Virginia Now Second State To Pass Comprehensive Data Privacy Law
On March 2, 2021, the Virginia governor signed into law the Consumer Data Protection Act ("CDPA"), following in the footsteps of California and becoming the second state to pass a comprehensive data privacy law. Organizations must comply with the CDPA if they conduct business in Virginia or produce products or services targeted to a certain number of Virginia residents.
The Virginia Attorney General has the exclusive authority to enforce the CDPA, with civil penalties for non-compliance of up to $7,500 per violation.
While the law takes effect on January 1, 2023, we recommend that organizations begin to tackle changes to their internal procedures and their privacy policies well in advance of that date. Given that the Virginia bill introduces some concepts that are similar to the European Union's General Data Protection Regulation ("GDPR"), compliance may require additional time to implement.
Will the CDPA Apply to My Business?
The CDPA may apply to your organization even if you are not located in Virginia. The CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to residents in Virginia and, during a calendar year, either control or process personal data of at least (a) 100,000 Virginia consumers, or (b) 25,000 Virginia consumers and derive over 50% of gross revenue from the sale of personal data.
The CDPA incorporates concepts from the California Consumer Privacy Act of 2018 ("CCPA") and the GDPR, which are also comprehensive data privacy laws.
The CDPA adopts certain concepts from the GDPR, such as the definition of data "controller" and "processor." The CDPA applies to both the organization that determines the means and purposes of processing personal data (the "Controller"), as well as other organizations (e.g., service providers) that process personal data on the first organization's behalf (the "Processor").
What Type of Data Is Regulated?
The CDPA regulates "personal data" defined as "any information that is linked or reasonably linkable to an identified or identifiable natural person." The CDPA also regulates a sub-category of personal data called "Sensitive Data." Sensitive Data cannot be processed without the consumer's consent. Securing consent is a high standard, similar to the GDPR's definition of consent: "freely given, specific, informed, and unambiguous agreement."
The CDPA also includes a broad list of exceptions and exemptions, such as certain personal data that is regulated under federal law. Notably, nonprofits and educational institutions are also exempt.
Key Requirements of the CDPA
For those familiar with California privacy law, the Virginia CDPA covers many of the same topics:
Privacy Notice: The CDPA requires each controller to provide a privacy notice. The notice must include the categories of personal data processed; the purpose for processing; how a consumer may exercise their rights; the categories of personal data that the controller shares with third parties; and the categories of third parties with whom personal data is shared.
Limited Processing of Data: A controller may not "process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes" unless the controller secures the consumer's consent.
Rights of Virginia Residents: Under the CDPA, Virginia residents have broad rights with respect to their personal data, including the right to:
- confirm whether a controller is processing the consumer's personal data;
- access personal data;
- correct inaccuracies in personal data;
- delete personal data;
- obtain a copy of personal data in a portable, readily usable format; and
- opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) the profiling of personal data.
Data Protection Assessment: Another new concept for U.S.-based organizations may be the need to perform a data protection assessment. If a controller performs certain data processing activities that are considered high-risk under the CDPA, such as selling personal data, performing targeted advertising, profiling or processing sensitive personal data, then the controller must perform a data protection assessment for each such activity. A data protection assessment requires a controller to weigh the benefits of the data processing with the risks to the rights of the consumer. Controllers must document that they have thoughtfully considered all of these issues before performing any high-risk processing of personal data.
Other New Provisions: The CDPA also addresses issues of security, non-discrimination, response times for addressing data subject requests, authentication of data subjects, and other requirements similar to (but not identical to) those found in the CCPA and/or GDPR.
What To Do Next?
Start by analyzing the scope of the CDPA to determine if it applies to your organization, or whether your organization falls into one of its exceptions or exemptions.
To learn more about how the CDPA may affect your organization, please contact your Quarles & Brady attorney or: