Virginia’s Consumer Data Protection Act Passed

On March 2, 2021, Virginia became the second state to enact comprehensive privacy legislation and the first to do so on its own initiative. California leads the way as the first US Data Protection / Privacy Law was approved in 2018 (the EU’s GDPR was approved on 14 April 2016 and came into force on 25 May 2018). However, the Legislature moved forward with the bill in California because of a potential tougher ballot initiative if the law was not enacted.

Virginia’s CDPA does not add any new privacy issues if we compare it to recent privacy laws in other parts of the world. Its spirit and application draws heavily from the proposed Washington Privacy Act and some components are quite similar to the California Consumer Privacy Act.

Scope of Virginia Consumer Data Protection Act

The Act’s scope appears to have been drafted with small businesses and non-profits in mind, which are specifically excluded: like California’s legislation (but unlike GDPR) CDPA contains exclusions for nonprofit organizations, regardless of size, and for small and many medium-sized businesses.

Similar to other privacy laws in Brazil (LGPD), Europe (GDPR), the obligations that the Virginia Data Protection Act imposes are directed to corporations, business and organizations that are based in Virginia or produce products or services that are targeted or marketed to Virginia residents.  This is highly reminiscent of GDPR in that it applies not only to businesses that are physically located in Virginia, but also to any business, regardless of location. The concept of target was introduced by GDPR to discern, for example, cases in which business had websites available to EU resident, but not targetting EU residents.

The most crucial question for businesses, then, is if the law even applies to them. If you are familiar with California’s CCPA, you will already be aware of the revenue threshold imposing obligations. This is not the case in Virginia. Your business needs to be concerned about CPDA when you

  • Either process or control personal data of at least 100,000 consumers (during a calendar year).
  • Process or control personal data of at least 25,000 consumers and derive at least 50% of your gross revenue from the sale of personal data.

In practice, the above means even large businesses will not be subject CDPA as they do not fall within one of the two categories listed above. In this way, Virginia, like California, diverges from GDPR, which applies across the board to any business, whether large or small, for-profit or nonprofit, that collects or processes EU/UK data subjects’ personal information. The analysis in Virginia will be entirely based on the volume of Virginia consumers’ personal information the business processes each year, and/or whether they are in the business of selling Virginia consumers’ personal data.

Virginia’s more lax scope is also founded in some key definitions. An important difference with California’s more strict law, refers to the sale of personal information is considered where personal data is exchanged for "monetary or other valuable consideration", Virginia’s new Data Protection Act defines it as "the exchange of personal data for monetary consideration by the controller to a third party." Therefore, CDPA requires a monetary transaction so that selling data is considered as such. However, CDPA seems to improve on CCPA/GDPR and avoid pitfalls in some areas.

Exclusions and exemptions to the concept of “selling personal data”

CDPA’s definition of the concept of data selling and data in general specifically and significantly excludes:

  1. Disclosures to processors or to a controller's affiliate.
  2. Disclosures to a third party for purposes of providing product or service requested by the consumer.
  3. A body, authority, board, bureau, commission, district, or Virginian agency or any Virginian political subdivision.
  4. A nonprofit organization.
  5. An institution of higher education.
  6. Disclosures of information that consumers (A) intentionally made available to the general public via a mass media channel and (B) did not restrict a specific audience.
  7. Disclosures as part of a merger, acquisition, etcetera.
  8. Consumer-Facing Businesses (Not B2B): The Consumer Data Protection Act defines "consumer" as "a natural person who is a resident of the Commonwealth acting only in an individual or household context." It is very relevant that it explicitly omits a person from "acting in a commercial or employment context", establishing a different legal framework to California. For example, the latter includes employee data but in Virginia businesses are not obliged to consider the employees’ personal data that they collect and process. This definition also excludes sole proprietors, as they act in their business capacity, which creates a large exclusion for companies that are large employers of Virginia residents, but whose business does not involve collection of consumer information. GDPR does not make such distinction.
  9. Businesses Subject to Federal Privacy Schemes (like HIPAA or GLBA): CDPA clearly excludes businesses that are already subject to federal privacy legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and financial institutions that are regulated by the Gramm-Leach-Bliley Act (GLBA). California’s CCPA initially created confusion by excluding only data that was subject to these federal statutes, rather than the businesses themselves, which resulted in some businesses being subject simultaneously to several privacy regimes. Personal information regulated by the federal Fair Credit Reporting Act (FCRA) is similarly excluded.

