Virginia Set to Enact Major Data Privacy Legislation

Of all the states currently in the process of enacting major privacy legislation, Virginia may be closest to the finish line. On February 5, the Senate of Virginia voted unanimously to approve the Consumer Data Protection Act (CDPA), with the House of Delegates voting 89-9 to approve an identical bill.

Minor amendments are expected after the bills are heard in committee. Legislators have until March 1 to finalize the bills and, later that month, a unified version will land on the desk of Governor Ralph Northam, who can either sign it into law or veto.

If passed, CDPA will become effective on January 1, 2023. This would make Virginia one of the first states to follow California’s lead in enacting a large-scale, generally-applicable privacy law.

Some elements of the bill will be familiar to those complying with the California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR). But Virginia’s CDPA is far from identical. Here’s what you need to know.

Scope and Exemptions

CDPA applies to businesses that conduct business in Virginia or target Virginia residents and that also meet the following qualifications:

  • Control or process data of over 100,000 consumers;

  • Control or process data of over 25,000 consumers, and derive over half of their gross revenue from selling personal data.

That being said, even if they reach these standards, the law will not apply to Virginia government organizations, higher education institutions, non-profits, or HIPAA-covered entities or associates. Additionally, financial institutions subject to the Gramm-Leach-Bliley Act are exempt.

There are also exemptions for certain kinds of data, including:

  • Data subject to the Gramm-Leach-Bliley Act;

  • Health information and patient-identifying information protected under HIPAA or created for the purpose of certain federal healthcare acts;

  • Identifiable data used for applicable federal policy and human subjects research;

  • Data activity used to assess a subject’s credit and character, to the extent authorized by the Fair Credit Reporting Act;

  • Data activity in compliance with DPPA, FCA, and FERPA;

  • Employee data processed and maintained by employers within the context of the employee’s role, including emergency contact information.

CDPA may not hinder a controller’s ability to comply with other laws, cooperate with criminal or regulatory investigations, provide a product or service requested by the consumer, protect the life and safety of a consumer, or defend against illegal activity, such as harassment, fraud, or identity theft.

Consumer Rights

CDPA grants consumers the right to confirm whether a controller is processing their data and, upon request, access that data. When obtaining a copy of their personal data, the consumer has the right to data portability, meaning the data must be in a usable and readable format that they can transmit to other entities for their own purposes. If the data is inaccurate, they have a right to correct it.

Consumers have the right to request deletion of their data. Additionally, they have the right to submit an opt-out request in cases where their data is being sold, or used for targeted advertising and profiling.

Although organizations are obliged to act without “undue delay,” they technically have 45 days to fulfill any consumer requests. If necessary, they may extend this period by an additional 45 days as long as they have a legitimate reason that they make clear to the customer.

Such information must be provided to the consumer for free, but organizations are only obliged to handle two requests per year per consumer. Organizations may not require the consumer to create an account to make a request, but may require them to use an existing one.

Organizations may decline or charge consumers for requests that are “manifestly unfounded, excessive or repetitive.” Organizations must inform consumers how to appeal any decision not to fulfill a request.

Controller Obligations

Under CDPA, controllers must adhere to several principles reminiscent of those found in GDPR:

  • Only collect data that is necessary for the purposes disclosed to the consumer;

  • Only collect data beyond the purpose disclosed if the consumer consents;

  • Establish administrative, technical, and physical safeguards to protect consumer data;

  • Do not discriminate against consumers who exercise their data rights by charging them a different price, denying them goods and services, or providing a different level of quality to them;

  • Do not process sensitive data without the consumer’s consent;

  • Assist processors to meet their obligations under CDPA;

  • Enter into a contract with any processor establishing duties of confidentiality, to delete data upon their request and cooperate with any compliance assessments;

  • Take measures to ensure that de-identified data cannot be re-identified.

When processing data for targeted advertising, profiling, or sale, controllers must conduct and document a data protection assessment that weighs the benefits of the data activity against the risk of harm to the consumer, as well as the safeguards in place to mitigate that risk. These assessments must be made available to the Attorney General upon request. The same requirement applies to the processing of sensitive data.

Organizations must also make a privacy notice accessible to consumers. This notice must include:

  • The categories of data processed;

  • The purposes for processing each category;

  • The categories of data shared with third parties;

  • The categories of third parties with whom the data is shared;

  • How consumers can exercise their data rights and appeal a decision regarding their requests;

  • A description of one or more means by which consumers can submit a request.

Enforcement

CDPA will be enforced by the Attorney General. Prior to enforcement, the Attorney General will provide a notice to offending organizations detailing the specific provisions being violated.

If, within 30 days, organizations cure these violations and communicate in writing that no further violations will occur, no action will be taken against them. However, if the violations continue after 30 days, they may face an injunction and penalties of up to $7,500 per violation.
