling that produces legal or similarly significant effects on the consumer. It’s important to note that the CDPA’s opt-out requirements only apply in situations where data is provided to a third party for monetary consideration. This limitation regarding monetary consideration is different from what is found in the CCPA and CPRA, which allow a consumer to opt out in certain circumstances even in the absence of a monetary exchange.
Data Controller Responsibilities
The CDPA imposes limitations on the collection of data, without the consumer’s consent, to that which is adequate, relevant, and reasonably necessary for the disclosed purpose. To guard against the improper collection and use of data, controllers must establish “reasonable” administrative, technical, and security practices.
Data controllers are also required to conduct data protection assessments of processing activities that involve personal data being used in targeted advertising, sale of personal data, profiling, sensitive data (such as data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status), and data that presents a heightened risk of harm to consumers.
Consumers must also be provided with reasonably accessible privacy notices that disclose:
- Categories of personal data collected
- The purpose of the collection
- Categories of personal data the controller shares with third parties
- An explanation of how consumers can exercise their rights
Unlike California’s CCPA and CPRA, the Virginia CDPA does not provide for a private right of action. The power to enforce the law resides solely with the Virginia attorney general, who may seek up to $7,500 in damages per violation of the law.
With Virginia and California having adopted data protection laws, it’s likely that other states will follow suit. These laws go into effect in 2023, so it’s important that businesses begin taking steps to prepare themselves for the implementation of the laws.
If you have any questions about these data protection laws, or require assistance in evaluating or modifying your business’ practices in order to comply, please contact Brooks Kushman shareholder John Rondini (firstname.lastname@example.org).