With Virginia Gov. Ralph Northam’s signature on March 2, 2021, Virginia, a bit surprisingly, became the second state to set comprehensive rules for how companies handle and share personal information. Virginia’s Consumer Data Protection Act (CDPA) will go into effect on Jan. 1, 2023, incidentally the same day as the California Privacy Rights Act (CPRA), a ballot measure that will strengthen the landmark California Consumer Privacy Act (CCPA). While Virginia’s CDPA and California’s CCPA share several features, each law takes a somewhat different approach.
As a starting point, Virginia’s CDPA will largely avoid the “moving target” issue created by multiple rounds of rulemaking and revisions in California and may provide a clearer model for other states considering similar legislation. However, the CDPA certainly adds some complexity to the confusing and, at times, contradictory patchwork of data and information privacy laws. For businesses that fall within its scope, the CDPA’s implementation will add several distinct compliance requirements to any privacy program, requirements that should be addressed well in advance of the 2023 effective date.
Extraterritorial reach with broader sectoral exemptions
Like California’s CCPA, if certain thresholds are met, the CDPA’s reach will extend beyond Virginia. Once effective, the CDPA will apply to any entity that conducts business in Virginia and either (i) controls or processes the personal data of at least 100,000 consumers (defined as Virginia residents) or (ii) controls or processes the data of at least 25,000 consumers and generates 50 percent or more of its gross revenue from the sale of personal data. Yet, despite its extraterritorial reach, Virginia’s CDPA appears to have been purposefully crafted to avoid imposing obligations on small businesses and non-profits. Further, compared to California’s CCPA, the CDPA also includes a broader sectoral exemption for Gramm-Leach-Bliley Act (GLBA) regulated financial institutions, not just GLBA regulated information.
Compared to the CCPA, the CDPA also has different definitions for several key terms, making operational compliance slightly more complex for companies with existing CCPA programs. Even if a business has already evaluated the applicability of California’s CCPA, variations mean that it will be important for businesses to undertake a similar evaluation for Virginia. For example:
- Personal Data: the CDPA definition includes “any information that is linked or reasonably linkable to an identified or identifiable natural person.” What information is “reasonably linkable” to a natural person will depend on the circumstances, and privacy programs will need to account for this element. However, unlike the fairly unclear provisions of California’s CCPA, the CDPA definition only applies to consumer data and completely excludes employee data, business-to-business data, de-identified data and publicly available information, as well as the ambiguous linkable to a “household” language found in California’s CCPA.
- Sale: under the CDPA, sale means the exchange of personal data for monetary consideration by a controller to a third party and excludes transfer to affiliates. In comparison, this avoids the open-ended “other valuable consideration” component found in the CCPA and CPRA.
- Pseudonymous Data: unlike California’s CCPA, where this type of data may qualify as personal information, the CDPA exempts pseudonymous data from consumer rights requests. Pseudonymous data (generally defined by the CDPA as personal data that cannot be attributed to a specific person without the use of additional information) must be kept separately and subject to effective technical and organizational controls that prevent the controller (defined as any person or entity that “determines the purpose and means of processing personal data”) from accessing such information. However, the CDPA places an operational burden on controllers who disclose pseudonymous data to ensure controls are established and documented. Additionally, controllers who wish to use the exemption covering pseudonymized data must monitor any downstream recipients and ensure controls are observed—an element which might present significant operational challenges if data is widely dispersed.
- Sensitive data, opt-in for processing: the CDPA does not include financial information in its definition of sensitive data. However, the CDPA includes racial or ethnic origin, religious beliefs, mental and physical health diagnosis, and precise geolocation in its definition of sensitive data. In turn, this broad definition may create a challenge for entities subject to the CDPA because sensitive data is subject to an opt-in requirement for processing. That said, because the CDPA defines this term more precisely and does not include elements like contents of communications, email account credentials, philosophical beliefs or union membership found in California’s CCPA and CPRA, the universe of sensitive data under the CDPA is narrower.
