On February 19, the Virginia General Assembly formally approved the Consumer Data Protection Act (CDPA), which likely will be approved by the governor without any substantive changes. The CDPA grants Virginia residents new data privacy rights and creates new obligations for how businesses collect and use their personal data. It also grants the Virginia attorney general the authority to impose penalties on noncompliant businesses of up to $7,500 per violation. The law becomes effective on January 1, 2023, the same day another consumer data protection law – the California Privacy Rights and Enforcement Act of 2020 (CPRA) – takes effect. The CDPA’s key features and unique requirements are set forth below.

Scope of applicability. The CDPA only applies to a limited set of organizations (called “controllers”) that collect Virginia residents’ personal data. In particular, it applies to (for-profit) organizations conducting business in Virginia or producing products or services that target Virginia residents, and (i) that control or process the personal data of at least 100,000 consumers or (ii) control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the “sale” (defined below) of personal data. The CDPA defines “personal data” broadly as “any information that is linked or reasonably linkable to” an identifiable person. On the other hand, it defines “consumer” narrowly as a Virginia resident acting in an “individual or household context.” The CDPA does not apply to personal data concerning an individual acting in the commercial or employment context.

New data privacy rights. The CDPA creates several new data privacy rights and privileges for Virginia consumers:

  • the right to know whether a controller is processing their personal data and the right to access it,
  • the right to correct inaccurate personal data,
  • the right to delete personal data, and
  • the right to obtain a copy of their personal data.

Although the CDPA requires organizations to establish processes to receive and authenticate consumer data requests, it lacks important guidance and criteria in this area. For instance, it mandates that organizations create processes to allow for a consumer to “appeal” a controller’s decision not to honor a data rights request but lacks specificity on how the appellate review must be formulated. Moreover, the CDPA does not substantively address how a controller should address a scenario when it disputes whether a consumer’s personal data is considered “inaccurate” and therefore chooses not to “correct” it. Absent clarifying regulations, controllers should consider leveraging guidance and experience developed by other data protection frameworks that address these same issues.

Online advertising, selling data and profiling. The CDPA furnishes Virginia consumers with the right to opt out of the processing of personal data involving:

  • targeted advertising,
  • the sale of personal data, or
  • profiling/automated decision making.

The phrase “targeted advertising” means displaying an advertisement to a consumer that is selected based on the consumer’s personal data derived from activities the consumer undertakes “over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.” With some exceptions, the CDPA defines targeted advertising similarly to how the CPRA defines “cross-context behavioral advertising.” Next, the term “sale” of personal data refers to “the exchange of personal data for monetary consideration.” The CDPA does not, however, incorporate the “other consideration” qualifier that is found in the CPRA. The term “profiling” refers to the automated processing of personal data to evaluate, analyze or predict an individual’s economic situation, health, preferences, interests, reliability, behavior, location or movement that produces legal or similar effects.

Privacy policies and other notices. A controller is required to provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that describes its data processing activities (e.g., categories of personal data processed and shared, purpose of processing). It must also describe how consumers can exercise their data privacy rights and the controller’s data subject request appeals process. A controller that sells personal data or uses it for targeted advertising purposes has the additional obligation to “clearly and conspicuously disclose such processing” and the manner in which consumers can exercise their opt-out rights. However, it is unclear whether this opt-out disclosure can be included in a controller’s privacy policy or must be set forth in a separate notice.

Consent. The CDPA limits how a controller can use personal data without a consumer’s consent. For example, a controller is prohibited from using personal data in a manner not necessary for or compatible with the purpose the controller disclosed to the consumer, unless it obtains the consumer’s consent. In addition, a controller is prohibited from processing “sensitive data” without obtaining appropriate consent. The CDPA defines “sensitive data” as personal data that (i) reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, (ii) uses genetic or biometric data for identification purposes, (iii) involves personal data collected from a “known child,” or (iv) includes “precise geolocation data,” which itself is uniquely defined in the law.

Data protection assessments. Pursuant to the CDPA, a controller is required to undertake a “data protection assessment” when it engages in data processing involving:

  • targeted advertising,
  • the sale of personal data,
  • profiling (if such profiling presents a certain type of risk or harm to a consumer),
  • processing of sensitive data, or
  • any personal data processing that presents a heightened risk of harm to a consumer.

The assessment must incorporate a cost-benefit analysis pertaining to the processing and address several factors related to data security, risk mitigation and consumer expectations. A controller may be required to furnish a copy of its data protection assessment to the Virginia attorney general pursuant to its CDPA compliance investigations.

Data processing agreements. Like many other data protection laws, the CDPA requires a controller to include certain data protection-related clauses in its contracts with organizations that process personal data on its behalf (i.e., “processors”). These clauses must address, among others, the nature, scope and duration of processing; limited data use; confidentiality; proof of compliance; and auditing. Processors must flow-down their obligations when retaining their own subcontractors.

Data security. The CDPA places affirmative data security obligations on controllers. In particular, it requires them to “[e]stablish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” The CDPA does not define these practices with specificity, and instead requires them to “be appropriate to the volume and nature of the personal data at issue.”

Conclusion

The CDPA is similar to, but not exactly the same as, data protection laws enacted in other jurisdictions (e.g., California, the European Union), and a business that is compliant with these existing frameworks should be well-positioned to comply with the CDPA. Yet, given the likelihood that other states may enact data protection laws soon, businesses subject to the CDPA should create a data compliance program in the near term to better ensure that they have the resources available to address future requirements.