The definition of personal data is also crucial in Virginia’s case because it also excludes any already de-identified data or, importantly, publicly available information. Just as in CCPA’s case, publicly available information is understood to be "Information that is lawfully made available through federal, state, or local government records" only.

However, the CDPA also includes in its definition of publicly available any "information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience." This language is notable in that when determining whether a piece of information is publicly available, there is an additional subjective inquiry into the business's reasonable belief in addition to the traditional objective analysis.

Consumer Rights Under CDPA

Virginia residents are given the right to:

  • View the personal data held by a covered entity.
  • Correct errors in the personal data held by a covered entity.
  • Delete personal data held by a covered entity.
  • Obtain a copy of the personal data held by a covered entity.
  • Opt out of processing of personal data for targeted advertising purposes.
  • Appeal the denial of a business to act on a request within a reasonable time frame (45 days). A response to any appeal must be provided within 45 days.

Enforcement of Virginia Consumer Data Protection Act

Enforcement falls solely to the Attorney General as CDPA lacks a private right of action. Once the Attorney General decides to take action, the office must notify the controller. The controller then has 30 days to cure the violation and provide the Attorney General with an "express written statement that the alleged violations have been cured and that no further violations shall occur." The Attorney General may fine them up to $7,500 per violation if the controller fails to cure the violation.

Steps for businesses that receive a request to exercise CDPA

Businesses must develop processes to allow consumers to exercise their rights. These provisions closely replicate the California requirements and will be easy for companies already in compliance with CCPA to implement.

  • Businesses have 45 days to respond:Businesses which are affected by the Act must respond to requests by consumers to exercise these rights without “undue delay” and in all cases within 45 days of receipt. An additional 45-day extension is available if it is deemed reasonable for the business to comply. In this case, the business must reply to the consumer during the first 45-day period and explain the reason for the delay.
  • Two free inquiries annually for each consumer:Consumers may query their data twice a year to a business, but the business may charge a reasonable fee to cover administrative costs if the requests are excessive, manifestly lacking ground or repetitive (more than the two free requests per year).
  • Ability to decline to respond: If the business cannot authenticate the consumer’s identity, if the data requested is not of a nature that is subject to the Act (employment data, for example), the business may decline to take the action requested by the consumer. In such situations, the business must provide both the reason for declining and the instructions about how to appeal the decision, all within 45 days of receipt of the initial request from the consumer. Appeals must be decided within 60 days of receipt and a written explanation must be provided to the consumer, together with a method (online or otherwise) for the consumer to contact the Attorney General to submit a complaint.
  • Contractual Control of Downstream Processors: CDPA enshrines the concept already incorporated into both GDPR and CCPA (and in other state data security laws), that controllers are responsible for their vendors or other third parties (“processors”) with whom they share personal data. CDPA requires that there must be a contract between any controller and processor, and that it must include, at a minimum, provisions that address:
  • The type of personal data to be shared;
  • The duration of the processing;
  • A duty to maintain the confidentiality of the personal information by both parties;
  • Instructions detailing the processing to be done by the recipient of the personal data;
  • An obligation for the processor to delete or return the data to the controller at the end of the services unless the processor is legally required to retain it;
  • A right of the controller to assess the processor’s policies by itself, or by using a designated assessor, and its technical and organizational measures with respect to compliance with the Act and the right of the controller to receive a report on same requiring the processor to flow down these obligations to downstream vendors and subcontractors.

A contract for services involving personal data cannot be handled with a simple purchase order. Companies subject to the Virginia Act will need to have standard personal data contract language with any vendor.