On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first legislation of its kind on the East Coast. The law will go into effect on January 1, 2023.
The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.
Who will be impacted?
The bill’s scope appears to have been carefully drafted to avoid imposing obligations on small businesses and non-profits. Like California’s legislation (but unlike GDPR), the bill contains exclusions for nonprofit organizations, regardless of size, and for small and many medium-sized businesses. Like both GDPR and CCPA, however, it does apply to businesses located inside and outside of Virginia, if they meet the thresholds in the bill and target Virginia consumers.
In this way, Virginia, like California, diverges dramatically from GDPR, which applies across the board to any business, whether large or small, for-profit or nonprofit, that collects or processes EU/UK data subjects’ personal information. The analysis in Virginia will be based entirely on the volume of Virginia consumers’ personal information the business processes each year, and/or whether it is in the business of selling Virginia consumers’ personal data. One additional and notable distinction from the CCPA is that “sale” is defined simply as an exchange of personal data for monetary consideration.
If a Business is in scope, what new obligations does the statute impose?
The new law establishes, for the first time in Virginia, several principles which have long been recognized as best practices but have never before been formalized as legal obligations in the Commonwealth. They include:
More Detail on the Key Provisions:
Note that the bill requires businesses that use personal data for targeted advertising or that sell it, not only to disclose that they do so, but also to provide a mechanism for consumers to opt out of these uses, and the mechanism must be described in the privacy notice.
The latter is a fundamental change and is particularly significant: in the past, the purposes for which data was used were entirely up to the business. Businesses had no obligation to disclose their purposes, nor any accountability for collecting data for one purpose and then using it for another, unless they made affirmative statements to the contrary in advertising, in which case a false advertising or unfair/deceptive trade practice claim might be valid. No longer will businesses be able to collect personal data ostensibly for one purpose but then keep it and use it for others or, worse, keep it for no good reason, exposing it to the risk of a data breach when it arguably should have been destroyed. For many large businesses with robust information governance programs this is old hat: do not keep data you do not need. For others, however, it may be the first time they have cause to consider what data they have and why. If there is no good purpose for retaining it, or if the only purposes are ones that were never disclosed to the consumer, then it cannot be retained under the new statute and should be destroyed.
The Act also requires that businesses undertake a formal data protection assessment of all data processing activities involving personal data that is:
The data protection assessment must identify and weigh the benefits of the processing to the business, the consumer, other stakeholders and the public, against potential risks to the rights of the consumer. Mitigating safeguards employed by the business to reduce risk should be factored in. These assessments will be very fact-specific, and should consider the use of de-identified data, the reasonable expectations of the consumer, and the relationship between the controller and the consumer. The Attorney General may request copies of a business’ data protection assessment in the context of an investigation by the Attorney General into the business’ compliance with the Act. The Act does contain specific exemptions for these assessments from Freedom of Information Act (FOIA) requests and from waiver of any attorney-client privilege. It seems likely that, for example, in the context of a data breach, the Attorney General’s office might use its investigative authority under the Act to evaluate the steps that the business previously took to assess risk and safeguard data. Notably, the assessments are only required for processing of data that occurs after the bill goes into effect on January 1, 2023, but companies are well-advised to begin these assessments now, so that if processes need to be revised before that date, they can start on a fresh note when the Act takes effect.
Notably absent from this list, in contrast with CCPA, is the right to receive a list of the third parties to which personal data has been disclosed by the controller in the past 12 months. As this is one of CCPA’s more burdensome provisions, it is another example of the narrower, more business-friendly scope of the Virginia bill.
What is required of businesses who receive a request to exercise these rights?
Businesses must develop processes to allow consumers to exercise their rights as outlined above. These provisions closely replicate the California requirements and will be easy for companies already in compliance with CCPA to implement.
No longer can a contract for services involving personal data be handled with a simple purchase order. Companies subject to the Virginia Act will need to have standard contract language on hand to use with any vendor that will touch personal data.
Enforcement by the Attorney General/No Private Right of Action
The Virginia Attorney General will have investigative authority and the ability to impose civil penalties of up to $7,500 per violation. Much like CCPA, the Act creates a 30-day cure period for violations. If a controller who was notified by the Attorney General of a violation of the Act cures the violation and provides a written response to the Attorney General stating (i) that the violation has been cured and (ii) that no further violations shall occur, then no action will be initiated by the Attorney General’s office.
If, however, violations continue or recur after the 30 days, or if the controller breaches its express written statement to the Attorney General, then the Attorney General can initiate an action against the controller. Such action may involve injunctive relief and civil penalties of up to $7,500 for each violation of the Act. The Attorney General also has the right to recover expenses, including legal fees, incurred in such an investigation and action. All penalties and other amounts collected in this manner are to be paid into a newly created fund, the “Consumer Privacy Fund,” which will support the Attorney General’s office in its work to enforce the Act.
Delayed Start/Interim Working Group
The Act is not scheduled to take effect until January 1, 2023. In addition to giving controllers time to prepare to comply, that delay will also give lawmakers an additional opportunity to hear from constituents and stakeholders about implications of the bill that they may not have anticipated. To that end, the Act itself dictates that the Chairman of the Joint Commission on Technology and Science shall create a work group to review the Act and consider the implications of implementation. That group is to be composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates. Notably absent from the work group are representatives of those businesses that will fall within the scope of the Act because they process the personal data of at least 25,000 Virginia consumers and receive 50% or more of their gross revenue from the sale of data. It is not clear if this is an oversight or an intentional exclusion. The Act requires the Chairman of the Joint Commission on Technology and Science to submit the work group’s findings, best practices, and recommendations regarding the implementation of this act to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.
The Virginia Consumer Data Protection Act marks a significant milestone for the Commonwealth, putting Virginia among the ranks of the first few states in the U.S. to attempt to implement a framework for data processing and protection. It may well become a model for others, and, potentially, for federal legislation in the future.
“Targeted Advertising” is defined as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include: (i) Advertisements based on activities within a controller’s own websites or online applications; (ii) Advertisements based on the context of a consumer’s current search query, visit to a website, or online application; (iii) Advertisements directed to a consumer in response to the consumer’s request for information or feedback; or (iv) Processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency.”
If such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers.