Gov. Northam has signed the Virginia Consumer Data Protection Act into law.
One of the things 2020 should have prepared us for is the unexpected, and the Commonwealth of Virginia managed it with the mere three weeks from mid-January to the beginning of February that it took the General Assembly to introduce, debate, and favorably vote on the Consumer Data Protection Act (VCDPA) (HB 2307 / SB 1392).
So, what’s in (and not in!) the VCDPA and how does it stack up against familiar privacy acts like California’s CCPA & CPRA and the EU’s GDPR?
And what does it mean for US privacy landscape as we head further into 2021? We start with the familiar, and will see echoes of other passed and pending privacy acts (notably the Washington Privacy Act) throughout the VCDPA; but as we’re seeing in proposed bills across the state level, Virginia is putting its own spin on things.
“Virginia’s Consumer Data Protection Act has passed. As the first comprehensive state privacy law to pass following the CCPA/CPRA, Virginia’s law will again change the legal landscape for American privacy law. The Virginia law is not a California copy-cat and would greatly expand the obligations for subject businesses. Businesses should be aware of the multiple additional obligations that flow from the CDPA.”
– Michael Hellbusch, Partner – Rutan & Tucker
Scope: The VCDPA provisions take effect in 2023 and apply to all businesses that in a calendar year:
- Control or process the personal data of at least 100,000 consumers OR
- Control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data (§ 59.1-572.).
Borrowing from the GDPR, Virginia’s VCDPA uses terms including controller, processor, personal data, data minimization, and from the GDPR and CCPA/CPRA, has consumer rights, and the requirement of data protection assessments for high-risk processing activities. We also see the now ubiquitous requirements for reasonably accessible, clear, and meaningful privacy notices that address the collection, processing, disclosure, sale, and nature of and process for requesting consumer rights.
Definitions: Just as in the CCPA, we see the concept of “sale of personal data” for monetary consideration, with a twist that excludes from a sale “the disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience” (§ 59.1-571.).
Another divergence in the VCDPA is in the latter half of the definition of “consumer.” It begins with “a natural person who is a resident of the Commonwealth acting only in an individual or household context” but goes on to explicitly state that the definition of consumer does not include a “natural person acting in a commercial or employment context” (§ 59.1-571.). We see this in the Washington Privacy Act (WPA) as well, and in both, individuals in this context are also exempt from consumer rights provisions.
“Personal data” has been defined as broadly as we see in the other regulations, and includes any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data (subject to safeguards), and consistent with the carveout to the definition of Sale, publicly available information is not considered “personal data” under the bill.
With “sensitive data,” we see the blended influence of current regulations – like the CPRA and GDPR, the act includes the concept of sensitive data:
- Personal data revealing "racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;"
- Biometric data used "for the purpose of uniquely identifying a natural person;"
- Data collected from a known child; or
- Precise geolocation data.
The VCDPA imposes two key compliance obligations related to sensitive data – and they are significant:
First, sensitive data cannot be processed without opt-in consumer consent (§ 59.1-574.). The bill defines consent, consistent with the WPA, as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous” agreement (§ 59.1-571.).
Second, the VCDPA expressly requires the controller conduct and document a data protection assessment for the processing of sensitive data, in addition to processing for targeted advertising, profiling, sales of personal data, and the ambiguous “processing activities that present a heightened risk of harm" (§ 59.1-576.).
Consumer Rights: In § 59.1-573., the VCDPA provides consumers with the right to submit the following requests to the controller:
- Access personal data that a business processes about them;
- Correct inaccuracies in that data, taking into account the nature of the data and the purpose of the processing;
- Delete personal data provided or obtained about them, subject to certain exceptions; •
- Obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format
- Opt-out of processing for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
- Opt-in to the processing of sensitive data, unless the processing activity is an internal operation "reasonably aligned" with the expectations of the consumer or in furtherance of provision of a product or service specifically requested by the consumer.
Consistent with the terms of the CCPA, controllers must respond free of charge, twice a year and within 45-days. All requests are subject to authentication, and the controller can decline to take action but must provide instructions to the consumer on how to appeal that decision. Similar to the GDPR’s requirements, processors are to assist the controller in meetings its obligations (§ 59.1-575.).
Fines: Before initiating an enforcement action under the Act, the Attorney General is required to provide a controller thirty-day written notice of the specific violation of the Act at issue. Only after a controller’s continued violation of the Act may an action be initiated by the Attorney General, and damages for violations recoverable by the Attorney General are capped at $7500 per violation.
What’s Not In?
When viewed in light of the CCPA, one of the most notable absences in the VCDPA is that Virginia lacks a private right of action - meaning individuals cannot sue if their rights are being violated - leaving enforcement exclusively to the Office of the Attorney General of Virginia. Funding for initial enforcement work is not provided in the Act but is supposed to come later through fines collected in future enforcement actions.
Further, the VCDPA does not require controllers disclose or provide a list of third parties to whom personal data is shared; does not make a provision for an authorized agent to submit rights on the consumer’s behalf; and makes no provisions for instances of a data breach.
Similar to the WPA, the bill exempts a range of regulated financial services, health care, human research, consumer credit reporting, educational, and employment data from its provisions, with wide carveouts for specific types of data and covered entities regulated under laws such as HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and educational privacy law FERPA (§ 59.1-572.).
Unlike the rounds of rule-making we saw with the CCPA, the VCPDA does not provide for rule-making, though it does direct the Chairman of the General Assembly's Joint Commission on Technology and Science to create a working group of government officials, business representatives, and privacy advocates to produce recommendations related to implementation of the act by November 1, 2021.
So where does this leave us?
The Virginia Consumer Data Protection Act is another step forward, offering significant new rights for consumers, demonstrating the ongoing interest of Americans in protecting their data, and – combined with the host of other states with proposed acts – putting additional pressure on Congress to pass a federal data privacy law.
Without question, some experts had hoped law makers would go even further on the issues of Opt-In vs Opt-Out Consent and a Private Right of Action, but the VCDPA will continue to push forward the national conversation on data privacy rights and the security of consumer data.