09 April 2021
The Virginia Consumer Data Protection Act (HB 2307 / SB 1392), or CDPA, passed the Virginia House of Delegates and the state Senate on February 5, 2021, with significant bipartisan support.
The CDPA is intended to be a comprehensive privacy law. It allows residents of the Commonwealth of Virginia to opt out of the sale of their personal data and of targeted advertising based on that data, in a fashion similar to the California Consumer Privacy Act (CCPA).
The law also gives consumers the right to access the personal data that companies collect about them, and to correct or delete it.
The law takes effect, and becomes enforceable, on January 1, 2023.
Virginia Delegate Cliff Hayes Jr. (D) introduced the bill in the Virginia House of Delegates. He has said he was influenced by the European General Data Protection Regulation (GDPR) and by other states' efforts, and that one of his reasons for submitting the legislation was that the U.S. federal government had not acted.
The Washington Post quoted him as saying:
"Who needs to worry about hackers when we're giving away and selling consumers' private identifiable information? We just want to make sure that we're protecting the consumers' data privacy rights."
The CDPA is modeled in large part on the most recent version of the Washington Privacy Act (WPA), proposed in the Washington state Senate earlier this year. However, the CDPA differs from the WPA on key points, and many consider those differences to make it more business-friendly.
Major players in the tech industry, including Microsoft and Amazon, as well as various technology trade groups, backed the legislation. Legislators have suggested that additional protections the CDPA does not currently provide are in the works.
The CDPA would cover the following:
According to the CDPA, a "consumer" is "a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context."
This definition carries an important limitation.
As in the WPA, a person acting in an employment or commercial context is not a "consumer." Such persons therefore do not receive the consumer rights the legislation grants, which we describe below.
Specific categories of personal data are designated as "sensitive personal data," which includes:
The legislation defines "consent" as "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." This is another area where the CDPA borrowed from the WPA.
A company must obtain the consumer's consent before processing sensitive personal data.
Finally, a company that obtains verifiable parental consent in compliance with the Children's Online Privacy Protection Act of 1998 (COPPA) is deemed to satisfy the CDPA's requirement to obtain parental consent for the personal data of children under 13.
The CDPA exempts several categories of entities, including institutions of higher education, nonprofits, and "financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act." Covered entities and business associates under HIPAA are also exempt.
Additionally, the CDPA cannot limit a controller or processor's ability to:
The law also will not forbid controllers and processors from conducting:
"internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party."
Finally, there are specific data sets exempted from the CDPA. They include:
The CDPA provides Commonwealth of Virginia residents with specific rights concerning privacy. These include the following:
For all of the above, a controller must respond to a consumer's request within 45 days of receiving it (the statute permits one 45-day extension where reasonably necessary). There are, however, some cases in which a business is not required to comply with a consumer rights request.
Unlike the CCPA, the CDPA defines the sale of personal data narrowly, as "the exchange of personal data for monetary consideration by the controller to a third party."
By comparison, the CCPA's definition of "sale" covers exchanges for "monetary or other valuable consideration," so non-monetary exchanges of data can be sales under the CCPA but not under the CDPA.
Additionally, the CDPA excludes the following from the definition of "sale":
To comply with the CDPA, companies must:
Data processing agreements with third party data processors must:
Before a company begins any processing of personal data that "present[s] a heightened risk of harm to consumers," which includes processing for targeted advertising, certain profiling activities, the sale of personal data, and the processing of sensitive data, it must conduct and document a data protection assessment.
Each data protection assessment must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, as mitigated by the safeguards the controller can employ to reduce those risks.
It is important to note that Virginia's Attorney General can require a business to disclose a data protection assessment relevant to an investigation by civil investigative demand, without a court order. However, assessments are exempt from Virginia's Freedom of Information Act and remain confidential.
Additionally, disclosure of an assessment to the Attorney General does not waive attorney-client privilege or work product protection over its contents.
The Virginia Attorney General's office has exclusive authority to enforce the law. Before bringing an action, it must give the company written notice of the alleged violation, and the company then has 30 days to cure it.
If the company fails to cure the violation within that period, it may be subject to civil penalties of up to $7,500 per violation.
Additionally, the offending company could be forced to pay "reasonable expenses incurred in investigating and preparing the case, including attorney fees."
Critics of the legislation continue to point out that it gives consumers no ability to sue companies that infringe their privacy rights; in other words, there is no private right of action.
Privacy advocates such as Consumer Reports and the Electronic Frontier Foundation urged Virginia's lawmakers to strengthen the CDPA's protections so that they would be comparable to the CCPA's.
While other U.S. states continue to consider data privacy and protection laws, Virginia is now the second state, after California, to enact a comprehensive privacy law.
In light of the above, companies that do business in Virginia should begin working to comply with the CDPA if they haven't started doing so already.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.