On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“VCDPA”) into law. This made Virginia the second state to enact a consumer privacy and data security law, following in the footsteps of the California Privacy Rights and Enforcement Act (“CPRA”). Virginia will not be the last to regulate the relationship between consumers and businesses holding their data; Colorado has already become the third state to pass such a measure, and New Jersey, New York, Washington, Minnesota, Oklahoma, and others have bills under consideration. Virginia’s recent action is relevant beyond its borders, becoming the model for proposed legislation in Utah and raising the profile of long-stalled congressional data privacy efforts.
The VCDPA builds on frameworks used in California’s early legislation and the European Union’s General Data Protection Regulation (GDPR). But unlike in Europe and California, Virginia’s new law garnered support from tech industry trade groups and businesses like Amazon and Microsoft. Its coverage and compliance regime may be less onerous than its predecessors, but still represents a major change in data regulation that previously had little state involvement.
One of the VCDPA’s concessions to industry is its generous effective date: regulated parties have until January 1, 2023 to come into compliance. But companies with significant business in Virginia, especially those that do not have experience with CPRA or GDPR compliance or want to take advantage of the VCDPA’s differences from those regimes, will benefit from advance preparation.
What the Law Does
The VCDPA obliges some businesses to give consumers the ability to access and control personal data that the business collects about them. Virginia consumers will have the right to submit a request to access, correct inaccuracies within, and delete personal data they have provided or that has been obtained about them. The law includes a right to obtain a copy of data the consumer has previously provided, in a usable format “to the extent technically feasible.” For each business collecting data on them, Virginia consumers can opt out of targeted advertising, the sale of their personal data, or “profiling” (defined as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements”) that results in the business providing or denying “financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.” A business that controls personal data must respond to requests within 45 days.
These new rights have a number of limitations. Most importantly, they only apply to Virginians’ personal data “in an individual or household context.” Virginia residents are protected as consumers, not as employees or in commercial contexts. What counts as personal data is also limited: as in California, information lawfully made available through government records is exempted, and Virginia goes further to exempt data “that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.” Consumers have no right to protect data that they post publicly on social media, for example. These new rights also do not apply to pseudonymous data kept by businesses, as long as they show that any identifying information is kept separate and protected. The Virginia legislature also attempted to prevent this new law from overlapping with data collection already regulated by other laws, like health (covered by HIPAA and other statutes), research, education, and credit worthiness.
What the VCDPA considers a sale of personal data is also relatively narrowly defined. Consumers can only choose to prevent a sale of their personal data if the sale includes an “exchange of personal data for monetary consideration” between the company controlling the data and a third party. Businesses can still transfer personal data to an affiliated or controlled company, have a third party process personal data on their behalf, and disclose personal data if a consumer requests a product or service.
The law’s definition of ‘targeted advertising’ allows businesses to continue some practices even if consumers opt out. In the VCDPA, opting out only prevents advertising based on data from outside a business and its affiliates. Similarly, targeted advertising based on “the context of a consumer’s current search query, visit to a website, or online application,” or on responding to a consumer request, can remain for opted-out consumers.
Businesses’ use of personal data to measure its advertising is a final exception to consumer privacy rights. A business can continue to use personal data from opted-out consumers to see the effectiveness and reach of its marketing. However, the interaction of this exception with consumers’ ability to opt out of sales of personal data may limit its applicability.
The VCDPA further protects a “sensitive” category of personal data. There, the law requires businesses to obtain consent from the consumer—an opt in rather than opt out. This includes “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status,” identifying genetic or biometric data, particularly precise and accurate geolocation data, and data collected from a child that the business knows is under 13 years old.
How the Law Affects Businesses
The VCDPA applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents, and that control or process the personal data of at least 100,000 Virginia consumers. That bar is lowered to 25,000 consumers if over 50% of the business’s gross revenue derives from selling personal data. Some businesses can thus avoid the VCDPA altogether. A business could comply with the law by ensuring it falls below the bar or doesn’t control or process personal data for the purposes of the VCDPA. Public, nonprofit, and higher education entities, as well as financial institutions regulated by the Gramm-Leach-Bliley Act or entities regulated by certain HIPAA regulations, are also exempt from the law. But exempt businesses should bear in mind that general industry data collection and use practices might change in ways that affect them as well, as occurred in California.
