On March 2, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA), making Virginia the latest state to enact a cross-industry privacy rights law. The CDPA displays a blend of concepts from two leading privacy regimes garnering attention in the U.S.: California’s CCPA and Europe’s GDPR. With Brazil continuing its work on implementation of the LGPD, and with other eyes focused on Canada’s potential revisions to PIPEDA, Virginia (roughly the thirteenth-largest U.S. state economy) becomes the latest government seeking input on how privacy should be regulated.
The CDPA’s passage adds a new acronym to the increasingly crowded list of comprehensive privacy laws implemented over the past five years. While companies already subject to those laws will have a leg up in preparing for Virginia’s CDPA, a thoughtful readiness program is needed to comply with its unique provisions and to efficiently integrate with existing business operations.
How did the CDPA pass?
Virginia was not the popular pick to follow California as the next state with comprehensive privacy legislation. For the past several years, Washington has been seen as the likely next state, but legislative infighting over inclusion of a private right of action—the ability of private citizens to sue companies for violations—seemingly has stalled the bill.
Virginia’s two legislative chambers, on the other hand, speedily and without much reported fanfare, passed nearly identical versions of the CDPA at the beginning of its 2021 legislative session. As we work to understand the CDPA’s business and legal implications, we will keep a careful watch on recent efforts in other states, including New York and Washington.
The CDPA becomes effective on January 1, 2023.
Who will be regulated?
The CDPA, as with the CCPA, is limited to for-profit businesses. Here is how it may apply to your business:
- Applicability threshold. The CDPA appears to be applicable to companies that conduct business in Virginia and that collect the personal information of at least 100,000 Virginia residents annually, or 25,000 residents if a majority of the business’s gross revenue is generated from data sales. But like the GDPR, the CDPA appears to apply also to companies that do not conduct business in Virginia, if the company’s products or services target Virginia residents, and if the company meets the same thresholds (100,000 residents or 25,000 residents and a majority of revenue from data sales). A company does not appear to be subject to the CDPA based solely on the dollar amount of its gross revenues, in contrast to the CCPA (which applies to companies with gross annual revenues over $25 million).
- Exemptions. The apparent duplicity in the exemptions will require thoughtful application to any particular business operation. The CDPA deploys a patchwork of exemptions for entities and data regulated by HIPAA (covered entities or business associates), entities or data subject to the GLBA, and institutions of higher education or other nonprofit organizations. The CDPA also exempts data covered by other federal privacy laws such as FCRA. It also exempts employee data outright, exhibiting a “lesson learned” from the CCPA’s partial coverage of workplace data, which many saw as confusing. An example of the CDPA’s thoughtful exemptions is excluding “[i]nformation derived from any health-care information listed in this subsection that is de-identified … pursuant to HIPAA.”
- Personal data and sensitive data. The CDPA helpfully adopts several naming conventions already used by the GDPR, starting with “personal data” (instead of the CCPA’s “personal information”). The definition of “personal data” is broad and relatable to the CCPA and GDPR, defined to include “any information that is linked or reasonably linkable to an identified or identifiable natural person” and to exclude de-identified and publicly available information. As with the GDPR and CPRA, the CDPA adds special obligations for “sensitive data,” which includes information such as protected status and “[p]recise geolocation data,” defined as “within a radius of 1,750 feet” (which is notably 100 feet smaller than the 1,850-foot radius used in the CPRA’s definition of the same term).
While a “consumer” in this case means a natural person who is a resident of Virginia, it expressly does not include “a natural person acting in a commercial or employment context.”
Like the GDPR, the CDPA acknowledges a category between personal data and anonymized or de-identified data: pseudonymous data. The CDPA appears to exempt pseudonymous data from the scope of its data privacy rights.
- Controllers and processors. The CDPA borrows GDPR’s concepts for “controllers”—those entities primarily responsible for determining the purpose and means of processing personal data—and “processors”—those entities handling personal data on behalf of a controller. As under the GDPR, an entity’s status as a controller or a processor is a fact-based determination, and specific contract provisions are required in order to pass down the CDPA’s various rights and obligations to processors and joint controllers.
