Virginia became the second state in the country to enact comprehensive data privacy legislation when Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2. The good news: this sweeping new law, which will create a whole host of critical obligations for employers and businesses operating in Virginia, is not effective until January 1, 2023 – giving you ample time to adjust your practices to ensure compliance with the new law. But the time to begin preparing for this major change is now. Below are some key highlights of the CDPA for your consideration, along with some action steps you can begin to take at once.
Earlier this year we previewed that Virginia was poised to enact the Consumer Data Protection Act (CDPA). That has now come to fruition. The CDPA, passed into law last month and effective starting January 1, 2023, will apply to all persons that conduct business in Virginia, or produce products or services that are targeted to residents of Virginia and either: (1) control or process personal data of at least 100,000 Virginia consumers or (2) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia consumers. The CDPA does not apply to state or local governmental entities, and also contains exceptions for certain types of entities and data governed by federal law – such as, for example, entities and data regulated by HIPAA. The CDPA also specifically excludes employee and B2B (business to business) data.
Responsibilities and Privacy Protection Standards
Virginia’s new law will create both new obligations for businesses and new rights for consumers.
The CDPA imposes obligations on “controllers” and “processors,” which is another way of identifying businesses and service providers that maintain consumers’ data. While there are numerous requirements businesses must follow, there are several key provisions you should familiarize yourself with.
- Controllers are required to limit the personal data collected, process it for purposes that are reasonably necessary to the business, maintain security practices to protect the confidentiality of the data, and obtain consumer consent to process sensitive personal data.
- Additionally, controllers must provide consumers a privacy notice that includes specific information about how personal data is collected and used or shared, and how consumers can exercise their rights under the CDPA.
- Similarly, processors of personal data are required to follow any instructions provided by a controller and assist the controller in meeting its obligations to consumers and under the CDPA.
- The relationship between controllers and processors must be governed by an agreement that adheres to certain requirements identified in the CDPA.
The CDPA provides consumers the ability to manage and control their personal data through five mechanisms, providing them the right to:
- know whether a controller is processing their data and have the right to access that data;
- correct their data;
- have controllers delete their data;
- obtain their data in a portable form, if feasible, to allow them to transfer the data; and
- opt out of the use of their data for (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
At this time, the CDPA does not provide consumers with a private right of action to enforce these rights. Instead, the Virginia Attorney General will be provided that authority, and if a violation occurs and is not cured, the Attorney General may impose penalties.
Although the CDPA does not go into effect until January 1, 2023, you should begin your preparations now. First, you should determine whether the CDPA will apply to your business. Additionally, as previously recommended, you will want to understand the consumer data you currently process and store to ensure that no more data is collected than reasonably necessary. You should act now to review your current security practices that protect such data and update them if necessary. If your business is affected, you will also want to consider how to manage consumers’ requests regarding their personal data, as well as how consent to process sensitive data will be collected. You will also need to begin reviewing your agreements with data processing vendors.
Virginia is the latest state – but most certainly not the last – to enact new data protections that will impact businesses. Many other states have general data privacy bills pending for consideration, such as Colorado, Washington, Illinois, and Florida, and this trend will only increase in the coming years.