CDPA consumer rights and opt-out requirement
For entities that will fall within its reach, the CDPA grants consumers the right of access, correction, deletion, portability and the right to opt out of the processing of personal data for certain purposes. Notably, however, access, deletion and portability rights do not apply to pseudonymous data. Additionally, the CDPA’s opt-out right is somewhat more specific than the opt-out right found under California’s CCPA and CPRA. Specifically, the CDPA grants opt-out rights only for:
- Targeted advertising;
- The sale of personal data; and
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (e.g. data used to make determinations for granting or denying items like financial services, housing, insurance, education enrollment, employment opportunities and health care services).
Operational impact for businesses that will be subject to the CDPA
Given its reach and the rights granted to consumers, the CDPA will involve additional operational challenges for businesses that fall within its scope. In relation to California’s CCPA, the comparatively broader affirmative consent or opt-in requirement means businesses will need to present consumers with a means to consent before any collection or processing of “personal data.” Similarly, the right to opt out of targeted advertising, sales of personal data and profiling decisions that produce legal or similarly significant effects will require establishing processes to follow through on consumer requests. Further, this opt-out right, combined with the right to deletion of personal information not only collected from, but also “obtained about,” a consumer and the opt-in requirement for data processing, will require a significant degree of data structuring and retrievability. Businesses should also be aware of several other CDPA compliance requirements that may have an operational impact.
Conspicuous notice of and mandatory right to appeal: Related to consumer requests, the CDPA will require that controllers establish an appeals process for refusal to take action on a consumer’s request. As part of the process, within 60 days of receipt of an appeal, a controller must provide a written description of any action taken or not taken in response to the appeal and must include an explanation. Additionally, the appeals mechanism must inform the consumer of the option and method to file a complaint with the Virginia attorney general. Compliance with the “right to appeal” mandate may require changes to automated processes that many companies have implemented to handle consumer requests. In other words, establishing an appeals mechanism may well require additional compliance costs for human review of responses to consumer appeals.
Data protection assessments and legal privilege: Beyond California’s CCPA and more akin to Europe’s GDPR, Virginia’s CDPA mandates that covered entities conduct internal impact assessments on the risks posed by certain activities related to personal data and potential mitigation steps. Specifically, data protection assessments will require a cost-benefit analysis when processing of personal data constitutes:
- Targeted advertising;
- A sale of personal data;
- Processing of sensitive data; or
- Profiling that presents:
  - A reasonably foreseeable risk of unfair or deceptive treatment;
  - An “intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person;” and
- Other processing that presents a “heightened risk of harm to consumers.”
Notably, these assessments can be developed with the benefit of legal privilege and, although the Virginia attorney general may obtain a copy by issuing a civil investigative demand, privilege is not waived if this occurs.
Contractual and vendor impacts: Somewhat in line with Europe’s GDPR and California’s CPRA, entities that process personal data on behalf of a controller must adhere to controller instructions. This will help to ensure downstream compliance with, for example, controls for the treatment of pseudonymous data. In turn, to satisfy its obligations under the CDPA, upon controller request, a processor must demonstrate compliance with its obligations (including contractual agreements with the controller) and cooperate with or furnish an independent assessment of the processor’s control framework. Consequently, the CDPA will likely require changes to vendor agreements and management programs as they relate to data processing.
Enforcement of the CDPA and conclusion
Only the Virginia attorney general is authorized to take civil action against controllers and processors for violations of the CDPA. Subject to a 30-day cure period, the attorney general can levy fines of up to $7,500 per violation. While the law explicitly precludes a private right of action, even where an entity just meets the jurisdictional threshold for application of the CDPA, the specter of potentially heavy fines will certainly provide an incentive to ensure compliance.
Taking a step back, additional broad, multi-right and comprehensive privacy legislation will almost certainly come to fruition. While Virginia is only the second state to enact such a law, other states are considering similar provisions. Colorado, Connecticut, Florida, New York, Minnesota, Oklahoma, Ohio and Washington each have privacy bills working their way through the legislative process. The CDPA certainly adds further complexity to a patchwork of requirements and exceptions, but given the halting and ambiguous rollout of California’s CCPA, Virginia’s CDPA might provide a more stable and predictable model of legislation to come. Nevertheless, absent some major shift towards uniformity or federal legislation, the expanding patchwork of privacy laws may push businesses further away from a jurisdiction-by-jurisdiction strategy toward a global streamlined approach to privacy and data protection—albeit one that requires local variation.