Controllers are obligated to establish, implement and maintain “reasonable administrative, technical, and physical data security practices …” This is similar to GDPR’s phraseology and concepts, and it provides the Virginia attorney general with another hook to pursue enforcement against any company experiencing a data security incident with an impact on protected data or data systems.
What’s in it?
Like the CCPA, the CDPA confers broad data privacy rights to Virginia residents. This includes the following:
- The right to access. As with the CCPA, Virginians will have the right to access the information a business has collected and to receive that data in a portable and readily useable format. Unlike with the CCPA, the personal data that is subject to the right to access appears to reach back in time indefinitely.
- The right to delete. Virginians may ask businesses to delete personal data provided by or obtained about them.
- The right to correct. As with the new CPRA (following in the GDPR’s footsteps), Virginia residents may seek to correct inaccuracies in personal data held by a business.
- The right to opt out of targeted advertising, data sales and profiling. Virginians may opt out of sale of their personal data, though the term “sale” is defined as only “the exchange of personal data to a third party for monetary consideration.” A tighter definition than in the CCPA, this excludes, for example, data sharing for nonmonetary consideration. Virginians may also opt out of “targeted advertising” and profiling activity if it involves automated processing to “produce legal or similarly significant effects concerning the consumer.”
These rights must be fully processed within the familiar 45-day period employed by the CCPA, subject to another 45-day extension. Unlike under the CCPA, however, consumers have a right to appeal denials of their privacy rights requests.
The CDPA also includes a range of obligations, many of which will be familiar to GDPR- and CCPA-regulated organizations but with important nuances, as follows:
- Privacy notices. Businesses must post “reasonably accessible, clear, and meaningful” privacy notices that describe (i) the categories of personal data handled by the business, (ii) the purposes for handling the data, (iii) what categories of data are shared with third parties, (iv) the categories of third parties the business shares data with, and (v) how consumers may exercise their privacy rights.
- Affirmative privacy obligations. The CDPA also adopts affirmative privacy obligations, such as transparency, data minimization and purpose limitation, that will be familiar to those regulated by the GDPR and the upcoming CPRA.
- Consent for certain processing. Businesses wishing to process sensitive personal data or personal data for “secondary” nondisclosed purposes must first obtain affirmative, specific and unambiguous consent from the consumer. There will likely be litigation concerning what constitutes valid consent under the CDPA.
- Self-assessments. The CDPA requires GDPR-like data protection assessments for certain activities, such as selling personal data, handling sensitive data, using personal data for targeted advertising or profiling, or otherwise using personal data in a manner that “present[s] a heightened risk of harm to consumer.”
How will the CDPA be enforced?
The Virginia attorney general is the sole enforcer of the law, for up to $7,500 per violation. There is no express private right of action. And entities enjoy a 30-day “cure” period to address alleged violations. As with the CCPA, the ability to cure an alleged violation will need significant attention and advice of counsel should the opportunity to cure arise.
Importantly, the Virginia attorney general’s office is expressly authorized to recover its “reasonable expenses” in investigating and preparing its case, including “attorney fees.” In addition, the law is self-funding and may encourage the attorney general to pursue matters and litigation, directly or through the appointment of special outside counsel, as permitted by Virginia law. The CDPA creates a Consumer Privacy Fund, to be funded through the collection of civil penalties, expenses and attorney fees recovered under it.
In addition, the CDPA follows the CCPA in that it shall not “be construed as providing the basis for, or [be] subject to, a private right of action for violations of chapter or under any other law.” This provision likely will prove meaningful in litigation to come.
The CDPA becomes enforceable on January 1, 2023—the same day that the CPRA becomes effective. The CDPA does not authorize a rulemaking process, as was experienced in the long buildup to enforcement of the CCPA in 2020.
Companies doing business in Virginia should begin evaluating whether readiness measures will be required in the relatively short two-year buildup to CDPA enforcement. In the meantime, Manatt will continue to monitor legislative developments across the country, as several other states—including Massachusetts, New York and Washington—are expected to make serious pushes toward similar legislation in 2021.