Virginia is poised to become the second U.S. state to enact broad consumer privacy legislation. While the legislation draws some parallels with the California Consumer Privacy Act (CCPA) and upcoming California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) introduces new requirements that go beyond these laws, such as opt-ins to collect sensitive data, opt-outs for targeted advertising, the creation of data protection assessments, and new provisions that must be included in service provider agreements.
If signed into law, the VCDPA would also grant Virginia residents GDPR-like rights of access, correction, deletion, and data portability, as well as the right to opt out of certain data processing.
The Virginia House of Delegates and Senate have both passed identical versions of the VCDPA (HB 2307; SB 1392) with wide margins. The bills are now on Governor Ralph Northam's desk awaiting signature. If Governor Northam signs, as he is expected to, the VCDPA will become effective on January 1, 2023, the same date the CPRA takes effect. (Note: After publication, Governor Northam signed the VCDPA into law on March 2, 2021.)
Key Takeaways:
Scope
The VCDPA applies to "persons that conduct business in the Commonwealth or produce products or services that are targeted to" Virginia residents "and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data." Unlike the CCPA, the VCDPA does not have a pure revenue threshold. Notably, "consumer" is defined as a natural person who is a Virginia resident "acting only in an individual or household context," which means that, unlike the CPRA, the VCDPA will not apply to employee or B2B commercial information.
At first glance, the two VCDPA thresholds seem to be narrower than the CCPA in that the VCDPA has a 100k consumer threshold instead of a 50k consumer threshold, and the second threshold related to generating over 50 percent of gross revenue from the "sale" of personal data is tied to a minimum size threshold of 25k consumers and uses a more traditional definition of sale (i.e., an exchange for monetary consideration). A critical distinction, however, is that the VCDPA's thresholds appear to apply to personal data processed by the entity, not just personal data where the entity is the controller. This means that service providers who currently avoid the reach of the CCPA because they mainly process personal information on behalf of their customers and do not meet the size thresholds as a controller could potentially meet the VCDPA's thresholds. Additionally, unlike the CCPA, the VCDPA directly applies to both controllers and processors.
The VCDPA extends broad, status-based exemptions for financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA or the HITECH Act, nonprofit organizations, and institutions of higher education. The VCDPA also contains certain data-based exemptions, particularly around protected health information under HIPAA and health records under other related laws, and personal information regulated by the FCRA, federal Driver's Privacy Protection Act, FERPA, or federal Farm Credit Act. Personal data of employees, contractors, or job applicants is also exempt from the VCDPA.
Consumer Rights
Similar to the California privacy laws and the GDPR, the VCDPA grants consumers certain rights regarding their personal data, which the VCDPA broadly defines as "any information that is linked or reasonably linkable to an identified or identifiable natural person" and excludes "de-identified or publicly available information," in a similar manner to the CCPA and CPRA. Specifically, the VCDPA grants Virginia residents the rights to: (i) confirm whether or not a controller is processing the consumer's personal data and to access such personal data; (ii) delete personal data provided by or obtained about the consumer; and (iii) obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and readily usable format (where the processing is carried out by automated means). Unlike the CCPA, these access and deletion rights are not limited to information from the past 12 months. Similar to the CPRA, the VCDPA grants consumers the right to correct inaccuracies in their personal data.
The VCDPA also contains a right to opt out of the sale of personal data, which is narrower than the analogous right under the CCPA and CPRA, because the definition of "sale" is limited to the exchange of personal data for monetary consideration (and does not include an exchange for "other valuable consideration" like California's privacy laws). Notably, a sale specifically excludes disclosures made to: a processor on behalf of the controller; a third party for purposes of providing a product or service requested by the consumer; an affiliate of the controller; or a third party as part of a merger, acquisition, bankruptcy, or other transaction for all or part of the controller's assets. Information the consumer made public via a channel of mass media and did not restrict to a specific audience is also not considered to be a sale.
In addition, the VCDPA grants consumers new rights that are not currently provided for in the CCPA—specifically, the rights to opt out of the processing of personal data for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. In contrast, the CPRA (and arguably the CCPA) only gives consumers the right to opt out of having their data disclosed to a third party for purposes of targeted advertising.
Under the VCDPA, controllers must respond to a consumer's request within 45 days of receipt of the request, with one 45-day extension when "reasonably necessary." If declining the request, controllers must provide the justification for declining to take action and instructions for how to appeal. While this timing is similar to that found in California's privacy laws, the VCDPA's requirement that controllers establish an appeals process is new. Under the VCDPA, the controller must inform the consumer in writing of any actions taken or not taken within 60 days of their appeal request and the reasons for such decisions. If the controller denies the appeal, the controller must also provide the consumer with an "online mechanism … or other method" to submit a complaint to the Virginia Attorney General (AG).
