The roller coaster of comprehensive state data privacy laws continues in earnest. California has now double dipped: first with the California Consumer Privacy Act (CCPA) and second with the California Privacy Rights Act (CPRA). With all eyes on New York, Washington State, and other potential early movers for more state legislation, Virginia has surprised the nation by coming out very quickly with its own version of a comprehensive privacy law. As a sign of developments perhaps to come, Virginia didn’t go for a half-baked privacy law; it went full steam into a comprehensive set of privacy rights for consumers and obligations for companies, borrowing many of its terms and concepts from the EU General Data Protection Regulation (EU GDPR).
For many US companies hoping that comprehensive data privacy law would stay confined to California, this is a clear signal that we need to be ready for more. The Virginia House of Delegates adopted the Virginia Consumer Data Protection Act, HB2307, on January 29, 2021 (VCDPA). The Virginia Senate approved a companion bill, the Consumer Data Protection Act, SB 1392, on February 5, 2021 (CDPA). The two bills now move to a reconciliation, and if enacted after that procedure, could be signed into law by the governor at the end of February and go into effect on January 1, 2023.
The VCDPA applies to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” The VCDPA defines “Consumer” to mean a natural person who is a resident of Virginia, but does not include a natural person acting in a commercial or employment context.
The VCDPA contains many exemptions for data already subject to other laws and regulations, including those organizations covered by the Health Insurance Portability and Accountability Act (HIPAA), non-profits, universities, and organizations subject to the Gramm-Leach-Bliley Act (GLBA). The VCDPA also exempts categories of data, such as protected health information under HIPAA, information regulated by the Family Educational Rights and Privacy Act, employment-related data, and information used in a consumer report to the extent that it is regulated by the federal Fair Credit Reporting Act.
Similarities with CCPA/CPRA/EU GDPR
The VCDPA contains aspects of the CCPA, CPRA, and EU GDPR. The VCDPA borrows many defined terms from the EU GDPR, including “controller,” “processor,” and “personal data.” Similar to the CPRA and EU GDPR, the VCDPA proposes a distinct class of “sensitive data.” Like the CCPA, CPRA, and EU GDPR, the VCDPA provides Virginia consumers specific rights with respect to personal data.
The VCDPA affords Consumers the right to: (i) access and disclosure; (ii) correction; (iii) deletion; (iv) portability; and (v) opt-out of targeted advertising, sales of personal data, or profiling. A controller is required to respond to Consumers within 45 days of receipt of the submitted request. When reasonably necessary, this timeframe can be extended by an additional 45 days if the controller informs the Consumer, within the initial 45-day response period, of the reason for the extension.
The VCDPA requires controllers and processors to enter into a contractual agreement governing the processing of personal data. Akin to Art. 28 EU GDPR requirements, the agreements must provide clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The agreements must also impose requirements on the processor, such as deleting all personal data after the term of the agreement, and making available to the controller information necessary to demonstrate the processor’s compliance with VCDPA obligations.
Data Governance and Protection
The VCDPA also imposes restrictions and limitations on controllers, in addition to affirmative obligations. Like the EU GDPR and CPRA, controllers are required to limit the collection of personal data to “what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.” The VCDPA prohibits processing sensitive data without consent. Sensitive data is defined to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data; and children’s personal data.
Among other affirmative obligations, controllers are required to implement “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
Unlike the CPRA and EU GDPR, enforcement authority over this bill would not be housed under a specific data privacy authority, nor would the bill provide any basis for a private right of action. The Virginia Attorney General’s office would enforce the VCDPA. The Attorney General would be required to provide 30 days’ notice and a cure period. If the violation remains uncured, the Attorney General could seek up to $7,500 per violation.