Virginia Enacts Data Privacy Law
On March 2nd, 2021, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (CDPA), found here. In doing so, Virginia became the second state (after California) to implement a comprehensive data privacy scheme. The new law takes effect January 1, 2023.
Application
The CDPA applies to any entity (including out-of-state businesses) that conducts business in Virginia or produces products or services that are targeted to Virginia residents and
• controls or processes personal data of at least 100,000 consumers; or
• controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
The CDPA, however, exempts several categories of entities. Among others, these include (a) state agencies and political subdivisions, (b) financial institutions and data subject to the Gramm-Leach-Bliley Act, (c) entities or business associates covered by HIPAA, (d) nonprofit organizations, and (e) institutes of higher education. Moreover, several categories of information and data are exempted, including data governed by other delineated data privacy laws (e.g., personal data collected pursuant to the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, etc.).
Personal Data
The CDPA defines “personal data” as information that is linked or reasonably linkable to an identified or identifiable natural person but excludes “de-identified data” or “publicly available information.” Publicly available information includes any information that is made available through government records or information that a business has a basis to believe has lawfully been made available to the general public through widely distributed media by the consumer or by a person to whom the consumer has disclosed the information, provided that the consumer did not restrict the information to a specific person or audience.
Consumer Rights and Protections
The CDPA defines “consumers” as Virginia residents acting in an individual or household context but excludes a person acting in a commercial or employment context. Consumers have the following rights under the CDPA:
• to confirm whether a controller is processing the consumer’s personal data and to access such data;
• to correct inaccuracies in the consumer's personal data;
• to delete personal data;
• to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller; and
• to opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of the personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
These consumer rights cannot be waived by contract or agreement and may be invoked at any time.
Timing and Appeals
The consumer can invoke these rights by submitting a request to a controller specifying the rights that the consumer wishes to invoke. The controller must comply with an authenticated consumer request without undue delay, but in all cases within 45 days of receipt of the request. The 45-day period, however, is subject to a one-time extension of 45 additional days when reasonably necessary, so long as the controller informs the consumer of the extension, with the reasons for it, within the initial 45-day response period.
Controllers also need to establish a process by which a consumer can appeal, within a reasonable period of time, the refusal to take any action in response to a consumer invoking his or her consumer rights. The appeal process must be conspicuously available and similar to the process by which a consumer can invoke their consumer rights. Within 60 days of an appeal, the controller must inform a consumer of its decision and the reasons for its decision. Finally, if the controller denies the appeal, it must also provide the consumer with an online mechanism, if available, or other method by which the consumer can submit a complaint to the Virginia Attorney General's office.
Privacy Notice
Controllers are required to provide consumers with a clear privacy policy that includes the following:
• the categories of personal data processed;
• the purpose for processing personal data;
• how consumers may exercise their consumer rights, including their appeal rights;
• the categories of personal data the controller shares with any third party; and
• the categories of third parties receiving any shared personal data.
Controller’s Affirmative Responsibilities
In addition to consumers’ rights and the privacy notice, controllers have additional affirmative duties under the CDPA. Among other obligations, controllers must:
• limit the collection of personal data to what is reasonably necessary to the disclosed purposes;
• establish, implement and maintain reasonable data security practices to protect the confidentiality and accessibility of personal data;
• not process personal data in violation of any state or federal law that prohibits discrimination against consumers;
• not discriminate against consumers for exercising their consumer rights;
• obtain consumer consent (“opt-in”) for the processing of “sensitive data,” which is defined as data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of identifying a natural person, data collected from a known child, or precise geolocation data; and
• disclose the sale or processing of personal data for targeted advertising and how a consumer may opt out of such processing.
Data Processing Assessment
Furthermore, controllers are required to conduct and document a data processing assessment concerning the following:
• the processing of personal data for purposes of targeted advertising;
• the sale of personal data;
• the processing of personal data for profiling purposes, where such profiling presents a risk of (i) unfair or deceptive treatment of or disparate impact on consumers, (ii) financial, reputational or physical injury to consumers, (iii) an intrusion into the private affairs of consumers, or (iv) other substantial injury to consumers;
• the processing of sensitive data; and
• the processing of personal data that presents a heightened risk of harm to consumers.
The Virginia Attorney General’s Office has the exclusive authority to investigate violations of the CDPA and can require businesses to disclose their assessments during an investigation. Importantly, the CDPA provides a 30-day period to cure any violation upon notice by the Virginia Attorney General and before any formal investigation, and it specifically excludes any private right of action based on the statute.
Conclusion
Obviously, the statute itself contains other requirements and nuances that are simply too lengthy for a blog post (for example, concerning de-identified information). However, those businesses that operate in Virginia or target Virginia residents and fall within the statute’s scope should begin assessing what data they collect and the statute’s effect on such data collection.