Virginia has become the second state in the United States to pass a comprehensive data privacy law after the Virginia Consumer Data Protection Act (CDPA) passed both houses of Virginia’s state legislature in February with overwhelming bipartisan support and was promptly signed into law by Virginia Governor Ralph Northam. The CDPA has a number of key similarities to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), which comes into effect in 2023, and the European Union’s General Data Protection Regulation (GDPR), and it follows a similar framework with proposed data privacy bills pending in other statehouses.
(This LawFlash is an update of our February 18, 2021, LawFlash to account for Virginia’s passage of the CDPA)
On March 2, 2021, Virginia Governor Ralph Northam signed the CDPA into law, after reconciliation of the Virginia House of Delegates and Virginia Senate bills resulted in minimal changes from the prior versions of the bills (HB 2307 and SB 1392). The act will take effect on January 1, 2023, and will require companies doing business in Virginia to reassess their collection and use of consumer personal information and modify their business practices to account for Virginia’s new requirements. The CDPA makes Virginia the second state in the United States with a comprehensive privacy law after California. This article details a few noteworthy features of the CDPA and highlights steps that businesses should take to ensure compliance prior to the law going into effect.
The CDPA will apply to all persons that conduct business in the Commonwealth of Virginia or “produce products or services that are targeted to residents of the Commonwealth” and, during a calendar year, either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The act defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Personal data does not include publicly available information or de-identified data. Notably, the term “consumer” means a natural person who resides in Virginia, and does not include any person acting in a commercial or employment context. This is a departure from the CCPA and GDPR, which do have at least some provisions that apply to a natural person acting in a commercial or employment context. This means that for purposes of the Virginia CDPA, controlling or processing personal data in the business-to-business or employment context falls outside the scope of the CDPA. It also is notable that “publicly available information” is defined much more broadly than under the CCPA, such that “personal data” that is protected is narrower under the proposed Virginia law than under California’s law.
The CDPA contains a number of notable carve-outs similar to (but broader than) those in the CCPA, with both entity and data-specific exemptions. Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities or business associates subject to HIPAA, higher education institutions, nonprofit organizations, and commonwealth agencies will all be exempt from the CDPA. The law also exempts particular categories of data, including any data already regulated by certain federal laws such as HIPAA, GLBA, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and the Children’s Online Privacy Protection Act (COPPA).
While the CDPA borrows from the CCPA in terms of using threshold requirements to determine which businesses must comply with the act, the absence of a standalone revenue threshold, such as the $25 million annual gross revenue threshold present in the CCPA, most likely means that Virginia’s law will apply to far fewer businesses than are presently subject to the CCPA. The CDPA also defines a “consumer” more narrowly than the CCPA or CPRA by permanently excluding any persons acting in a commercial or employment context. Taken together, the absence of any independent revenue threshold and a narrow definition of consumer generally means that fewer businesses will be subject to the CDPA than California’s privacy regime.
The CDPA will grant Virginia consumers certain rights relating to their personal data controlled or processed by covered entities. Specifically, consumers will be afforded the rights of (i) access, (ii) correction, (iii) deletion, and (iv) portability of their personal data. The CDPA also provides consumers a right to opt-out of the processing of personal data for purposes of targeted advertising, the sale of their personal data to third parties, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. These rights will be similar to those afforded by the CCPA once the CPRA becomes effective in 2023. With respect to the sale of personal data, the CDPA’s opt-out requirements only apply if the data is exchanged by a controller to a third party for monetary consideration. In situations where personal data is shared and no money is exchanged between the business and the third party, a consumer cannot opt out of the sharing of their personal data. In contrast, under the CCPA and CPRA, a consumer may opt out of a business’s sharing of personal information for certain purposes even where no money is exchanged. However, both Virginia’s CDPA and California’s CPRA provide consumers with an explicit opt-out right extended to certain forms of targeted advertising and profiling.
Under the CDPA, data controllers are required to respond to a consumer’s request to exercise their consumer rights within 45 days of receipt of the request, with one 45-day extension period permitted when “reasonably necessary.” Limited exceptions exist under the CDPA for when controllers must comply with consumer right requests, including instances when complying with the request would both be unreasonably burdensome and the controller does not sell personal data or voluntarily disclose it to any third party other than a processor.
The CDPA mandates that data controllers limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is processed. To safeguard that information, data controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.
