Virginia has joined California as the second state to enact a comprehensive data privacy law. On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. The VCDPA does not go into effect until January 1, 2023, but the broad privacy mandate will have an immediate impact on compliance efforts for many Virginia businesses.
The law includes elements similar to those found in the California Consumer Privacy Act (CCPA) and the newly enacted California Privacy Rights Act (CPRA), such as provisions granting Virginia residents the right to access, correct, delete, know about, and opt out of the sale and processing of their personal information for “targeted advertising” purposes. Similar to the European Union’s privacy analog, the General Data Protection Regulation (GDPR), the VCDPA imposes data security and consumer response obligations on the data “controller” and “processor” for certain businesses handling personal data belonging to Virginia consumers. However, the VCDPA differs from the CCPA, CPRA, and GDPR in several notable ways. Most importantly, unlike the CCPA, the VCDPA does not apply to employee data and does not create a private right of action for protected consumers.
Entities and Individuals Covered Under the VCDPA
The VCDPA applies to entities conducting business in Virginia or producing products or services targeted at Virginia residents “that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” The delineated scope is broad, covering most entities regularly engaged in consumer transactions involving residents within the Commonwealth. The law includes a carve-out for certain categories of businesses, including state entities; nonprofits; higher education institutions; and entities that are governed by federal privacy regimes such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Health Information Technology for Economic and Clinical Health Act.
The rights granted under the VCDPA apply to a “consumer,” which is defined as “a natural person who is a resident of the Commonwealth acting only in an individual or household context.” As noted above, this definition expressly excludes “a natural person acting in a commercial or employment context.” This broad exclusion appears to avoid many of the headaches created by privacy compliance requirements in the employment context.
Potential Ambiguity in Coverage Regarding Some Employment Data
It should be noted that the rights granted to consumers under the VCDPA include the right to opt out of processing of personal data for “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Under the privacy law, the phrase “decisions that produce legal or similarly significant effects” encompasses a decision made by the controller that “results in the provision or denial by the controller of … employment opportunities.” The definition of “consumer”—which expressly excludes individuals in the “employment context”—may prevent the opt-out right from being applied to employers handling data from applicants or employees. However, Virginia employers may want to note the potential ambiguity and evaluate it as the effective date of the VCDPA approaches.
Information Covered and Rights Created Under the VCDPA
Notwithstanding the exception for employment data, Virginia employers—especially those doing business with Virginia consumers—may want to be mindful of the information covered and rights created by the VCDPA. The law identifies the following categories of information as falling within its purview:
- “Personal data” is defined broadly to include “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes employment data, pseudonymous data (a GDPR-borrowed term to mean personal data that cannot be attributed to an individual “without the use of additional information”), and “de-identified data or publicly available information.”
- The VCDPA also sets out specific protections and responsibilities for the processing of “sensitive data,” which includes “[p]ersonal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status”; “genetic or biometric data” processed “for the purpose of uniquely identifying a natural person”; “personal data collected from a known child”; “and [p]recise geolocation data.” Before processing sensitive data, a “controller” under the VCDPA must obtain consent—defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”
The VCDPA also enumerates a series of consumer rights and associated obligations for those entities handling consumer information. Consumers have the rights to:
- access, correct, and delete information, and have a secure and reliable means for exercising their rights;
- data portability (i.e., the ability to move personal data from one environment to another without affecting its usability);
- protection from discrimination based on exercising the rights created by the VCDPA; and
- opt out of the sale and processing of personal data. Of note, the right to opt out of any processing of personal data goes beyond the protections afforded under the CPRA and includes the right to opt out of any processing for the purpose of “targeted advertising” or “profiling … [for] decisions that produce legal or similarly significant effects.”
Consumers also have the right to appeal a denial of an attempt to exercise rights under the VCDPA. A business must respond to any consumer request made under the VCDPA “within 45 days of receipt of the request.” Where reasonably necessary, the business may then extend the response deadline by an additional 45 days, so long as the business notifies the consumer within the initial response window. If a business fails to do this, the VCDPA mandates that the “controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision.” If the appeal is denied, the law requires the controller to inform the consumer regarding how to submit a complaint to the Virginia attorney general.
Security, Transparency, and Notice Obligations for Controllers and Processers
Like the CCPA and GDPR, the VCDPA directs controllers to implement security and transparency measures, including:
- restricting “collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer”;
- prohibiting processing of personal data for purposes that are inconsistent with or beyond the scope for which it was intended at the time of disclosure, “unless the controller obtains the consumer’s consent”;
- “[e]stablish[ing], implement[ing], and maintain[ing] reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data”;
- “conduct[ing] and document[ing] data protection assessments” to evaluate the risks associated with processing activities;
- entering into contracts to govern the processing of data by a third-party processor on behalf of the controller that “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties”; and
- providing consumers with a privacy notice that identifies:
- “[t]he categories of personal data processed by the controller”;
- “[t]he purpose for processing personal data”;
- “[h]ow consumers may exercise their consumer rights” under the VCDPA;
- “[t]he categories of personal data that the controller shares with third parties, if any; and”
- “[t]he categories of third parties, if any, with whom the controller shares personal data.”
Although the VCDPA does not directly impact employee data or create any private right of action, it represents a dramatic shift in Virginia’s privacy landscape that is likely to continue as Virginia and other states become increasingly active in their data security efforts.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to report on the VCDPA and any future developments involving state data privacy laws on Ogletree Deakins’ Cybersecurity and Privacy blog.