In March 2021, Virginia’s Governor Ralph Northam signed the Consumer Data Protection Act (CDPA), making Virginia the second state to enact comprehensive data privacy protections for its residents. If you are feeling blindsided by this news, you are not alone.[1] Unlike California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) or the European Union’s General Data Protection Regulation (GDPR), which were heavily debated in both the legislature and public commentary for months on end, the Virginia legislature introduced this legislation in mid-January 2021, with Governor Northam signing the CDPA in less than two months’ time.
The CDPA will not go into effect until January 1, 2023 (ironically, the same day that most provisions of the CPRA also become effective). In the meantime, Virginia is assembling a working group to study the implementation of this act comprising “the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates … to review the provisions of this act and issues related to its implementation.” The findings of this work group are due on November 1, 2021, and that group’s notes will likely provide recommendations for compliance. While November may seem far away, businesses in Virginia or with significant Virginia consumer contacts may be wise to become familiar with the Act and the impending responsibilities.
Who must comply with the CDPA?
The first consideration before beginning compliance preparations is whether the CDPA will even apply to your business. The CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either:
- Control or process the personal data of at least 100,000 consumers during a calendar year; or
- Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.[2]
For those familiar with California’s CCPA’s $25 million revenue threshold, the lack of a revenue threshold here is a notable omission. The result of that omission is that even large companies can be excused from compliance because they do not process the required amount of covered consumer data, while smaller companies (such as those offering low-cost direct-to-consumer products) will be required to comply regardless of revenue levels.
The definition of “sale of personal data” is also much more restrictive than the CCPA. The CCPA generally defines “sale” as exchange of information for monetary or other valuable consideration. Conversely, the Virginia definition of “sale of personal data” is only an exchange for monetary consideration, with some notable exceptions, such as exchange of personal data during a merger or acquisition.[3]
Do any exceptions exist for certain entity types?
Yes. The CDPA does not apply to the Virginia government, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities or business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), nonprofits, or “institutions of higher learning.” However, the CDPA does appear to apply to third-party processors of government entities, nonprofits, and institutions of higher learning that meet the required data processing thresholds. Broadly speaking, there also exist certain carve outs for data subject to GLBA, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act (FERPA).
Who does the CDPA protect?
The CDPA protects the personal information of “consumers”, which are defined as natural persons who are residents of Virginia “acting only in an individual or household context.” The definition explicitly excludes individuals “acting in a commercial or employment context”, which has the effect of excluding business to business communications and large amounts of human resources data. Thus, companies that only collect and hold Virginia consumer data in an employment or business to business context may be able to avoid compliance.
What personal data is protected by the CDPA?
The CDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” “Identified or identifiable natural person” is defined as “a person who can be readily identified, directly or indirectly.” Special protections are also included for “sensitive data”, which includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data for uniquely identifying a natural person, data collected from a person known to be a younger than 13 years old, and “precise” geolocation data (locating an individual within a radius of 1,750 feet). Collecting sensitive data will require the consumer’s consent (or the consent of a parent if the consumer is under 13 years old).
The CDPA also excludes “publicly available information” from compliance and defines “publicly available” more broadly than other existing regulations. Unlike California’s limitation on “publicly available” only data that is lawfully obtainable from a government entity, the CDPA constitutes “publicly available information” to include information that a business has “a reasonable basis to believe [that the information is] lawfully made publicly available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.” Information that could thus fall under “publicly available information” in Virginia would include personal information posted publicly on social media; for example, a picture of a COVID-19 vaccine card posted on a public Instagram page.
What rights are Virginia consumers granted in the CDPA?
The rights granted through the CDPA are like those in the CCPA and GDPR. Consumers will generally be granted rights to access, correct, delete or receive copies of the personal data held by applicable businesses. Consumers will be able to opt out of targeted advertising and sale of their personal data, and businesses will also be required to make additional disclosures surrounding their personal data processing activities, the rights, and how consumers may exercise their rights. The specific mechanisms through which customers are able to exercise these rights are detailed and extensive, so thorough review of the CDPA’s specific mechanisms for compliance are recommended for businesses beginning compliance preparations.
What are the penalties for non-compliance with the CDPA?
Virginia’s Attorney General will be the sole enforcement authority of the CDPA. If the Virginia AG provides notice of a violation and the non-compliant business does not cure the compliance issue within 30 days of notice, the Virginia AG can institute enforcement action which carries statutory damages of up to $7,500 per violation for intentional violations. Unlike the CCPA, there is no private right of action.
Conclusion
Much like the CCPA, businesses can expect that regulations will be generated by the Virginia AG that will provide more detail about the CDPA requirements. While the final texts of those regulations are far off, businesses that will need to comply should begin preparations now—especially if they are not currently compliant with the GDPR or CCPA. Consultation with experienced privacy counsel and consultants can provide significant assistance in compliance efforts.
******************************************************************************************************************************************************************************************************************
[1] Joseph Duball, “Challenge accepted: Initial Virginia CDPA Reactions, Considerations”, IAPP (Mar. 4, 2021) (https://iapp.org/news/a/challenge-accepted-initial-virginia-cdpa-reactions-considerations/?mkt_tok=MTM4LUVaTS0wNDIAAAF7nWl2kuMyzbn5dKcD8W3Y4fggbDxNg2PM84osNdKWpMvPYHWeJcjIqQy1i4dSpHpMQHLs0yruSK6OoqCCkkzJXqhhnHOByJMIE7AxjkbfRlLv).
[2] § 59.1-572(A).
[3] Other exceptions include disclosures: (1) to a processor; (2) to a third party for the purposes of providing a product or service requested by the consumer; (3) to a controller’s affiliate; or (4) of information generally made available by the data subject through a mass media channel that is not restricted to a particular audience. The CDPA’s definitions of “processor”, “controller”, and “third party” are virtually identical to the GDPR.
