Virginia’s new consumer privacy bill, expected to be signed into law as soon as April 2021, will elevate the Commonwealth’s approach to data privacy, bringing it closer to comprehensive laws in Californian and the European Union.

Effectively becoming the second comprehensive data privacy law in the United States (after the California Consumer Privacy Act of 2018), Virginia’s Consumer Data Protection Act grants Virginians similar consumer rights to those found in the CCPA—such as the right to know, the right to correct or delete, and the right to opt out. Unlike the CCPA, the VA Consumer Data Protection Act excludes a private right of action and adopts a more business friendly approach by exempting companies based on data or certain revenue thresholds, for activities in Virginia or impacting Virginia residents. Ice Miller’s Data Security and Privacy team has more information on the Consumer Data Protection Act below, and our team in Washington DC, including several Virginia-licensed attorneys, is able to assist you in taking steps toward compliance.

Scope of the Consumer Data Protection Act

The Consumer Data Protection Act applies to businesses that “produce products or services that are targeted” to Virginia, and in a calendar year, (1) control or process data for at least 100,000 Virginia residents, or (2) derive at least 50% of their revenues from the sale and processing of consumer data of at least 25,000 customers. Unlike the CCPA, the Consumer Data Protection Act does not have a threshold revenue requirement. The Consumer Protection Act also will exempt financial institutions subject to GLBA, HIPAA-covered entities and business associates, and HR-related data processing. Not-for-profit and higher education institutions are also fully exempted. The Consumer Protection Act also defines consumer narrowly—more so than in the CCPA and CPRA—excluding natural persons who may be acting in a commercial or employment context.

What’s in the Consumer Data Protection Act?

The Consumer Protection Act includes a number of rights that require companies to disclose information or respond to consumers, such as the right of consumers to confirm whether a controller is processing personal data, to correct personal data, to delete personal data, and to obtain a copy of personal data. The bill further requires that companies implement and maintain reasonable administrative, technical, and physical data security practices, similar to the CCPA’s “reasonable security” requirement. In this respect, we note that finding a path toward a “reasonable security” approach is often challenging but there are excellent resources to do so, for example, a recent Sedona Conference publication or the work of the National Institute for Standards (NIST).

Virginia consumers will also gain broad opt-out rights; for example to be excluded from processing of personal data for “purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Notably, these rights may be more limited than they appear because the bill requires identity verification that may stymie some consumer requests.

There are two other notable provisions under the new bill that are innovative. First, the bill requires that controllers conduct and document a data protection assessment of: (1) the processing of personal data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for purposes of profiling; (4) the processing of sensitive data; and (5) any processing activities involving a “heightened risk of harm” to consumers. Interestingly, the Act allows the Attorney General to request that a controller disclose such data protection assessments—but does protect such disclosures when they may contain proprietary or attorney privileged information, and any reports produced to the Attorney General are exempt from disclosure under Virginia’s Freedom of Information Ac.

Second, the bill has a GDPR-esque definition of consent, which must be a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement.” Some privacy professionals believe a company’s inability to demonstrate its compliance with a heightened consent standard could be a significant source of regulatory enforcement.

What’s NOT in the Consumer Data Protection Act?

The Consumer Data Protection Act does not include a private right of action. Instead, enforcement will be carried out by Virginia’s Attorney General, whose efforts will be bolstered by an annual $400,000 budget for the office’s newly created Consumer Privacy Fund. The lack of a private right of action reflects Virginia’s more business-friendly approach compared to that of California. Legislators in Virginia underscored their view that a private right of action was an avenue for frivolous lawsuits that prevent cooperation between regulators and businesses to better protect consumer data. The Virginia Attorney General will be empowered to seek up to $7,500 per violation, as well as reasonable expenses for investigations, including attorney fees.

What Does This Mean for Your Business?

The Consumer Data Protection Act does not take effect until January 1, 2023, giving companies time to adjust and come into compliance. Companies already complying with the GDPR or CCPA likely will be a long way toward being in compliance with the Consumer Data Protection Act. We recommend that companies doing business in Virginia first determine whether they expect that they will meet the threshold requirements sometime during the next several years and to begin planning ahead with privacy counsel to assess consent mechanisms and ensure compliance with the law’s heightened affirmative consent standard (and complete a data protection impact assessment while mapping consent mechanisms). Finally, companies should draft policies and procedures for receiving and responding to consumer requests to know, delete, or opt-out. Building toward a compliant platform over the next two years, particularly as more companies are migrating to new systems accelerated by the effects and opportunities of the COVID pandemic, may be easier than trying to retroactively change processes.