Virginia is for lovers and, in the near future, may be for privacy as well, as the Commonwealth’s legislature is currently considering adopting its own comprehensive consumer data privacy law: The Consumer Data Protection Act (CDPA).
The CDPA, which would establish a framework for controlling and processing personal data in Virginia, is comprised of House Bill 2307 and Senate Bill 1392, and appears to be close to crossing the goal line in Richmond. The House passed its bill on January 29, 2021, and subsequently referred it to the Senate Committee on General Laws and Technology on February 1. Similarly, the Senate unanimously passed its bill on February 3, and it was referred to the House Committee on Communications, Technology and Innovation on February 7. All that remains now is for the House and Senate to complete the reconciliation process and present the legislation to Governor Ralph Northam for his approval, which means the CDPA could be enacted soon. As such, we have provided a brief overview of the CDPA below:
The CDPA’s Scope
The CDPA applies to an entity (or individual) that conducts business in Virginia or targets their products or services to Virginia residents and (i) “control[s] or process[es] personal data of at least 100,000 consumers” over the course of a calendar year or (ii) “control[s] or process[es] personal data of at least 25,000 consumers and derive[s] over 50 percent of gross revenue from the sale of personal data” (Data Controller). The CDPA does not apply to state or local governmental entities, nonprofit organizations, higher learning institutions, or entities covered by the Gramm-Leach-Bliley Act, HIPAA, or the HITECH Act, and does not cover certain types of personal data already protected under federal law.
Consumer Rights Provided by the CDPA
The CDPA grants consumers five personal data rights, which consumers may invoke by submitting a request to a Data Controller: (1) the right to confirm whether a controller is processing the consumer’s data and, if so, to access that data; (2) the right to correct inaccuracies in the consumer’s personal data; (3) the right to have the consumer’s personal data deleted; (4) the right to obtain a copy of the consumer’s personal data; and (5) the right to opt out of the processing of the consumer’s personal data for purposes of targeted advertising, selling that data, or profiling in order to make impactful decisions.
In this sense, the CDPA largely parallels the California Consumer Privacy Act (CCPA), which also provides California consumers with the right to know what personal data a business has collected from them and whether that data is being sold or disclosed, the right to prevent the sale of the consumer’s personal data, and the right to access the consumer’s personal data, among other things. It goes further in extending the opt-out right to cover certain types of data processing, for targeted advertising, and some profiling.
Obligations Imposed on Data Controllers Under the CDPA
Under the CDPA, Data Controllers are subject to several general obligations. Specifically, Data Controllers must: (1) collect no more personal data than is necessary for their data processing purposes; (2) only process personal data for the purposes that they have disclosed to consumers; (3) implement reasonable data security measures; (4) refrain from discriminating against consumers that exercise their personal data rights; and (5) obtain a consumer’s consent before processing “sensitive data” – which the CDPA defines to include a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship status, genetic or biometric data, personal data collected from a child, and precise geolocation data.
Beyond these general obligations, the CDPA also requires that controllers take several steps to increase transparency with consumers, like providing a clear and meaningful privacy notice and disclosing whether the controller sells personal data to third parties or processes personal data for purposes of targeted advertising. Controllers must also disclose how consumers can opt out of having their data used like this. Additionally, controllers must conduct and document a privacy risk assessment when they process data for certain purposes that pose a “heightened risk” of consumer harm.
Enforcement of the CDPA
Despite granting Virginia consumers significant personal data rights, the CDPA explicitly declines to create a private right of action to enforce these rights. Rather, the authority to enforce the CDPA is vested solely with the Commonwealth’s Attorney General.
In terms of penalties, controllers or processors of personal data that violate the CDPA could be subject to an injunction and liable for up to $7,500 per violation. The CDPA also establishes a “Consumer Privacy Fund,” into which all civil penalties collected for violations of the CDPA will be deposited in order to fund the Attorney General’s further enforcement efforts.
If the CDPA is ultimately passed, Data Controllers that conduct business in the Commonwealth will find themselves subject to several important obligations, so it is vital that businesses that would be covered by the CDPA monitor its progress. The CDPA would not become effective until January 1, 2023, providing Data Controllers time to come into compliance with the CDPA’s obligations. At the same time, Data Controllers also must consider other potentially applicable state laws, such as the California Privacy Rights Act, and begin mapping out privacy compliance strategies accordingly.