Today, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (SB 1392) into law, making Virginia the second state after California to enact major privacy legislation. Like the recently approved California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act, the Virginia Consumer Data Protection Act (“CDPA”) also becomes effective January 1, 2023. But the similarities to California law don’t end there. There is considerable overlap between the CDPA and the CCPA and CPRA, on the one hand, and between the CDPA and the European General Data Protection Regulation (“GDPR”), on the other hand. However, there are also important distinctions between the CDPA and those laws that make it unique. This blog post tracks some of the CDPA’s key features, and notes where they align with or depart from existing law.
Applicability, Personal Data, and Exemptions:
The CDPA is akin to the CCPA in that both have certain threshold requirements that trigger applicability. With the CDPA, the law applies to “persons that conduct business within [Virginia] or that produce products or services that are targeted to [Virginia] residents” and that:
- During a calendar year, control or process personal data of at least 100,000 consumers; or,
- Control or process the personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data.
Similar to the CCPA, CPRA, and GDPR, Virginia’s law includes a broad definition of personal data: “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This definition does not include de-identified data, or publicly available information. “Publicly available information” is defined to include information that is “lawfully made available through federal, state, or local government records” and “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by the person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”
The exemptions from the CDPA are more extensive than those in the CCPA or CPRA. Exempt from the CDPA are:
- government entities;
- data collected in the employment context;
- covered entities in regulated sectors and certain related data, including data and covered entities governed by the Health Insurance Portability and Accountability Act (HIPAA), and financial institutions and data governed by the Gramm-Leach-Bliley Act (GLBA);
- information governed under the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), the Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act (FCA), and the Children’s Online Privacy Protection Act (COPPA); and
- identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as a part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for the Harmonization of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.
Similar to the rights granted by the GDPR and the CCPA/CPRA, the CDPA grants consumers the rights to: 1) access personal data; 2) correct personal data; 3) delete their personal data; 4) obtain their data in a portable and readily useable format; and 5) opt-out of the sale of personal data, targeted advertising, and “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Profiling is defined as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
Borrowing most directly from the GDPR, the CDPA establishes “controller” and “processor” roles to distinguish between entities that are responsible for determining the purposes and means of processing personal data (i.e., controllers) and those entities that process personal data on their behalf or at their direction (i.e., processors). (Side note from my colleague Tanya Forsheit – it would have been nice if the CCPA had done that, too.) The CDPA sets out several obligations for both controllers and processors. Notably, controllers will be required to set out in a privacy notice the categories of personal data shared with third parties (defined as entities other than the consumer, controller, or processor); the categories of third parties with whom personal data is shared; and, if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must also clearly and conspicuously disclose that processing and the manner in which a consumer may exercise the right to opt out.
Another concept that the CDPA shares with the GDPR is the CDPA’s requirement that controllers obtain consumers’ “freely given, specific, informed, and unambiguous” consent prior to processing “sensitive data.” Sensitive data, which is defined separately from personal data, means: 1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 2) genetic or biometric data processed for the purpose of uniquely identifying a natural person; 3) personal data collected from a known child; or 4) precise geolocation data. (A “child” means any natural person younger than 13, as in COPPA.) Notably, while this definition of sensitive data approximates that of the CPRA, the CPRA will require businesses to provide consumers with the ability to opt out of (or limit) the processing of sensitive data, while the CDPA and the GDPR require opt-in consent.
Data Protection Assessments:
Data protection assessments are required by the CDPA, as they are under the CPRA and GDPR, when a controller/business processes personal data in specific contexts. Under the CDPA, those contexts include: 1) processing personal data for targeted advertising; 2) selling personal data; 3) processing personal data for purposes of profiling that creates a “reasonably foreseeable risk” of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers; 4) processing sensitive data; or 5) otherwise engaging in any processing activity that creates a “heightened risk of harm” to consumers.
Enforcement and Lack of Private Right of Action:
There is no private right of action created by the CDPA; it is enforceable only through civil actions brought by the Virginia Office of the Attorney General. Like the CCPA, the CDPA includes a 30-day cure provision for covered businesses to address alleged violations of the act (though the CPRA will remove that cure period). A controller or processor who fails to cure may face civil penalties of up to $7,500 per violation, and may have to pay reasonable expenses incurred by the Attorney General in investigating and preparing the case, including attorney’s fees.
While the addition of the CDPA to an already complex patchwork of state, federal, and international laws will present compliance challenges to some businesses, those businesses that have already developed CCPA and GDPR compliance programs should not have to completely re-invent the wheel, given the overlap between the CDPA and those laws. The effective date of January 1, 2023 should also provide a comfortable runway for companies to become compliant.
Still, several other states, including Connecticut, New York, Minnesota, Washington, and more, also have privacy legislation being considered in their respective legislatures. Virginia may spur other states to enact that legislation, and if they do, this in turn will increase the pressure on Congress to pass an omnibus federal privacy law. If and when any of that legislation advances, we’ll be sure to post about it here.
I continue to struggle with the notion of how an organization that does not collect address information (and most don’t) is supposed to operationalize a program that distinguishes between CA residents, on the one hand, and VA residents, on the other. Particularly for any players in the ad tech ecosystem – publishers, advertisers, agencies, and ad tech companies – is there really any practical significance of each state passing its own law, particularly if they are less strict than existing CA law? I don’t see it. Those organizations will have to operationalize compliance by choosing the most stringent restriction from those offered by the states whose laws have come into effect come January 1, 2023 (or before). And it is not all CA – as noted above by Elliott, Virginia requires opt-in for sensitive information; CA is opt-out. Stay tuned.