As elsewhere, in Virginia there is growing public concern about the use of personal data online. In response to this concern, the state of Virginia passed a law enhancing data privacy rights for consumers. On March 2, 2021, Governor Northam signed into law the Virginia Consumer Data Protection Act (CDPA). The Act incorporates concepts from the EU’s General Data Protection Regulation (GDPR) and California’s two data privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It also could be a precursor to data privacy laws passed by other U.S. states in the near future.
Legislative Background of Data Privacy Law
The Virginia bill came amid increasingly widespread calls for governmental action on the misuse of personal data online. Cliff Hayes is a member of the Virginia House of Delegates who co-sponsored the comprehensive data privacy legislation. Hayes explained that “consumers should have the right to know what is being collected about them” and “no matter who you are as an organization, you need to be responsible when it comes to handling data of consumers.”
The Virginia General Assembly voted to send the bill to Governor Northam’s desk for signing in March 2021. Although the newly signed law will not go into effect until January 1, 2023, companies should make preparations to get into compliance with Virginia’s privacy legislation and similar laws that are likely to follow.
Applicability and Key Data Privacy Provisions
The Virginia Consumer Data Protection Act applies to “all persons that conduct business in Virginia or produce goods or services targeted at Virginia” and “either (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.”
Consistent with other data privacy laws, the Virginia Consumer Data Protection Act grants individuals certain rights. These include the right to access their personal data, correct misstatements, and request deletion of information. Consumers also have the right to opt out of the processing of personal data for use in targeted advertising.
Controllers, or the entities that determine the purpose and means of processing data, have obligations to consumers. They include the obligation to inform consumers of their security measures and privacy practices. Aside from the data privacy focus, Virginia’s CDPA also imposes cybersecurity obligations and data protection assessments on controllers to enhance transparency. The law does not provide clear guidance beyond stating that companies must adopt “reasonable administrative, technical, and physical data security practices.”
Similarities to EU’s GDPR and California’s Legislation
The Virginia Consumer Data Protection Act attempts to pick up the positive attributes of the GDPR, CCPA and CPRA. At the same time, it seeks to avoid their pitfalls. Like the GDPR, CCPA and CPRA, the Virginia CDPA applies to businesses both inside and outside of Virginia. Also, similar to California’s privacy legislation, the Virginia law avoids imposing obligations on small businesses and non-profits.
The conceptual framework and certain language of the Virginia CDPA closely mirror the GDPR. For example, it utilizes the terms “controllers” and “processors” from the GDPR. The Virginia CDPA, like the GDPR and California legislation, also requires controllers to obtain consent from consumers before processing their “sensitive data.” Sensitive data includes categories such as precise geolocation data, genetic or biometric data, and sexual orientation.
Differences from EU’s GDPR and California’s Legislation
Companies that have implemented data privacy measures that are in compliance with the GDPR, CCPA and CPRA should already find themselves in compliance with the majority of the Virginia Consumer Data Protection Act’s provisions. However, there are a few novel concepts in the Virginia bill.
The legislature drafted the Virginia CDPA to have a narrower scope than that of the GDPR and CCPA. The definitions more explicitly prevent small businesses and non-profits from inadvertently being subject to the regulations.
Under the CDPA, personal data does not include “publicly available information” or other de-identified data. The new Virginia law also casts a wider net in defining what constitutes “publicly available information”. The CDPA’s definition encompasses not only government records but also “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.” This broader definition of “publicly available information” could exclude some information posted on social media platforms.
Additionally, unlike California’s legislation, the Virginia law does not have a private right of action. David Marsden, a sponsor of the bill in the Virginia Senate, noted that the lack of private lawsuit opportunities helps prevent “turning this law into another business.” This means that only the Attorney General in the state of Virginia can enforce violations of the CDPA. An entity must cure a violation of the law within 30 days. Otherwise, the Attorney General can issue injunctions and impose civil penalties of up to $7,500 per violation.