Controller Responsibilities and Data Protection Assessments
The VCDPA places additional significant compliance obligations on controllers,1 including adhering to data minimization principles, implementing reasonable security practices to protect personal data, and ensuring contracts are in place with processors. Controllers are also required to provide a privacy notice to consumers containing specific information similar to the CCPA.
Of particular note, the VCDPA introduces a new obligation whereby controllers must conduct and document "data protection assessments" when they engage in targeted advertising, sales of personal data, certain types of profiling, processing of sensitive data, or any processing activities that present a heightened risk of harm to consumers. This obligation does not exist in the CCPA or CPRA. As part of these assessments, controllers must identify and weigh the direct and indirect benefits that may flow from the processing against the potential risks to the rights of the consumer, as mitigated by safeguards that can be implemented by the controller. Importantly, controllers will be required to produce these assessments to the AG if they are relevant to an investigation conducted by the AG.
The VCDPA also imposes a new obligation on the processing of sensitive data, requiring controllers to obtain consumers' opt-in consent before collecting, using, or sharing sensitive data. In contrast, CPRA will provide consumers only with the right to opt out of having their sensitive data used for secondary purposes. The VCDPA conceptualizes "sensitive data" as a type of personal information that includes "personal data revealing racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; … [t]he processing of genetic or biometric data2 for the purpose of uniquely identifying a natural person; … [t]he personal data collected from a known child; or … [p]recise geolocation data." Similar to the GDPR's consent standard, the VCDPA defines consent as "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer." The requirement that consent must be "freely given" calls into question whether a business can require consent as a precondition to providing the product or service. In addition to obtaining consent before processing sensitive data, controllers must conduct and document a data protection assessment for any such processing.
Processor Responsibilities and Contracting Requirements
The VCDPA contains new requirements for contracts with data processors, which will very likely require companies to update their data processing agreements. Processors must "adhere to the instructions of a controller" subject to a written contract and assist controllers with complying with their obligations under the VCDPA. In particular, controllers must set clear instructions for processing personal data, which must include the nature and purpose of the processing, the type of data involved, the duration of the processing, and the rights and obligations of both parties. The contracts must also require the processor to: (1) bind persons involved in the processing to a duty of confidentiality, (2) delete or return the data once the processing is complete, (3) provide all information necessary to the controller to demonstrate the processor's compliance with its obligations, (4) cooperate with controller assessments or pay for its own independent assessor, and (5) enter into similar contracts with any subcontractors involved in the processing.
Many of these obligations are more commonly found in data processing agreements entered into for GDPR compliance purposes rather than CCPA compliance purposes, both of which commonly contain scoping provisions that do not always cover personal information of Virginia residents. Consequently, most companies will once again likely need to update their agreements with service providers to include these new requirements, and service providers will likely need to do the same for their customers and their subcontractors. Because the VCDPA and CPRA come into effect on the same day, companies should consider coordinating their updates for both laws, as well as any other state laws that come into effect before that time.
Enforcement and Civil Penalties
The VCDPA grants the AG exclusive authority to enforce VCDPA violations. Notably, the VCDPA expressly bars a private right of action for violations and prohibits use of the VCDPA as the basis for a private right of action under any other law. Under the VCDPA, the AG must provide a controller or processor 30 days written notice of an alleged violation. The controller or processor then has a 30-day cure period, similar to the CCPA (though note that California's cure period will be removed under the CPRA). If the alleged violations continue, the AG may seek up to $7,500 per violation.
The VCDPA also permits the AG to seek reimbursement of costs and reasonable attorneys' fees. Collected damages would be placed in the newly created Consumer Privacy Fund, which would be used to support the AG's future enforcement and investigations into VCDPA violations.
For more information or advice concerning your VCDPA compliance efforts, please contact Tracy Shapiro, Eddie Holman, Amanda Irwin, or another member of the firm's privacy and cybersecurity practice.
[1] The VCDPA uses GDPR-like controller/processor distinctions rather than the “business” and “service provider” distinctions found in the CCPA and CPRA.
[2]In language similar to the proposed (but not enacted) Washington Privacy Act (WPA), the VCDPA expressly excludes a “physical or digital photograph, a video or audio recording or data generated therefrom” from the definition of biometric data.