A business can be covered by the VCDPA either as a “controller” of personal data, or a “processor” that performs operations like “collection, use, storage, disclosure, analysis, deletion, or modification” on personal data on behalf of a controller. Controllers comply with the law by receiving, authenticating and complying with reasonable consumer personal data requests and setting up an appeals process for requests they deny. They also have general obligations to only collect personal data that “is adequate, relevant, and reasonably necessary,” provide disclosures and privacy notices, have “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data,” keep de-identified data from being re-identified, and conduct and document ‘data protection assessments’ to ensure compliance with the VCDPA. These confidential assessments allow businesses to justify why the benefits of their use of personal data outweighs any risks to consumer rights and how they mitigate those risks. Assessments, while imposing another compliance cost, will likely help businesses shape enforcement of the new law.
Processor businesses comply largely through their contracts with controllers, which must include instructions and details on processing personal data. Processors must also cooperate with controllers’ compliance with the law and protect consumers’ data. Businesses affected by the VCDPA as controllers or processors have a number of exemptions from their obligations that largely track the limitations on consumers’ new privacy rights. Generally, many of the specific obligations imposed on businesses controlling or processing data amount to a reasonableness requirement to protect consumer personal data and process it only when necessary and for legitimate purposes. Compliance largely falls on the controller, with assistance from the processor. The contours of reasonableness will likely be worked out in enforcement.
Enforcement and How to Prepare for It
Virginia’s Attorney General (“AG”) oversees VCDPA, and there is no private right of action for consumers under the VCDPA.
Businesses have significant lead time before enforcement unfolds. Only data processing after January 1, 2023 needs to be included in an assessment, so businesses can focus on setting up their compliance for now. Assessments begin when the law comes into effect. The AG must give a business written notice identifying any specific alleged violations 30 days before initiating an action, and the business can use that month as a ‘cure period’ to address any violations. Sending the AG “an express written statement that the alleged violations have been cured and that no further violations shall occur” will prevent enforcement.
Violations after the cure period or breaches of that written statement allow the AG to seek an injunction, levy “civil penalties of up to $7,500 for each violation,” and recover reasonable investigation and attorney expenses. Depending on the number of violations, this cost could prove significant.
One big question mark for the Virginia law’s enforcement is the role of its new Consumer Privacy Fund. This state fund will collect all money from AG actions to pay for enforcement. If the AG’s budget and priorities do not permit robust early enforcement of the VCDPA, this funding mechanism could mean that enforcement starts slow. But major penalties imposed on particular violators could lead to increased enforcement against all regulated parties as the fund increases in size.
Preparation for the VCDPA includes uncertainties beyond enforcement, like the presence of an ongoing working group composed of executive and legislative officials alongside affected businesses and consumer rights advocates. The working group will submit a report with recommendations on the law by November 1, 2021, and legislative sponsors consider the law a starting point rather than a comprehensive statement on data privacy in Virginia. Consumer rights advocates have indicated that they will advocate for a global opt-out browser setting for consumers as in California, because the VCDPA’s individualized opt-out makes it more difficult for consumers to opt out of data collection by multiple businesses. Future legislation is planned to address data privacy in artificial intelligence and facial recognition.
Thus, much remains to be seen about Virginia’s new law. How consumers respond to their new rights, how the business community treats consumer requests, and how businesses’ obligations for reasonable protection and use of personal data are interpreted are all question marks until 2023, and perhaps beyond. The AG will play a key role in determining the climate that consumers and businesses face. The VCDPA contemplates interoperability with other data protection regimes like the CPRA and GDPR, permitting businesses’ reasonably comparable data protection assessments developed for other laws to comply with Virginia law as well. But the VCDPA’s more industry-friendly approach when compared with the CPRA and other privacy regimes may make it better for some businesses to develop separate compliance systems for aspects of each law. Depending on how the VCDPA’s unknowns are resolved, it could represent a new model for privacy or another jurisdiction-specific approach to personal data.
*Many thanks to Will Poff-Webster, for his significant contributions to this summary, without which this post would not have been possible.