Data Points: Privacy & Data Security Blog

With incredible speed, Virginia became the second state in the United States with a comprehensive data privacy law. Virginia’s law is called the Consumer Data Protection Act (CDPA). The CDPA is effective January 1, 2023, giving covered businesses a moment to catch their collective breaths and revise their privacy policies and vendor contracts, conduct the required data protection assessments, and design processes for consumers to exercise their rights to access, know, correct, port and delete, opt-in to processing of “sensitive” data, and opt-out of targeted advertising, the sale of personal data, and certain profiling.

Exemptions and Enforcement

But let’s level set first. The law in some ways is less onerous that California’s Consumer Privacy Protection Act (CCPA)/Consumer Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR), although Virginia’s CDPA incorporates elements of both. If your business is a financial institution subject to privacy provisions of Gramm-Leach-Bliley (GLBA, Title V), the CDPA does not apply. The CDPA also exempts data covered by Title V of GLBA. By comparison, the CCPA and the CPRA only exempt personal information subject to GLBA, not the institution itself.

Virginia’s CDPA also exempts publicly available information and personal data regulated by a number of specified laws, including consumer credit check information regulated by the Fair Credit Reporting Act (FCRA), student data regulated by FERPA, and patient and health information protected by HIPAA and other laws, as well as covered entities and business associates governed by the privacy, security and breach notification rules under HIPAA. Importantly, Virginia’s CDPA has a broad exception for personal data of employees, independent contractors and applicants, including data that is collected and used in the context of the individual’s role as such. In contrast, the CCPA/CPRA and GDPR impose varying levels of protection on employee, contractor and applicant data.

The CDPA also has a long list of limitations on the scope of the law. For example, the CDPA expressly states that it should not be construed to limit a controller’s or processor’s ability to use personal data for certain business purposes (such as a product recall or other internal operations “reasonably aligned with the expectations of the consumer”), to comply with federal, state or local laws, to comply with a government issues subpoena or investigation, to cooperate with law enforcement regarding a violation of the law, to perform a contract to which a consumer is a party, and to respond to security incidents or other specified malicious, fraudulent or illegal activity. The CDPA also contains the right of controllers and processors to take steps to protect the life and physical safety of natural persons and to engage in research if certain conditions are met.

In addition, there is no private cause of action under the CDPA, and although the Virginia’s Attorney General can enforce the law, the AG must provide 30 days’ notice of a violation and opportunity to cure and damages are limited to up to $7,500 per violation. A far cry from GDPR’s four percent of worldwide turnover.

Who is Covered?

The CDPA applies to persons conducting business in Virginia or who produce products or services targeted to residents of Virginia if such persons (i) control or process the personal data of at least 100,000 consumers in a calendar year, or (ii) control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenues from the sale of personal data.

The law protects “consumers.” Consumers are limited to natural persons who are residents of Virginia acting in an individual or household context. The CDPA expressly does not apply to natural persons acting in a commercial or employment context.

A Mix of GDPR and CCPA/CPRA

Virginia’s CDPA is an interesting mix of elements from GDPR, CCPA and CPRA.

