Thank you for tuning in to Van Black Law’s Technology Roundup where we discuss the latest data and technology issues affecting your business. I’m Jonathan Gallo, and I am part of Vandeventer Black’s Cybersecurity and Data Privacy Group.  

Today we’re going to discuss some of the major provisions of Virginia’s recently passed Consumer Data Protection Act and what it means for people conducting business in the Commonwealth of Virginia. Violators of this new law can be fined up to $7500 per violation, so stay tuned to find out if this law may apply to your business.  

So now let’s talk about some of the major parts of Virginia’s new Consumer Data Protection Act.  Signed by Governor Northam in March, the law is Virginia’s first comprehensive legislation designed to protect the personal data of Virginia residents.  In certain ways, the law is similar to California’s Consumer Privacy Act, and the European Union’s General Data Protection Regulation commonly referred to as the GDPR.  

 However, Virginia’s law does not take effect until January 1, 2023, so this will give businesses some time to prepare to meet the law’s requirements.  

The first question is, who is covered by the law?  Virginia’s law applies to legal and natural “persons” who: 

• Conduct business in Virginia OR 
• Produce products or services that are “targeted” to residents of Virginia,  

AND THAT EITHER 

• Control or process the personal data of 100,000 “consumers” during a calendar year OR 
• Control or process the personal data of at least 25,000 “consumers” AND derive over 50% of their gross revenue from the sale of personal data.  

 Now there are several terms in that description that we need to look at, but before we do, I want to discuss who is not covered by Virginia’s law.  

 ENTITY EXCLUSIONS 

The following entities are exempt from the law: 

• Commonwealth of Virginia bodies described here 
• Financial institutions subject to the Gramm-Leach-Bliley Act 
• Covered entities or business associates subject to the regulations established under the Health Insurance Portability and Accountability Act (HIPAA) or HIPAA and the HITECH Act  
• Nonprofit organizations; and 
• Institutions of higher education 

Now let’s get back to discussing what some of these terms mean so that we can determine who is covered by the law.  As I mentioned, the law applies to the controlling or processing of personal data of a consumer.  So, what is a “consumer?”  

The law defines a “consumer” as a natural person who is a resident of the Commonwealth BUT ONLY WHEN ACTING in an individual or household context.  

It does not include a person acting in a commercial or employment context such as an employee. This is an important distinction from the California Privacy Rights Act, which includes data collected in the employment context.  Therefore, businesses do not need to consider the employee personal data they collect or control when evaluating whether the new law applies to them.  

Next, the law applies to the control or processing of personal data. What is the definition of personal data?   

The law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person. It does not include de-identified data or publicly available information.” 

Importantly, Virginia’s law also identifies another subcategory of personal data called “sensitive data” that includes: 

• Personal data revealing any of the following traits:
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person. 
• Personal data collected from a known child. 
• Precise geolocation data 

In addition to exempting certain entities, the law exempts numerous categories of data from its coverage, although we will not identify all of them here, some of them are: 

• Protected health information under HIPAA; 
• Personal information regulated by the Fair Credit Reporting Act; 
• Personal data regulated by the Driver’s Privacy Protection Act of 1994; 
• Personal data regulated by the Family Educational Rights and Privacy Act;  
• Personal data subject to the Farm Credit Act; and 
• Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act. 

The next term to discuss is who is a controller and what is “processing” under the law? Here, we see that the definitions of those terms are similar to those found in the GDPR. 

For example: 

A controller is a “natural or legal person” that alone, or jointly with others, determines the purpose and means of processing personal data.  

A processor is a natural or legal person that processes personal data on behalf of a controller. 

Processing is “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, …. and that includes things such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. 

So, simply put, if your business is performing any of these activities on personal data, you are a processor, and if you are also determining the purpose and means of performing these activities, you are a controller.  

RESPONSIBILITIES 

Next, let’s discuss what requirements are imposed on businesses under the new law: 

If your business is a controller, you have several obligations under Virginia’s law. These responsibilities include: 

• Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary relative to the purposes for which it is processed as disclosed to the consumer. 
• With certain exceptions, controllers may not process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes for which the personal data are processed and as disclosed to the consumer, unless the consumer’s consent has been obtained. 
• Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices – appropriate to the volume and nature of the personal data 
• Not to process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. 
• Earlier we discussed a special category of data called sensitive dates and Controllers may not process sensitive data without obtaining consent, and, in the case of a known child, a controller may not process without complying with the federal Children’s Online Privacy Protection Act or COPPA;  
• Controllers must ensure that agreements with processors are compliant with the law and any contract that waives or limits consumer rights under this law is void and unenforceable.  
• Controllers must respond to consumer requests regarding their personal data within 45 days. (In some instances, the response period may be extended by 45 additional days provided the Controller notifies the consumer within the first 45–day period of the extension and the reason for it);  
• Controllers must establish a process for a consumer to appeal a Controller’s refusal to take action on a consumer request; and 
• Controllers must provide consumers with a clear and meaningful privacy notice regarding processing practices including disclosure of the sale of personal data to third parties for targeted advertising, along with a secure and reliable way for consumers to exercise their rights under the law.  
• Controllers must conduct and document a data protection assessment of processing activities involving personal data, including identifying and weighing the benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer along with safeguards that can be employed to reduce those risks.  

