The Act represents an accelerating trend among US states to attempt to pass comprehensive privacy legislation in the wake of the CCPA.
On March 2, 2021, Virginia Governor Ralph Northam signed comprehensive state privacy legislation titled the Consumer Data Protection Act (CDPA). Previously, the Virginia Senate unanimously passed the bill on February 5, 2021, and the Virginia House of Delegates followed suit in a special legislative session on February 18, 2021. The law will take effect on January 1, 2023. This post addresses some key provisions.
CDPA
The CDPA will apply to businesses that control or process personal data of at least 100,000 consumers, or to businesses that control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Controllers and Processors
Following in the footsteps of the General Data Protection Regulation (GDPR), the CDPA uses the concepts of controller and processor of consumer data. A “controller” is the business that determines the purpose and means of processing personal data, while a “processor” is an entity that processes personal data on behalf of the controller. The California Consumer Privacy Act (CCPA) has a similar concept — using the terms business and service provider instead — but the CCPA’s restrictions on how service providers can use information they receive on behalf of businesses are more prescriptive.
Under the CDPA, controllers must limit the collection of personal data to what is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.” In addition, controllers shall not process personal data “for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed” unless the consumer gives consent. A consumer can only give consent through a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”
The CDPA guarantees consumers certain personal data rights that may be exercised against a controller. Consumers are limited to Virginia residents who are “acting only in an individual or household context” — thus, Virginia residents acting in a commercial or employment context do not qualify. Under the CDPA, consumers have the right to:
- Confirm whether or not a controller is processing the consumer’s personal data and access such personal data
- Correct inaccuracies in the consumer’s personal data
- Delete personal data provided by or obtained about the consumer
- Obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data to another controller
- Opt out of the processing of the personal data for purposes of (1) targeted advertising, (2) sale of personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Controllers may not discriminate against consumers for exercising any of these rights.
Sale of Personal Data
Under the CDPA, a “sale of personal data” is the “exchange of personal data for monetary consideration by the controller to a third party.” There are several key differences between this definition of sale and the definition found in the CCPA. First, Virginia limits the scope of a “sale” to only exchanges for monetary consideration, unlike the CCPA, which extends the scope to exchanges for monetary or other valuable consideration. Second, by only using one verb (“exchange”), Virginia’s “sale” provision is arguably narrower than the CCPA’s “sale” provision, which is defined to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means.” Virginia also excludes certain exchanges of personal data from the definition of a sale, including: (1) disclosure to a processor that processes personal data on behalf of the controller; (2) disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; (3) disclosure or transfer of personal data to an affiliate of the controller; (4) disclosure of information that the consumer intentionally made available to the general public and did not restrict to a specific audience; or (5) disclosure or transfer to a third party as an asset as part of a merger, acquisition, or bankruptcy.
Additional Disclosure and Opt-Out Requirements: Targeted Advertising and Profiling
While the CCPA and the CDPA both require businesses to clearly and conspicuously disclose the sale of personal data and allow consumers to opt out of such sales, the CDPA requires additional disclosures and gives consumers additional options to opt out of targeted advertising or certain types of profiling.
Targeted advertising is defined as the delivery of an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict consumer preferences or interests. Contextual advertising — which is based on activities within a controller’s own website or online applications and on the context of a customer’s current search query or request for information — does not constitute targeted advertising. In addition, processing personal data solely for measuring or reporting advertising performance, reach, or frequency does not constitute targeted advertising.
The scope of profiling in furtherance of decisions that produce legal or similarly significant effects is uncertain. On the one hand, the CDPA defines consumer profiling broadly as any form of “automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to a … [consumer’s] economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” On the other hand, the profiling opt-out applies only to “decisions that produce legal or similarly significant effects” — i.e., not all profiling.
Sensitive Personal Data
Virginia’s new law creates a heightened class of protected personal data: “sensitive data.” Sensitive data is personal data that includes: “(1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship, or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal data collected from a known child; or (4) precise geolocation data.” Controllers may not process sensitive data concerning a consumer without first obtaining the consumer’s affirmative consent, based on the rigorous standard established in the law.
Data Protection Assessments
The CDPA will require controllers to conduct data protection assessments regarding the processing of personal data, the sale of personal data, the processing of personal data for certain types of profiling, the processing of sensitive data, and any processing activities involving personal data that present a heightened risk of harm to consumers.
Certain types of institutions and information are exempted from the CDPA. Virginia’s new law does not apply to entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Gramm-Leach-Bliley Act (GLBA). Nor does it apply to Virginia’s government, nonprofit organizations, or institutions of higher education. Furthermore, the law does not apply to personal information that is regulated by, among others, HIPAA, HITECH, GLBA, the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), the Fair Credit Reporting Act (FCRA), the Farm Credit Act, and the Driver’s Privacy Protection Act (DPPA).
Enforcement and Private Actions
The CDPA creates an enforcement framework that is similar to the framework currently in force under the CCPA. Virginia’s Attorney General will have the exclusive authority to enforce the new law. The CDPA requires the Attorney General to give any controller or processor 30 days’ written notice of the specific statutory violations alleged. If the controller or processor cures the alleged violations and provides an express written statement that the alleged violations have been cured and that no further violations shall occur, the Attorney General cannot initiate an action for statutory damages. If the controller or processor continues to violate the statute in breach of the express written statement, the Attorney General may then bring an enforcement action. Violations of the CDPA may result in an injunction and civil penalty of up to US$7,500 per violation. There is no private right of action.
The CDPA represents an accelerating trend among US states to attempt to pass comprehensive privacy legislation in the wake of the CCPA. For example, the New York State Legislature is currently considering two privacy bills — Senate Bill 567 and Assembly Bill A680 (the New York Privacy Act). Unlike the CDPA, both bills contain a private right of action, and Assembly Bill A680 would create an opt-in consent requirement for all processing activities and third-party disclosures. Similarly, the Washington State Legislature is considering a privacy bill that has been before the Legislature in some form since 2019. This bill, which is very similar to the CDPA, is currently making its way through Washington Senate committees. As US states continue to enact privacy legislation, the patchwork of state frameworks may create further pressure for the US Congress to pass federal privacy legislation.