Proposed state data privacy laws are springing up across the country as states race to enact comprehensive data privacy laws and regulations. California passed the highly anticipated California Consumer Privacy Act (CCPA) in 2018. This November, the state significantly amended the CCPA when state voters passed the California Privacy Rights Act (CPRA), which goes into effect on Jan. 1, 2023. California has long been the lone state with a comprehensive data privacy law in the U.S. However, on March 2, 2021, Virginia Governor Ralph Northam signed the comprehensive Virginia Consumer Data Protection Act (VCDPA). The VCDPA will go into effect on January 1, 2023.
Scope of the VCDPA (§59.1-572)
The VCDPA applies to the personal information of “consumers.” A “consumer” is defined as “a natural person who is a resident of the Commonwealth acting only in an individual or household context.” The consumer definition in the VCDPA “. . . does not include a natural person acting in a commercial or employment context.”
The VCDPA is applicable only to persons and entities that conduct business in the Commonwealth of Virginia or produce products or services that target residents of the Commonwealth. Additionally, to be subject to the VCDPA, a business must either (1) control or process the personal data of at least 100,000 consumers during a calendar year or (2) control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
The VCDPA is not applicable to any “(i) body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth; (ii) financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); (iii) covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (P.L. 111-5); (iv) nonprofit organization; or (v) institution of higher education.”
Additionally, VCDPA §59.1-572(C) outlines a large amount of data that is not subject to its scope, such as health information protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and several other types of health records and documents covered under federal law. The VCDPA also does not cover information regulated under the federal Fair Credit Reporting Act (FCRA), personal data collected, processed, sold or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA), and personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act (FCA).
Enforcement and Right to Cure (§59.1-579-80)
The Virginia Attorney General’s office has “exclusive authority” to enforce the VCDPA. The Attorney General has the authority to initiate a “civil investigative demand” if there is “reasonable cause” that a person is engaged, has engaged or is about to engage in a violation of the VCDPA. Additionally, unlike under the CCPA and CPRA, consumers have no private right of action for data breaches.
In the event a potential violation is identified, the Virginia Attorney General’s office shall “provide a controller or processor 30 days written notice identifying the specific provisions … being violated.” If a Business cures the noticed violation and provides the Attorney General with an express written statement that alleged violations have been cured and no further violations shall occur, no action for statutory damages shall be initiated against the Business. Businesses that continue to violate the law in breach of an express written statement to the Attorney General or that fail to cure noticed violations during the 30-day cure period are subject to an injunction and up to a $7,500 fine per violation. The Virginia Attorney General can also recover reasonable expenses incurred in investigating and preparing its case, including attorney fees. All civil penalties collected will be paid into a Consumer Privacy Fund, which shall be used to support the work of the Virginia Attorney General in enforcing the law.
Key Terms Defined (§59.1-571)
The VCDPA defines “personal data” broadly, as do the CCPA and CPRA. “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The VCDPA also clarifies that “‘personal data’ does not include de-identified data or publicly available information.”
The VCDPA also includes a subcategory of personal data called “sensitive data” which is defined as: “1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person; 3. The personal data collected from a known child; or 4. Precise geolocation data.”
All processing of sensitive data requires consent from the consumer (§59.1-574(A)). The VCDPA defines “consent” as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”
Controller and Processor Obligations (§59.1-574-75)
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice including: (1) The categories of personal data processed; (2) The purposes for processing; (3) How consumers can exercise their rights; (4) The categories of personal data the controller shares with third parties; (5) The categories of third parties with whom the controller shares personal data; and (6) The manner in which consumers may submit consumer rights requests. Controllers are required to “clearly and conspicuously” disclose any selling of personal data to third parties or processing of personal data for targeted advertising, as well as the manner in which a consumer may opt out of such processing.
Processors, defined as “a natural or legal entity that processes personal data on behalf of a controller,” are required to adhere to controllers’ instructions and assist controllers in accomplishing their obligations, including assisting with consumer rights requests, secure processing of personal data, notification of breaches, and data protection assessments.
Consumer Personal Data Rights (§59.1-573)
The VCDPA sets forth a comprehensive list of consumer personal data rights that is similar to what is provided for in the CPRA. VCDPA consumer rights include rights to:
- Know and access personal data;
- Correct inaccuracies in personal data;
- Delete personal data;
- Personal data portability;
- Opt out of targeted advertising;
- Opt out of the sale of personal data; and
- Opt out of consumer profiling that results in legal or similarly significant effects concerning the consumer.
Targeted Advertising Limitations (§59.1-571, 573)
As noted above, the VCDPA allows consumers to opt out of targeted advertising. Under the VCDPA, “targeted advertising” is defined as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.” Targeted advertising does not include any advertisements based on activities within a controller’s own websites or online applications or the context of a consumer’s current search query, a visit to a website, or online application. Targeted advertising also does not include advertisements directed to a consumer in response to the consumer’s request for information or feedback or personal data processed solely for purposes of measuring or reporting advertising performance, reach, or frequency.
Data Protection Assessments (§59.1-576)
The VCDPA requires entities covered by the law to conduct data protection assessments under specified circumstances. These assessments help processors identify and minimize the data breach risks of a transaction or project. Data protection assessments must be done when:
- Personal data is processed for targeted advertising;
- Personal data is sold;
- Sensitive personal data is processed;
- Processing for purposes of profiling where profiling presents a reasonably foreseeable risk in specified areas; or
- Any personal data processing activities that present a heightened risk of harm to consumers.
The data protection assessments “. . . shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.” When conducting a data protection assessment, the controller must factor in “[t]he use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.”
Data Processing Contracts (§59.1-575)
The VCDPA requires that a contract governing the processor’s handling of personal data be formed between the controller and processor before any personal data is processed. These contracts must include terms relating to the following topics:
- Controller’s instructions for processing personal data;
- Nature and purpose of personal data processing;
- Planned duration of processing;
- Type of data subject to processing;
- Duration of the processing;
- Rights and obligations of both parties;
- Provision describing the duty of confidentiality with respect to the personal data;
- Deletion or return of all personal data at the end of the provision of services (at the controller’s direction and unless retention is required by law);
- Provision of information necessary to demonstrate processor’s compliance with the VCDPA;
- Cooperation with reasonable assessments of policies and technical and organizational measures demonstrating compliance with VCDPA obligations; and
- Engagement of subcontractors pursuant to written contracts that comply with the VCDPA.
The VCDPA mirrors aspects of both the CCPA and the GDPR, but varies enough from both laws that compliance with either law will not equate to compliance with the VCDPA. Businesses that conduct business in the Commonwealth of Virginia or produce products or services that target residents of the Commonwealth should begin preparing to meet their compliance obligations under the VCDPA.
Fey LLC will continue to closely monitor developments in state, federal, and global privacy laws and regulations. To ensure you don’t miss out on any articles and alerts we prepare on this or other significant data protection laws and developments, you can follow our LinkedIn page here.
Will Davis, a law clerk with Fey LLC and a law student at the University of Florida-Levin College of Law, and Keith Geekie, an information analyst with Fey LLC, contributed to this post.