March 4, 2021
On Tuesday, March 2, 2021, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (“CDPA”) into law, making Virginia the second state in the nation to adopt its own “comprehensive” data privacy law. The CDPA combines elements of the California Consumer Privacy Act (“CCPA”) and the EU’s General Data Protection Regulation (“GDPR”). The CDPA will go into effect on January 1, 2023, the same effective date as the California Privacy Rights Act (“CPRA”), which will strengthen California’s current data privacy framework under CCPA.
Virginia’s CDPA establishes a “comprehensive” framework governing the collection and use of “personal data” of Virginia residents (“consumers”). It applies to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Although this scope definition is structured like the CCPA’s definition of “business,” the CDPA does not contain an “annual revenue” threshold.
Below, we highlight some key features of and compliance obligations under the CDPA—some of which are lessons learned from the CCPA regulations. As we will discuss further, there will not be any regulations promulgated by the Attorney General, leaving organizations with only the law for any guidance on compliance requirements.
A. Personal Data and Sensitive Data
The CDPA protects not only “personal data” but also “sensitive data,” which includes (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (3) personal data collected from a known child younger than 13 years of age; and (4) precise geolocation. This list parallels the “special categories of personal data” under Article 9 of the GDPR and is broader than most other state or federal privacy-related laws and regulations currently found in the U.S.
It is notable that the CDPA applies not only to entities that conduct business in Virginia but also to any organization, regardless of location, that handles personal data of Virginia residents, encompassing quite a broad range of potentially affected entities. Entities subject to the CDPA should endeavor to conduct data mapping at an early stage to identify the scope and types of sensitive data they may have. Wide-scale data mapping should be followed by establishing corresponding policies to appropriately handle this data and reviewing contracts to ensure that necessary obligations are passed down to vendors.
B. Controller and Processor
The CDPA adopts GDPR’s concepts of “controller” and “processor.” Controller (the CDPA equivalent of CCPA’s “service provider”) is “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data” and processor is a “natural or legal entity that processes personal data on behalf of a controller.” Controllers must limit their personal data collection to what is “adequate, relevant, and reasonably necessary in relation to” the purposes for which the data is processed, and the controller must disclose those specific purposes of processing, among other things, to Virginia consumers in its privacy notice. The CDPA also requires a controller to enter into a contract with a processor outlining not only the nature, purpose, and duration of data processing, but also the obligations and responsibilities of both parties, similar to the requirement set forth under Article 28 of the GDPR.
Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect personal data; obtain a consumer’s consent before processing any sensitive data concerning the consumer; and inform the consumer of any “sale” of personal data to third parties or processing of personal data for targeted advertising, and the manner in which a consumer may exercise the right to opt out (see Section D below).
C. Applicable Exceptions
There are fewer exemptions under the CDPA that organizations can leverage than under the CCPA. Under the CDPA, personal data subject to certain federal privacy laws including, among others, HIPAA, the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act, are exempt. The CDPA also expressly provides some context-specific exemptions, such as those in the employment context. Notably, the CDPA definition of “consumer” excludes individuals “acting in a commercial or employment context,” which is broader in scope than the business-to-business exception for employee personal data found in the CCPA. Additionally, the CDPA does not apply to “(i) [any government body] of the Commonwealth; (ii) financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); (iii) covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5); (iv) nonprofit organizations; or (v) institutions of higher education.”
D. Consumer Rights and Enforcement
Virginia consumer rights under the CDPA include the right to delete, access and correct personal data, data portability, and non-discrimination for consumers exercising their CDPA rights. Additionally, Virginia consumers may opt out of (i) the processing of their personal data for targeted advertising, (ii) sale of their personal data to third parties, and (iii) “profiling in furtherance of decisions that produce legal or similarly significant effects” for the consumer. The CDPA does not grant consumers a private right of action; instead, similar to HIPAA, the Attorney General has the exclusive authority to enforce violations of the CDPA. Similar to the CCPA, any violation may be cured within 30 days of written notice of the violation from the Attorney General, but if a controller fails to cure the violation, the Attorney General may issue a fine of up to $7,500 per violation.
As mentioned above, unlike the CCPA, the CDPA does not authorize the Attorney General to promulgate regulations on how organizations may implement compliance measures. In essence, the Virginia legislature has had the final word on the CDPA. In the near term, guidance for organizations as to how the new Virginian consumer data protection framework should be implemented will therefore be found in legislative history, at least until courts are asked to rule on disputes regarding the CDPA.
Given the potentially wide-ranging application of privacy protections established by the CDPA, organizations covered by the CDPA should begin to consider necessary internal measures to achieve compliance. Organizations that have already invested in CCPA/CPRA and GDPR compliance may apply lessons learned from these laws, and should take steps such as starting the data mapping process, organizing and reviewing service provider agreements, and reviewing and amending public-facing privacy policies or notices.
Please contact Linda A. Malek at lmalek@MOSESSINGER.COM, Jason E. Johnson at jjohnson@MOSESSINGER.COM or Kiyong Song at ksong@MOSESSINGER.COM if you have any questions regarding Virginia’s Consumer Data Protection Act.