Highlights
- Virginia appears poised to enact consumer privacy legislation by the end of the month, although the law would not be effective until Jan. 1, 2023.
- The absence of a private right of action earned the bill broad support in both houses of the Virginia Assembly.
- The state's Consumer Data Protection Act (CDPA) would grant Virginia residents General Data Protection Regulation (GDPR)-style rights of access, correction, deletion, to opt out of processing for certain purposes and to obtain copies of their personal data.
- Additional states, including New York and Washington, could follow suit later this year.
Virginia seemingly came out of nowhere on the consumer privacy front and now appears to be just days away from becoming the second state in the nation, behind California, to pass comprehensive consumer privacy legislation.
In the past week, the Virginia House (HB 2307) and Senate (SB 1392) each passed versions of the Consumer Data Protection Act (CDPA). Lawmakers have only a short window to reconcile the bills before the legislature adjourns on Feb. 11, 2021. If a reconciled bill passes in both chambers and is sent to Gov. Ralph Northam, he has up to 30 days from adjournment to sign the bill or it would become law without being signed. Despite the speed at which lawmakers have moved, the CDPA would give businesses time to prepare – the Act would not be effective until Jan. 1, 2023.
Scope
The scope of the CDPA is likely to feel familiar but is different in important ways, namely the absence of a monetary threshold. The CDPA would apply to "persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data." It is also notable that the CDPA would exclude individuals acting in a commercial or employment capacity – essentially the current state of the law in California, although that will change in 2023 when new provisions come into effect.
Consumer Rights
Modeled on draft legislation for the Washington Privacy Act (WPA), the CDPA also has parallels to California's law, the California Consumer Privacy Act (CCPA), as recently amended by Proposition 24, the California Privacy Rights Act (CPRA). In particular, the CDPA would give a Virginia resident the right:
- To confirm whether or not a controller is processing the consumer's personal data and to access such personal data;
- To correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;
- To delete personal data provided by or obtained about the consumer;
- To obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
- To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers and Processors
The Act adopts the European Union's General Data Protection Regulation (GDPR) distinction of controller/processer and requires controllers to obtain consent before processing "sensitive data," which includes data revealing racial or ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship or immigration status, genetic and biometric data, precise geolocation and data collected from (known) children. Consent itself is a high standard, requiring a clear affirmative act signifying a consumer's "freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer."
Controllers would further be required to limit data collection to that which is relevant and reasonably necessary, not process data for incompatible purposes without consent, implement reasonable security practices to protect data, not discriminate against consumers for exercising their privacy rights and not process sensitive data without consent.
Contracting
The CDPA would require controllers to include instructions for processing in their contracts with processors, as well as describe the nature and purpose of processing, the type of data subject to processing and the duration of processing. A processor would also be required to cooperate with assessments by the controller or pay for its own third-party assessment.
Data Protection Assessments
Contractors would be required to perform data protection assessments for targeted advertising, data sales, certain types of profiling, processing of sensitive data and any processing that presents a heightened risk of harm to consumers. Importantly, assessments would be required only for processing beginning or created in 2023.
Enforcement
The Act's swift passage can be attributed to the absence of a private right of action. The State Attorney General (AG) would have exclusive authority to enforce the CDPA, through both its civil investigative powers and enforcement actions. The AG would be required to provide 30 days' notice and an opportunity to cure any violation. If the violation is not cured, the AG could bring an action seeking to recover up to $7,500 per violation.
A Tipping Point?
The CCPA largely unified businesses throughout California and the U.S. in calling for Congress to pass a comprehensive federal privacy standard that preempts a patchwork of state laws. Having a second state pass its own law, particularly a state in its own backyard, could be the motivation Congress needs to focus on the issue. (See Holland & Knight's previous blog post, "Transportation Cybersecurity and Privacy Under Biden," Jan. 6, 2021.)
