Virginia is on track to be the second U.S. state to enact comprehensive consumer privacy legislation. Both the Virginia House of Delegates and the Virginia Senate have passed nearly identical versions of the Consumer Data Protection Act (CDPA) with bipartisan support, which suggests that reconciliation may be reasonably straightforward. The CDPA incorporates concepts from the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the proposed Washington Privacy Act (WPA). If enacted as currently drafted, the Virginia CDPA would take effect on January 1, 2023.

The House bill is HB 2307 and the Senate bill is SB 1392. Virginia Governor Ralph Northam (D) has convened a special legislative session beginning February 10, 2021, during which the state legislature can continue consideration and reconciliation of the CDPA. At the time of writing, the special session has no scheduled end date.

CDPA: An approach to consumer privacy influenced by GDPR, CCPA, and WPA

The CDPA contains definitions, obligations, and rights familiar to many privacy professionals. We identify a few of the key concepts below.

Scope

  • Covered Entities: The CDPA would apply to persons that: (i) conduct business in Virginia or that produce products or services that are targeted to VA residents and; (ii) either (a) control or process personal data of at least 100,000 VA residents or (b) derive 50% or more of gross revenue from the sale of personal data and control or process personal data of at least 25,000 VA residents.

The CDPA would exempt financial institutions subject to the GLBA, as well as HIPAA covered entities and business associates. The bill would also exempt data subject to FCRA, FERPA, and certain other laws.

  • Data Subjects: Unlike some comprehensive laws, the CDPA defines “consumer” in terms of state residents acting in only an individual or household context. The bill would expressly (and permanently) exclude natural persons acting in a commercial or employment context.
  • Entity Qualifications: The CDPA would follow the GDPR in categorizing covered entities as either “controllers” or “processors.” Like the GDPR, the CDPA would require specific terms to govern a controller’s relationship with a processor and would impose distinct obligations on controllers and processors. The requirements for a controller-processor contracts are similar to those under Article 28 of the GDPR (i.e., they are more detailed than the requirements for a CCPA “service provider” contract).
  • Definition of Personal Data: “Personal data” would mean “any information that is linked or reasonably linkable to an identified or identifiable natural person” and would exclude “de-identified data or publicly available information.” The definitions for “de-identified” and “publicly available” are both drafted more broadly than the analogous terms in the CCPA. De-identified data is defined as “data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.” “Publicly available” information includes information from government records, as well as “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”
  • Definition of Sensitive Data: Sensitive data would mean personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data to identify a natural person; personal data collected from a “known child;” and precise geolocation data.

Controller Obligations

The CDPA would require controllers to: (i) be transparent about data practices, including by maintaining a privacy notice and informing consumers of certain processing activities such as “selling” personal data or using personal data for targeted advertising; (ii) adhere to purpose limitation, data minimization, and security requirements; (iii) complete “data protection assessments” for certain processing activities considered high risk (e.g., processing sensitive data and targeted advertising); and (iv) obtain “freely given, specific, informed, and unambiguous” consent before processing sensitive data or processing any personal data for secondary purposes that are not compatible with previously disclosed purposes, among other requirements.

Processor Obligations

The CDPA would impose independent obligations on processors, including requirements to: (i) adhere to controller instructions; (ii) assist the controller by implementing appropriate technical and organizational measures to help the controller respond to consumer rights and by securing the processing of personal data; and (iii) provide necessary information to support data protection assessments. Contracts between controllers and processors would have to include additional provisions, including requirements relating to auditing, data retention, data confidentiality, and subcontracting.

Consumer Rights

The CDPA would grant consumers five rights, which are the rights to:

  1. Confirm whether a controller is processing data about that consumer and to access such data;
  2. Receive personal data received from the consumer in a portable and readily usable format;
  3. Correct inaccurate personal data;
  4. Delete personal data; and
  5. Opt out of the processing of personal data for “sales,” targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The CDPA defines “sale” to mean the exchange of personal data for monetary consideration by the controller to a third party, with several exceptions (e.g., transfers of personal data to an affiliate or processor). While the definition of “sale” under the CDPA would be narrower than that under the CCPA, the CDPA’s right to opt out extends beyond sales to processing for targeted advertising and certain profiling that does not involve data sharing.

In addition, the CDPA would prohibit controllers from discriminating against consumers for exercising any of their rights under the Act. The CDPA also would require that controllers establish a process for consumers to appeal a denial of a request to exercise the above rights. If an appeal is denied, the controller would need to provide a mechanism for the consumer to submit a complaint to the Attorney General.

Enforcement

The Virginia Attorney General would receive exclusive responsibility to enforce the CDPA. Private rights of action are expressly barred in the bill.

Like the CCPA, the CDPA would include a 30-day cure period before alleged non-compliance becomes a violation. Violations can be subject to a maximum penalty of $7,500 per violation.

Effective Date

The CDPA would take effect January 1, 2023.