Soon-to-be enacted privacy bill will go further to protect Virginia residents, writes attorney David Oberly
UPDATE Governor Ralph Northam signed the Virginia Consumer Data Protection Act into law on March 2. The law will go into effect on January 1, 2023.
ANALYSIS State legislatures wasted no time in the beginning of 2021, introducing a myriad of privacy bills aimed at providing greater regulation over the collection and use of consumers’ sensitive personal data.
Virginia sped through the legislative process after introducing its Virginia Consumer Data Protection Act (CDPA) at the start of the year, the first consumer privacy bill passed into law in 2021.
With the CDPA, Virginia would become the second state in the nation to put in place a comprehensive consumer privacy law. It follows California’s 2018 enactment of its game-changing California Consumer Privacy Act (CCPA), which went into effect in early 2020.
Importantly, the overwhelming support received for the enactment of the CDPA provides a strong indication that 2021 may bring with it greater regulation over the use of consumer data across the US.
Who is impacted by Virginia’s CDPA?
The CDPA applies to any entity that conducts business in Virginia or produces products or services targeted to Virginia resident, and either controls/processes the personal data of at least 100,000 consumers, or controls/processes the personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data.
The CDPA classifies entities that process personal data as “controllers” and “processors”, and mandates different requirements for each. Controllers are those entities that determine the purpose and means of processing personal data, while processors merely process data on behalf of a controller.
What counts as ‘personal data’?
‘Personal data’ in this instance means any information that is linked or reasonably linkable to an identified or identifiable natural person.
Importantly, the CDPA classifies certain types of data as ‘sensitive data’, which are subject to additional requirements and restrictions not applicable to other types of personal data.
Under the law, ‘sensitive data’ includes: biometric data; precise geolocation data; data of minor children; and data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
The CDPA affords consumers five fundamental rights:
- Access: The right to confirm whether a controller is processing the consumer’s data, and access to such data.
- Portability: The right to receive data that the consumer previously provided to the controller in a portable and readily-usable format that allows the consumer to transmit the data to another controller without hinderance.
- Opt-out: The right to opt out of the processing of personal data for targeted advertising, certain profiling activities, and “sales” (as defined by the CDPA as the exchange of personal data for monetary consideration by the controller to a third party).
- Correction: The right to correct inaccurate personal data.
- Deletion: The right to delete personal data concerning the consumer.
Like the CCPA, the CDPA requires controllers to comply with consumer rights requests, including informing the consumer of any action taken in response to a request, within 45 to 90 days of receiving a request from a consumer.
To facilitate consumer requests, controllers must also establish one or more means for consumers to submit requests to exercise their consumer rights, as well as an internal appeals process for consumers to challenge refusals to take action in response to their requests.
Also like the CCPA, the CDPA requires controllers to provide notice to consumers containing, at a minimum, the following information: the categories of data processed; the purposes for processing such data; how consumers can exercise their CDPA rights; the categories of data shared with third parties; and the categories of third parties with whom the controller shares personal data.
Virginia’s CDPA is expected to come into effect in 2023
Data security measures
Controllers must first obtain consumer consent before processing any sensitive consumer data, as well as before processing data that is not reasonably necessary or different from the purposes originally disclosed to the consumer.
Controllers must maintain reasonable security measures to protect the confidentiality, integrity, and accessibility of personal data that are appropriate to the volume and nature of the personal data at issue.
Significantly, the CDPA requires controllers to complete data protection assessments (DPA) with respect to certain processing activities. The DPA must identify and weigh the benefits flowing from the processing of personal data against the associated potential risks to the rights of consumers, and may be restricted in engaging in some processing activities depending on the outcome of the assessment.
The CDPA also sets forth a range of requirements for processors of personal data, which include entering into a written contracts with controllers that set out the instructions to which the processor is bound, assisting controllers with fulfilling their obligations to respond to consumer requests, deleting or returning personal data to a controller upon request, and maintaining reasonable security procedures and practices to protect personal data.
Liability and enforcement
Fortunately for organizations that handle the data of Virginia consumers, the CDPA does not provide a private right of action for individuals to pursue litigation against entities for alleged violations of the law.
Rather, enforcement authority rests exclusively with the Virginia attorney general.
Companies that violate the CDPA can be subjected to civil penalties of up to $7,500 for “each violation” of the law.
Importantly, however, the CDPA includes a cure provision that provides the opportunity for companies to avoid enforcement actions if all violations are corrected within 30 days after receiving notice of non-compliance.
While it is almost certain that the CDPA will be enacted in the immediate future, the law will not go into effect until January 1, 2023.
With that said, companies should still nonetheless begin to take proactive action at this time to enhance their data privacy programs, especially as other states continue their concerted campaign to enact consumer privacy laws of their own in 2021.
In particular, organizations should consider implementing the following actions:
- Complete a data mapping and inventory exercise
- Provide written notice to all individuals at or before the time personal data is collected
- Design and implement processes and procedures for responding to consumer requests
- Implement data security measures to protect and secure personal data
- Complete a data protection assessment
- Consult with experienced privacy counsel to ensure compliance with today’s constantly-evolving privacy legal landscape.