Like California’s CPRA, additional responsibilities are imposed on data controllers with respect to “sensitive data,” which is defined as (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, (ii) personal data collected from a child, (iii) genetic or biometric data, or (iv) precise geolocation data. When processing sensitive data, the law will require controllers to seek “consent” from consumers. Under the CDPA, “consent” is defined as a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement” to process their personal data. This establishes a higher standard than that required under the CPRA and shares more in common with the consent standard established by the GDPR. Some consumer privacy advocacy groups have favored this sort of opt-in approach to consent, in contrast to the opt-out approach reflected in California’s CCPA and CPRA. In the case of children’s data, the CDPA allows data controllers to obtain parental consent in accordance with COPPA.
Data controls will also be required under the CDPA to provide consumers with reasonably accessible privacy notices that clearly disclose the categories of personal data collected, the purpose for the collection, the categories of personal data the controller shares with third parties (if any), and how consumers can exercise their rights. To exercise those consumer rights afforded under the CDPA, consumers must be allowed to submit requests to data controllers without needing to create an account with the data controller.
Like California’s CPRA, Virginia’s CDPA requires businesses to conduct data protection assessments of any processing activities that involve personal data in the context of the processing of sensitive data, targeted advertising, sale of personal data, profiling (in certain instances), and any other processing activities involving personal data that “present a heightened risk of harm to consumers.” Such assessments are required to weigh the benefits that may flow (directly and indirectly) from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by applicable safeguards.
The attorney general of Virginia has the power to request the disclosure of such data protection assessments without court order. If compelled and produced to the attorney general for evaluation, the assessments are to remain confidential and the CDPA provides specific provisions that prevent the waiver of attorney-client privilege and work product protection.
Significantly, the CDPA does not provide for any private right of action. In fact, private rights of action are expressly barred in the bill. Instead, under the CDPA, the attorney general is granted the exclusive right to enforce the law, subject to a 30-day cure period. The attorney general may seek up to $7,500 per violation, injunctive relief, and recovery of reasonable expenses incurred in investigating and preparing the case, including attorney fees.
The CDPA reflects principles from the CCPA, the CPRA, and the GDPR, and borrows many defined terms from these laws. Like these other statutes and regulations, the CDPA broadly defines “personal data,” mandates that a business’s collection of personal data be relevant and limited only to what is necessary for the business, and provides Virginia consumers with a bundle of new rights with respect to their personal data. However, businesses should bear in mind that the CDPA differs in some significant aspects.
First, unlike the CCPA’s limited private right of action for security breaches, Virginia’s CDPA does not provide for a private right of action. Instead, the attorney general will have the exclusive right to enforce the law. Practically speaking, this means that Virginia residents will be limited in their ability to sue businesses for alleged violations either in the individual or class action context, leaving enforcement entirely up to the attorney general. It remains to be seen how much of the attorney general’s budget will be allocated to enforcing the CDPA against businesses.
Second, the CDPA will impose stricter requirements than the CPRA as to how businesses obtain consent from consumers before processing sensitive data. While the CPRA accounts for sensitive personal information and permits consumers to submit opt-out requests specific to this sensitive personal information, the CDPA borrowed the stricter standard in the GDPR and requires a business to obtain affirmative consent before any sensitive data may be collected and processed. Depending on how the attorney general decides to enforce this standard, businesses should be prepared to build compliance programs that account for Virginia’s affirmative consent requirement.
Third, covered businesses that only process consumer requests to opt out of the sale of personal data will need to expand their opt-out compliance programs. The CDPA goes further than just granting Virginians the right to opt out of the sale of their personal data and broadens that opt-out right to the use of personal data for targeted advertising and profiling purposes. California’s CPRA, which goes into effect on January 1, 2023, similarly endows consumers with a new right to opt out of their personal data being used for cross-context behavioral advertising.
Ultimately, those businesses that have been building compliance programs for California’s CCPA and CPRA will be well positioned to comply with the CDPA. Some key differences in the CDPA, however, will require businesses to review their compliance programs to ensure compliance with the nation’s second comprehensive privacy state law.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
 The final legislation calls for the creation of a working group, consisting of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, and community stakeholders. The working group is tasked with evaluating the CDPA’s provisions and related implementation issues and must submit the group’s findings, best practices, and recommendations to certain legislative committees by November 1, 2021.