Virginia Poised to Enact Comprehensive Consumer Privacy Law
Virginia's legislature has set the stage for the Commonwealth to join California as one of two states with comprehensive consumer privacy legislation. The Virginia Consumer Data Protection Act (VCDPA) pulls certain policy concepts from each of the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) (which amended and supplemented the CCPA), the EU General Data Protection Act (GDPR), and the proposed Washington Privacy Act (WPA)—but is not a copycat of any of these laws.
The bill received overwhelming support in the Virginia General Assembly, passing the Senate by a vote of 32-7, and the House by a vote of 89-9. If Governor Ralph Northam signs the bill or fails to act on it within seven days, it will become law and go into effect on January 1, 2023—the same day as the CPRA. The Virginia Attorney General has sole enforcement authority after giving a business 30 days to cure an alleged violation and may seek injunctive relief and significant civil penalties of up to $7,500 per violation. The law does not contain a private right of action.
The VCPDA does not provide for rulemaking, though it does direct the Chairman of the General Assembly's Joint Commission on Technology and Science to create a working group of government officials, business representatives, and privacy advocates to produce recommendations related to implementation of the act by November 1, 2021.
How Is the VCDPA Different From the Laws That Inspired It?
The VCDPA uses the GDPR's terminology (e.g., controller, processor, personal data) and adopts the principle of data minimization, but it does not impose some of the GDPR's more onerous obligations such as requiring controllers to establish a lawful basis for processing, appoint designated data protection officers, or implement privacy-by-design.
The VCDPA offers the same standard consumer rights (access, deletion, correction, and opt out of sale and targeted advertising) as the CPRA. And like the CPRA, it requires that controllers conduct data protection assessments for high-risk processing activities.
The scope of such assessments is unclear, however. The VCDPA expressly requires such assessments for targeted advertising, profiling, sales of personal data, the use of sensitive data, and activities that "present a heightened risk of harm," suggesting that there are processing activities beyond the listed activities for which companies will need to conduct assessments.
But while the contours of these risk assessments under the CPRA can be established through rulemaking, there is no such process in the VCDPA. Therefore, companies doing business in Virginia will need to look elsewhere to determine what processing activities Virginia regulators might deem "high risk."
Another key distinction is that the VCDPA imposes a more expansive obligation regarding "sensitive data" than the CPRA. Specifically, the VCDPA will require opt-in consent for the processing of "sensitive data," which is:
- (1) Personal data revealing "racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;"
- (2) Biometric data used "for the purpose of uniquely identifying a natural person;"
- (3) Data collected from a known child; or
- (4) Precise geolocation data. By contrast, the CPRA adopts an opt-out regime for "sensitive data," giving consumers the right to limit the processing of "sensitive personal information," but only when controllers process such data for profiling.
The VCDPA is similar to the draft WPA which is currently being debated in the Washington State Legislature. The biggest difference between the two is that the WPA adds a section related to privacy of health data in a public health emergency.
What Information Would Be Subject to the VCDPA?
The VCDPA applies to "personal data," defined as "any information that is linked or reasonably linkable to an identified or identifiable natural person." This is similar to the definition of personal data under the GDPR but narrower than the very expansive definition of "personal information" under the CCPA.
Data is out of scope if it has been properly de-identified or if it is publicly available either because it came from a government record or because it was lawfully made available to the general public through "widely distributed media" or the consumer. The VA CDPA defines "publicly available" in a similar manner to CPRA but, like the California law, does not define "widely distributed media." Thus, it is not clear which information available to the public on the internet would satisfy the definition.
Employee data is exempt, as is data processed or maintained in the context of an individual acting as an employee of a third party.
What Organizations Are Covered?
Businesses are subject to the VCDPA if they meet either of two criteria:
- (1) Control or process personal data of at least 100,000 Virginia residents during a calendar year; or
- (2) Control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data.
Non-profits, government agencies, and institutes of higher education are exempt, as are institutions regulated by certain federal privacy laws. The VCDPA will apply to businesses that produce products and services targeted to Virginia residents regardless of whether they do business in Virginia, potentially making the law applicable to national or global businesses.
What Rights Do Consumers Have?
Under the VCDPA, consumers have the right to:
- Access personal data that a business processes about them;
- Correct inaccuracies in that data, taking into account the nature of the data and the purpose of the processing;
- Delete personal data provided or obtained about the consumer, subject to certain exceptions;
- Opt out of the sale of personal information, processing of personal information for targeted advertising, and profiling that produces legal or similarly significant effects; and
- Opt in to the processing of sensitive data, unless the processing activity is an internal operation "reasonably aligned" with the expectations of the consumer or in furtherance of provision of a product or service specifically requested by the consumer.
The consumer's ability to exercise these rights is limited by a number of exceptions, such as a business's ability to use personal data for security purposes.
The VCDPA requires businesses to let individuals opt out of the sale of personal data to third parties as well as "targeted advertising," regardless of whether data is shared in order to deliver the ad. To the extent that cookies are used to facilitate advertising on third-party platforms, businesses will have to offer consumers the ability to opt out.
A business could still use the personal data of an individual who opted out to deliver advertisements directly (e.g., through email or mail), or for the purpose of ad attribution. And if the business sells display ads, contextual advertising based solely on the content of the page which the individual visited, or the individual's activity on only that platform is outside the scope of the definition of "targeted advertising" and, therefore, not subject to an opt-out. Though the consumers' rights with regard to advertising are worded differently in the CPRA, the scope of the opt-outs in each law is quite similar.
Even if a consumer does not opt out of targeted advertising, however, businesses may still need to curtail their advertising activities. As noted above, the VCDPA requires businesses to obtain opt-in consent before processing a consumer's "sensitive data." Businesses should consider whether any advertising profiles they develop or use may be based on web-browsing activity that would reveal "sensitive data" and, if so, ensure that they obtain any necessary consents.
Finally, to the extent that a business shares de-identified or pseudonymous data with processors for purposes of advertising, it will have a new requirement to exercise "reasonable oversight" to "monitor compliance" with any contractual commitments to which such data are subject and take appropriate steps to address any non-compliance with such obligations.
What Data Management Obligations Does My Organization Face Under the VCDPA?
To meet the requirement of data minimization, organizations will have to tighten their data retention policies and ensure that personal data is, in fact, securely disposed of when it reaches the end of its retention period.
Though the VCDPA does not explicitly require a processing register, businesses would do well to maintain a data inventory and some baseline process for identifying the risk of processing activities in which the business engages in order to demonstrate compliance with notice, data minimization, and data protection assessment requirements.
What About Companies Subject to HIPAA/GLBA/FCRA, etc.?
Financial institutions and entities covered by HIPAA's privacy, security, and breach notification requirements are exempt from the VCDPA entirely. This is a broader exemption than exists under the CCPA/CPRA, which subject such entities to the law to the extent they process data that is not covered by the specific federal laws.
The VCDPA also offers additional exceptions for protected health information processed by other entities as well as information protected under the GLBA, FERPA, FCRA, or the Drivers' Privacy Protection Act. Data that has been de-identified pursuant to the procedures set forth in HIPAA is also exempt.
My Company Is Subject to the VCDPA. What Do I Do Now?
Take two aspirin and call your DWT attorney in the morning.
The VCDPA is not a significant departure from the CPRA, but the two collectively could have significant operational impact, particularly on data analytics and advertising activities. Businesses should not delay in conducting gap assessments to create compliance to-do lists.