On March 2, 2021, Governor Ralph Northam signed into law Virginia's Consumer Data Protection Act (CDPA). Virginia is now the second state to pass significant data privacy and security legislation, California being the first. The CDPA goes into effect January 1, 2023.
Who Does It Apply To?
The CDPA applies to persons (which includes legal entities like LLCs, corporations, etc.) that conduct business in Virginia or produce products or services targeted to residents of Virginia and either:
- Control or process the personal data of at least 100,000 consumers in a calendar year; or
- Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
The CDPA includes a list of persons and data that are exempt, including:
- Any Virginia (or political subdivision of Virginia) government agency, body, authority, board, bureau, commission, etc.
- Financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA).
- Covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) and protected health information subject to HIPAA.
- Nonprofit organizations.
- Data regulated under the Fair Credit Reporting Act.
- Higher education institutions and personal data regulated by the Family Educational Rights and Privacy Act (FERPA).
Notably, the CDPA exemption for financial institutions governed by the GLBA and covered entities and business associates under HIPAA and HITECH is broader than the exemption found under California's privacy laws, which only exempt the specific data subject to laws like HIPAA or GLBA, and not the entire entity itself. Accordingly, a financial institution doing business in both Virginia and California that otherwise meets the thresholds for the laws in both states to apply would be subject to California's privacy laws with respect to personal information that is not governed by GLBA (such as website visitor data), but appears to be entirely exempt from Virginia's CDPA.
What Rights Do Consumers Have?
Under the CDPA, consumers are natural persons (i.e., not businesses, but real people) who are residents of Virginia acting only in an individual or household context. A consumer DOES NOT include individuals acting in a commercial or employment context. This is a very significant carve-out, which means that business-to-business information and employment information are not subject to the CDPA.
- Right to Know and Access: Consumers have the right to know whether a data "controller" is processing their personal data and to access that data.
- Right to Correct: After reviewing the data collected, consumers have the right to correct any inaccuracies contained in said data.
- Right to Delete: Consumers have the right to delete data provided by the consumer itself or other personal data obtained about the consumer.
- Right to Data Portability: Related to the right to know and access, consumers have the right to obtain a copy of their personal data in a readily usable format that allows the consumer to transmit the data.
- Right to Opt Out: Consumers have the right to opt out of the processing of their personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
What Will Be Required of Me/My Organization?
- Limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.
- Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.
- Respond to consumer rights requests within 45 days; and when denying a request, provide an appeal process. Also, any provisions of a contract or agreement that purport to waive consumer rights are unenforceable.
- Don't process data in violation of state and federal laws that prohibit unlawful discrimination. Do not otherwise discriminate against consumers for exercising their rights under CDPA.
- Don't process sensitive data (which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric information, precise geolocation data and personal data collected from a known child) without a consumer's consent. Consent can only be obtained through a clear, affirmative act signifying the consumer's freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer.
- Provide privacy notices to consumers that are reasonably accessible, clear and meaningful. These notices must disclose the categories of data processed, purpose of processing, how consumers can exercise their CDPA rights, categories of data shared with third parties and the categories of third parties with whom data is shared.
- Clearly and conspicuously disclose whether you sell data and how a consumer can opt out.
- Establish ways consumers can exercise their CDPA rights and describe this method in the privacy notice.
- Ensure vendor contracts meet CDPA requirements. Data sharing with your vendors generally must be governed by a contract with specific CDPA provisions.
- Conduct data protection assessments for data that is: (a) processed for the purpose of targeted advertising; (b) sold; or (c) processed for the purpose of profiling, which profiling presents certain reasonably foreseeable risks.
- If you process data on behalf of another, you must adhere to instructions of that person and assist them in meeting their obligations under CDPA.
How Does This Compare With Other Privacy Laws?
The CDPA does have concepts similar to California's privacy laws and Europe's General Data Protection Regulation (GDPR). For example, under both the CDPA and California law, consumers have the right to know whether their data is being collected, to request that the collected data be deleted and to opt out of the sale of their personal information. However, unlike California privacy law, the CDPA's enforcement is left solely to Virginia's attorney general and there is no private right of action for consumers.
The CDPA adopted the concepts of data "controllers" and data "processors" from the GDPR, and the CDPA’s data assessment requirements are similar to the GDPR’s data protection impact assessment requirement. But the CDPA is not nearly as comprehensive as the GDPR.
Companies that are in compliance with California’s privacy laws or the GDPR will still need to go through a separate compliance process for the CDPA.
What Are the Penalties For Non-Compliance?
Violations of the CDPA can lead to injunctions, civil penalties of up to $7,500 for each violation, and payment of reasonable expenses and attorneys' fees incurred in connection with the investigation and preparation of a case based on CDPA violations.
We Can Help!
For more information on the CDPA and other privacy updates, please be sure to attend Warner’s webinar, the “Mid-Year Data Privacy Legal Update,” on May 25, 2021. You can register here. If you need help complying with the CDPA, please contact Norbert F. Kugele, Lexi M. Woods or any other member of Warner’s Cybersecurity and Privacy Practice Group.