Virginia’s Consumer Data Protection Act (CDPA) is expected to be signed into law by Governor Ralph Northam and will be the second comprehensive state data privacy law in the United States after the California Consumer Privacy Act of 2018 (CCPA). The CDPA comes into effect on January 1, 2023—the same date that the California Privacy Rights Act (CPRA) amendments take effect—and will require entities subject to the law to coordinate their efforts to ensure compliance with their growing obligations under these dynamic state privacy law developments. We explore the CDPA in more detail below.

Overview of the CDPA


The CDPA will apply to companies that conduct business in Virginia, or that target their products and services to Virginia residents, and that either: (i) control or process personal data of at least 100,000 Virginia residents or (ii) control or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.

As with the CCPA, the CDPA has several broad entity-type and data-type exemptions. The CDPA will not apply to nonprofits, institutions of higher education and entities governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). The CDPA also exempts personal data belonging to individuals acting in commercial or employment contexts, protected health information governed by HIPAA and health records governed by other healthcare-related state and federal laws, and data regulated by the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act and Farm Credit Act.

Controller Obligations

The CDPA uses the term “controller” to describe the entity that determines the purpose and means of processing data. Controllers have a number of responsibilities under the CDPA that are reminiscent of the obligations that apply to “businesses” under the CCPA/CPRA and “controllers” under the General Data Protection Regulation (GDPR). Controllers must:

  • Provide to consumers a clear and conspicuous privacy policy that describes how they collect, use and share personal data, as well as whether they sell personal data or provide such data for targeted advertising purposes
  • Obtain consent prior to collecting and processing sensitive personal data (e.g., data revealing certain protected characteristics, genetic or biometric data, data collected from children or precise geolocation data)
  • Comply with data processing principles that ensure purpose limitation of personal data and data minimization
  • Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data
  • Enter into a written contract with third-party “processors” that process data on the controller’s behalf that sets forth the instructions and limitations on how the processor may process personal data, including the data that are subject to processing, the duration of processing and the rights and obligations of both parties
  • Conduct and document a data protection assessment when processing sensitive data or conducting activities related to targeted advertising, selling personal data, profiling and other activities that present a heightened risk of harm to consumers
  • Inform consumers of the various privacy rights afforded to them under the CDPA and honor those rights.

Consumer Rights

Consumers have a number of privacy rights under the CDPA that, again, are reminiscent of those found in the CPRA and the GDPR. These rights include the right to:

  • Confirm whether the controller is processing the consumer’s personal data and access such personal data
  • Correct inaccuracies in the personal data
  • Delete personal data
  • Request that the controller port the consumer’s personal data in a readily usable format
  • Opt out of the processing of personal data for purposes of targeted advertising
  • Opt out of the sale of personal data
  • Opt out of profiling that results in legal or significant effects concerning the consumer (i.e., decisions that result in the denial of financial or lending services, housing, insurance, education, enrollment, criminal justice, employment opportunities, healthcare services or access to basic necessities).

In the event a company refuses to honor a request, consumers will have the right to appeal the company’s refusal.

Controllers are prohibited from discriminating against a consumer for exercising these rights, which includes denying goods or services, or charging different prices for goods or services or providing a different level of quality of goods or services. The caveat is that controllers may offer different prices or quality for goods or services if it is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.


The Virginia Attorney General has exclusive enforcement authority under the CDPA and may issue civil penalties of up to $7,500 per violation. Unlike the CCPA, the CDPA does not create a private right of action for Virginia consumers.

How Does the CDPA Compare to the CCPA?

With the passage of the CDPA, Virginia joins California as one of two states in the country with a comprehensive data privacy law. Companies already complying with the CCPA have a head start on their compliance efforts but will need to plan adjustments to their privacy compliance program to take into account both the CPRA and the CDPA, which take effect on January 1, 2023.

Fortunately, the CDPA and CCPA share many commonalities, such as the disclosures required in privacy notices, certain consumer rights and reasonable security requirements. However, the CDPA does contain a number of meaningful differences from the CCPA and CPRA, some of which we detail in the chart below.

The Future of US Privacy Law Is Still Pending

Despite repeated and ongoing efforts to present and pass a comprehensive federal privacy law, as of the date of this article, there does not appear to be any particular bill that has gained significant traction in either the US House of Representatives or the Senate. In the absence of a federal standard, many states, such as Oklahoma, Washington, Florida, Minnesota and New York, have followed California’s example in introducing and considering comprehensive state data privacy bills, with varying levels of success. The common themes are predictably centered on notice, consumer privacy rights and related business obligations. Issues related to enforcement, and in particular, whether private rights of action should be permitted, have stalled bills both at the state and federal level. That said, in light of what appears to be a heightened awareness and focus on privacy and cybersecurity issues, companies can expect new or additional modifications and updates to their data privacy and security programs in the coming years.