It is important to mention that the Virginia Attorney General, as part of its enforcement powers under the Act, may request disclosure of that assessment and evaluate the assessment for compliance.  So, it is important that the assessment be thorough and up to date.   

Those are the requirements for Controllers.  Are there any requirements for processors? The simple answer is yes.  Processors have several obligations, which are basically to assist the controller in meeting its responsibilities under the law including: 

• The controller’s obligations to respond to consumer rights requests. 

• The controller’s obligations in the event of a breach of security of the system pursuant to Virginia’s Breach of Personal Information reporting law. 
• Providing necessary information to enable the controller to conduct and document data protection assessments. 
• It’s also important to mention that the law requires that a processor’s data processing procedures with respect to processing performed on behalf of the controller be governed by a binding contract with clear instructions for processing data, along with specific contractual provisions, which we will not go into today.  

Rights of Consumers 

Now that we have discussed who the law covers and what requirements businesses will have to meet, let’s briefly discuss the rights of consumers under this new law. 

The law provides consumers with 6 basic rights similar to those granted by California’s law and the GDPR.  

• The first is the consumer’s right to know if a controller is processing their personal data and the ability to access that data. 
• Next, consumers have the right to correct inaccuracies in their personal data based on the nature of the personal data processed and the purposes for which it is processed 
• Next, consumers have the right to have their personal data deleted by the controller or processor 
• Consumers also have the right to obtain a copy of the personal data provided to the controller in a portable and useable format, the extent technically feasible, that allows the consumer to transmit their data to another controller. 
• Consumers have the right to opt-out of their personal data for the purposes of targeted advertising, sale of their personal data, and profiling for decisions that have a legal or significant effect on the consumer.   
• Finally, consumers have the right to appeal a business’ denial to act on a request within a reasonable amount of time.  Under the law, a business must respond to a consumer request within 45 days of receipt.  The law allows for an additional 45–day extension if reasonably necessary as long as the business notifies the consumer of this extension within the first 45–day period. If the business fails to do so, it must establish a process for the consumer to appeal to the business’s failure to take action. If the appeal is denied, the controller must inform the consumer how they may file a complaint with the Virginia Attorney General.  

Virginia’s law defines a “sale” of personal data more narrowly than California law. While California law defines a “sale” as the exchange of personal data for “monetary or other valuable consideration” under the Virginia law, a “sale” of personal data is defined as the exchange of personal data for monetary consideration by the controller to a third party.  

Also, under Virginia’s law, a sale does not include the following disclosures listed (Do Not Discuss). 

• Disclosures to processors 
• Disclosures to third parties for purposes of providing a product or service requested by the consumer 
• Disclosures to an affiliate of the controller 
• Disclosures that the consumer made intentionally to the general public via a channel of mass media when the consumer did not restrict the disclosure to a specific audience; and 
• Disclosures to a third party as an asset that is part of merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets 

Enforcement 

Now let’s discuss how the law is enforced.  

The Virginia Attorney General has exclusive enforcement authority over the law. If the Attorney General has reasonable cause to believe that a violation of the law has, is, or is about to occur, it may issue a Civil Investigative Demand, which is a powerful form of legal process allowing the Attorney General to obtain information during its investigation.  

Notice to Cure 

Prior to initiating any civil action, however, the Attorney General must provide a controller or processor 30 days’ written notice identifying the specific provisions of the law alleged to have been violated.  

If within that 30-day period the controller or processor cures the violations and provides an express written statement that the alleged violation has been cured and that no further violations will occur, the AG will not proceed with a civil action against the business.  

If the violations continue, or the business breaches an express written statement provided to the Attorney General, the Attorney General may initiate action and may seek an injunction to restrain any violations of the law and civil penalties of up to $7,500 for each violation.  The Attorney General may also recover reasonable expenses incurred in the investigation and case preparation, including reasonable attorney fees. Penalties, fees, and expenses are paid into the newly created Consumer Privacy Fund.  The law provides no private right of action for consumers.  

Interestingly, the law contains a provision directing the Virginia Joint Commission on Technology and Science to create a workgroup to review the provisions of the law and issues related to its implementation and to report its findings and recommendations to the legislature by Nov. 1, 2021. This means the law could be modified during the next legislative session prior to becoming effective. 

Well, there you have it! Virginia’s new Consumer Data Protection Act.  January 1, 2023, is less than two years away, so it is a good idea for businesses to start preparing now.  

Click here to watch the video.