On March 2, 2021, the governor of Virginia signed the Consumer Data Protection Act (CDPA) into law. This new law applies to people who conduct business in Virginia or produce products or services targeted at Virginians. Specifically, the law applies to businesses that collect and control or process personal data of 100,000 or more consumers annually, or at least 25,000 consumers if such activity makes up over 50% of their gross revenue. The CDPA refers to businesses that collect and control data as “Controllers” and to third parties who process that data on behalf of Controllers as “Processors”. Several categories of organizations are exempted, including state agencies and offices, nonprofits, and institutions of higher education, as well as any financial institution subject to the privacy rules of Title V of the Gramm-Leach-Bliley Act and entities subject to HIPAA. The law also exempts certain kinds of data, including employer data and data already protected under federal privacy laws like HIPAA, FERPA, and the Fair Credit Reporting Act.
The CDPA gives consumers certain rights regarding their personal data, which Controllers must comply with upon request. Consumers have the right:
- To confirm whether the controller is processing their data and to access it;
- To correct inaccuracies in their personal data;
- To delete their personal data;
- To obtain a copy of their data in a portable and readily useable format that allows the consumer to transmit the data elsewhere;
- To opt-out of the processing of their data for purposes of targeted advertising, sale, or profiling.
Consumers cannot waive these rights by contract, and Controllers are required to establish a secure and reliable means for consumers to make requests to exercise them. Once such a request is made, the Controller must respond within 45 days. Controllers may extend the response period by another 45 days if reasonably necessary under the circumstances and if they give the consumer notice of the extension within the initial 45-day period. If no action is taken by the Controller, they must notify the consumer of the justification for declining to act and the consumer’s right to appeal. Controllers must establish procedures for the appeal of initial non-action similar to the procedure for the initial request, and appeals must be acted upon within 60 days. Consumers are entitled to up to two data requests per year free of charge. Controllers may charge consumers a reasonable fee to cover administrative costs if requests are repetitive, excessive, or manifestly unfounded.
The CDPA also limits the data Controllers are allowed to collect. Specifically, controllers must limit the collection of personal consumer data to that which is “adequate, relevant, and reasonably necessary” to the disclosed purpose for processing that data. Any data that does not meet that standard, or which is considered “sensitive data” (personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying a natural person; children’s personal data; and precise geolocation data), may not be processed without consumer consent, nor may data be processed in violation of state and federal laws prohibiting unlawful discrimination. In addition, the CDPA requires Controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
If a Controller possesses consumer data that is not specifically linked to an identified consumer, or “de-identified” data, a Controller must take reasonable measures to ensure that the data cannot be associated with a person. They must publicly commit to maintaining that data without attempting to re-identify it and must contractually obligate any recipients of de-identified data to comply with the provisions of the CDPA. Controllers may not be required to re-identify data under this Act and need not comply with consumer rights requests relative to de-identified data in many cases.
The CDPA also imposes a notice requirement on Controllers. Controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of data the controller processes;
- The purpose for processing consumer data;
- How consumers may exercise their rights under the CDPA, including on appeal;
- The categories of personal data shared with third parties; and
- The categories of third parties with which data is shared.
The CDPA requires Processors to assist Controllers in meeting their statutory obligations, including providing appropriate technical and organizational measures, prompt and appropriate notifications of data breaches, and information that the Controller can use in making data protection assessments. Controllers are required to perform data protection assessments on all data that falls into the statutory opt-out categories (data for targeted advertising, sale, or profiling) as well as any sensitive consumer data and any processing activities that present a heightened risk of harm to consumers. These assessments must be designed to weigh the benefits to the Processor, Controller, consumer, stakeholders, and the public of processing such data against the potential harms to the consumer. The Attorney General has the authority to request documentation of data protection assessments related to an investigation initiated under the CDPA.
Finally, the CDPA establishes parameters for contracts between Controllers and Processors. Such contracts must require the Processor to:
- Ensure that all persons processing personal data are subject to a duty of confidentiality;
- Delete or return all personal data to the Controller at the Controller’s direction unless retention is required by law;
- Provide the Controller information sufficient to demonstrate the Processor’s compliance with the CDPA;
- Cooperate with the Controller in making data protection assessments or arrange for a qualified assessor to do so;
- Engage all subcontractors through written contracts which require the subcontractors to meet the Processor’s obligations under the CDPA.
Violations of the CDPA are enforced solely by the Attorney General. There is no private right of action. Upon a consumer complaint, the Attorney General will give notice to the Controller or Processor, who will have 30 days to cure any alleged violation. Otherwise, the Attorney General may initiate an action on behalf of the Commonwealth. Each violation is subject to injunction and a fine of up to $7,500.
The CDPA takes effect on January 1, 2023. Although the law directly impacts the businesses that operate or advertise to customers in Virginia, the CDPA will likely have far-reaching implications nationwide as a model for consumer privacy rights in years to come.