• Controllers, Processors, Processing, and Data Protection Assessments. The CDPA uses the concepts of “controller”, “processor” and “processing” from GDPR and requires controllers to conduct data protection assessments (similar to the GDPR concept of a data protection impact assessment) if the controller processes “sensitive data” or if it processes any personal data for targeted advertising, the sale of personal data, or certain profiling (including if the profiling creates a reasonably foreseeable risk of financial, physical or reputational injury to, or unfair or deceptive treatment or disparate impact on, consumers), or if the processing presents a “heightened risk of harm to consumers.” The data protection assessment must identify and weigh various factors, including (i) the benefits from the processing to the controller, the consumer, the public and other stakeholders against the potential risks to the rights of the consumer, (i) safeguards and mitigating measures to reduce such risks, (iii) the use of de-identified data, and (iv) the relationship between the controller and the consumer.
• FIPPS. The CDPA includes familiar fair information practice principles, including data minimization (limiting collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is collected), use limitations (prohibiting processing that is “neither reasonably necessary to nor compatible with” the purposes disclosed to the consumer), proportionality (requiring the processing is reasonably necessary and proportional to the purposes listed in the CDPA), notice and consent (including notice to consumers of the purpose and scope of collection and processing, and requiring consent to processing of sensitive data and processing of personal data beyond the purpose disclosed by the covered person), and security (requiring the controller to have reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data). Consent requires an affirmative act showing the consumer’s “freely given, specific, informed and unambiguous” consent. Therefore, like GDPR, pre-ticked boxes won’t work.
• Broad Definition of Data and Special Requirements for “Sensitive” Data. Like the GDPR, the CCPA and the CPRA, the Virginia CDPA has a broad definition of “personal data.” Personal data under the CDPA covers information linked or reasonably linkable to an identified or identifiable natural person. The CDPA also has special protections for “sensitive data.” Sensitive data includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data for uniquely identifying a natural person, data collected from a person known to be a younger than 13 years old, and “precise” geolocation data (locating an individual within a radius of 1,750 feet). Processing of sensitive data requires the consumer’s consent (or in the case of a child under 13, the parent’s consent).
• Special Obligations for Persons Who Engage in the Sale of Personal Data. Like the CCPA and the CPRA, the CDPA imposes special requirements if the covered person engages in the “sale” of personal data. However, the CDPA provides relief for those who struggle with California’s broad and vague definition of “sale” and its application to sharing personal data with services like Google Ads. Under the CDPA, “sale” is limited to the exchange of personal data for monetary consideration. Like the CCPA, the CDPA excludes from sale the disclosure of personal data to a processor or service provider in specified circumstances. Consumers have the right (i) to notice of the controller’s sale of their personal data, and (ii) to opt out of such sale. In addition, controllers must conduct a data protection assessment if they engage in the sale of personal data.
• Special Obligations for Targeted Advertising and Profiling. Like California and the EU, Virginia recognizes the need to protect consumers from use of their personal data for targeted advertising and profiling. Targeted advertising is specifically defined by the CDPA as covering advertisements displayed to a consumer based on personal data obtained from the consumer over time and across nonaffiliated websites or online applications to predict the consumers preferences or interests. It does not include, however, displaying advertisements based on the consumer’s activities on the controller’s own website or online applications, search queries, or processing personal data solely for measuring or reporting advertising performance, reach or frequency. Profiling covers automated processing of personal data to analyze, evaluate or predict a natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location or movement. Consumers have the right to (i) notice of the controller’s processing for these purposes and (ii) opt out of targeted advertising and profiling. In addition, the controller must conduct a data protection assessment, as discussed above.
• DSAR. Like GDPR and California’s laws, Virginia’s CDPA gives consumers the right to know whether the controller is processing their personal data, to access that personal data, to correct inaccuracies, to obtain a copy of the personal data that the consumer provided to the controller (in a portable, and if feasible, readily usable format), and to deletion of personal data provided by or obtained about the consumer. The controller must describe at least one “secure and reliable” method by which consumers can access these rights, and like the CCPA, that method must take into account the way in which the consumer normally interacts with the controller but the controller cannot require the consumer to set up a new account to exercise the rights. The consumer’s rights cannot be waived by contract.

The controller must respond to the consumer’s request “without undue delay”—and no later than 45 days after receipt of the request, which can be extended by an additional 45 days if “reasonably necessary” if the controller notifies the consumer of the extension and the reason for the extension. The consumer has the right to the requested information free of charge up to two times a year, but the covered person can charge a fee or decline to act on the request if the request(s) are “manifestly unfounded, excessive, or repetitive.” The covered person also can deny the request if it cannot authenticate the consumer. Authenticate is defined by the CDPA as verifying through reasonable means that the consumer is the same consumer. If the controller denies the request, it must give the consumer both the reason for the denial and instructions on how to appeal. The appeal rights also must be “conspicuously” set forth in the covered person’s privacy policy. Appeals must be processed within 60 days, and if the appeal is denied, the covered person must provide an online or other method for the consumer to contact Virginia’s Attorney General to complain.

• Opt-Out Rights. The CDPA gives data subjects the right to opt out of the processing personal data for targeted advertising, sale of personal data, or profiling “in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The process for opting out must be set forth in the covered person’s privacy policy.
• Privacy Policies. Like California, the CDPA requires that the covered person’s privacy policy set forth the categories of personal information processed by the controller, the categories shared with third parties (and the categories of third parties with whom the data is shared), the purpose of the processing, whether the controller sells personal data to third parties or processes personal data for targeted advertising, how the consumer can exercise their rights to know, access, delete, port, and opt-out, and appeal of a denial of their rights.

Further, although de-identified information is excluded from the definition of personal data, the controller must publicly commit to not attempt to re-identify the data and contractually obligate recipients of the de-identified data to comply with the CDPA. For this and other reasons, covered businesses will need to revise their vendor agreements or add a data processing addendum covering the CDPA.

• Vendor Contracts. Like GDPR, the CDPA requires a contract between the controller and the processor governing and specifying the obligations of the processor. The requirements are very similar to Article 28 of the GDPR.
• Nondiscrimination. The CDPA prohibits discrimination against consumers in a manner that violates other state or federal laws or for exercising their rights under the CDPA. Like the CCPA, the CDPA permits offering preferred terms (such as preferred pricing or selection of goods or services) related to a consumer’s voluntary participation in a bona fide loyalty or rewards program.

Like the CCPA and CPRA, we can expect regulations that provide more detail on the requirements of the CDPA. We also anticipate that for the most part, those regulations will track the interpretations and guidance on similar provisions under the GDPR, CCPA and CPRA. Although January 2023 may seem far off, businesses who are not already GDPR and CCPA compliant should start now to assess their data collection and processing practices and put plans in place to comply with the CDPA.