Update: The VCDPA was signed into law by Governor Ralph Northam without amendment on March 2, 2021. The VCDPA will become operative on January 1, 2023, and businesses should remain mindful of pending legislation in states like Washington, New York, Illinois and Massachusetts.
Virginia is set to become the second U.S. state to pass comprehensive data privacy legislation. Senate Bill 1392, called the Consumer Data Protection Act (“VCDPA” or the “Act”), passed the Virginia Senate by a vote of 39-0 on February 5, 2021, and the Virginia House of Delegates approved a companion bill (House Bill 2307) by a vote of 89-9 on January 29, 2021. The bills now await reconciliation, thought by some to be a mere formality. If passed, the law will establish a framework for controlling and processing personal data in the Commonwealth that parallels California legislation like the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), as well as the European Union’s General Data Protection Regulation (“GDPR”). Notably, the Act does not create a private right of action for consumers, even in the case of a security incident. The law would take effect on January 1, 2023. This article includes a chart comparing certain provisions of the Act to the CCPA (as amended by the CPRA) and the GDPR, as well as a breakdown of key provisions.
As currently drafted, and similar to the CPRA and CCPA, the new legislation establishes thresholds used to determine applicability. In particular, the VCDPA applies to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Notably absent from the definition is the gross revenue threshold seen in the similar California legislation.
The definition of “consumer” is also different. Under the VCDPA, a “consumer” is a natural person who is a resident of the Commonwealth “acting only in an individual or household context.” The definition goes on to expressly exempt a natural person acting in a “commercial or employment context.” This is in contrast to the CPRA, which as we have discussed, is set to apply to employee and contractor personal information — the term used in the CPRA — beginning on January 1, 2023.
The Act contains expected exemptions, including exemptions for HIPAA covered entities and business associates, nonprofits, higher education institutions, and financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act. Notably, the Act provides entity-level exemptions that are broader than the CCPA’s data-specific exemptions.
Borrowing a concept from the GDPR, the VCDPA distinguishes between responsibilities applicable to controllers and those applicable to processors. Taking a high-level view, a processor is obligated to adhere to the instructions of a controller and to assist the controller in meeting the controller’s obligations under the Act. A controller is obligated to abide by the remaining obligations under the Act, including honoring newly created individual rights and conducting data protection assessments, as appropriate.
Much like the GDPR, the VCDPA would require controllers to enter into agreements with data processors that: (i) set forth instructions for processing personal data; (ii) identify the type of data subject to processing, the duration of processing, and the rights and obligations of both parties; and (iii) ensure that third parties processing personal data are subject to a duty of confidentiality. The agreements would also need to require deletion or return of data by data processors at the termination of the controller-processor relationship.
The VCDPA creates a number of individual rights which, again, parallel rights created by both the GDPR and the CPRA. Under the Act, a consumer would have the right to (i) confirm whether or not a controller is processing the consumer’s personal data, (ii) correct inaccuracies in data held by a controller, (iii) delete personal data, and (iv) opt out of sales of personal data, targeted advertising and profiling. The VCDPA also moves processing of “sensitive” personal data to an opt-in regime that requires the consumer’s freely given, specific, informed, and unambiguous agreement before processing certain categories of personal data. These categories include precise geolocation data (i.e., within a radius of 1750 feet), racial or ethnic origin, religious beliefs, mental or physical health, diagnosis, sexual orientation, citizenship or immigration status, and identifying genetic or biometric data.
As seen under similar legislation, controllers must (i) authenticate consumer requests, (ii) provide accessible means for the requests that take into account the normal manner of interactions, and (iii) respond to consumer requests without undue delay, but in any event within 45 days of receipt with certain limited opportunities for extension. A unique characteristic of the VCDPA is the addition of a statutory right to appeal a denial of a request and, if that appeal is denied, the controller must provide the consumer with a method to submit a complaint to the Attorney General.
The Act creates certain unique obligations related to the processing of de-identified data. Broadly speaking, under the VCDPA, a controller in possession of de-identified data is required to (i) take reasonable measures to ensure the data cannot be associated with a natural person, (ii) publicly commit to abstain from attempting to re-identify the data, and (iii) contractually obligate any recipients of the de-identified data to comply with the VCDPA. The Act goes on to clarify that even an authenticated consumer rights request related to de-identified data should not be interpreted to require a controller or processor to re-identify data or maintain the data in identifiable form.
The Act also codifies many of the fair information practice principles that underpin other privacy legislation, such as the GDPR and CPRA. These principles include restraining the processing of personal data to that which is “adequate, relevant, and limited to what is necessary in relation to the specific purposes,” and “subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data.”
The “sale of personal data” under the Act is “the exchange of personal data for monetary consideration by the controller to a third party.” This definition is closer to that of Nevada’s recently amended Internet privacy law and does not include the phrase “other monetary consideration” from the CCPA — a phrase that has resulted in substantial debate and confusion. The VCDPA also includes a number of express exclusions from its definition of sale, including (i) disclosure to processors, (ii) disclosure to third parties for purposes of providing a good or service requested by the consumer, (iii) disclosure to an affiliate, (iv) disclosure of information which is intentionally made public, or (v) disclosure or transfer as an asset in connection with a merger, acquisition, bankruptcy, or other transaction involving a change in control.
The VCDPA does not create a separate enforcement agency, as was created by the CPRA, and establishes no private right of action for the consumer, even in the case of a security incident. Instead, enforcement of the Act sits with Virginia’s Attorney General alone. Specifically, prior to initiating action under the VCDPA, the Attorney General will provide a controller or processor 30 days’ written notice identifying the particular alleged violation. If the controller or processor continues to violate the Act after the 30-day cure period, the Attorney General is authorized by the Act to initiate action and seek damages of up to $7,500 per violation. All penalties paid under the Act will be credited to the newly created Consumer Privacy Fund. The Attorney General may also recover reasonable expenses incurred in “investigating and preparing the case,” including attorney fees.
Virginia lawmakers must reconcile the two identical versions of the Act by the end of the legislative session on February 27, 2021. The bill would then be sent to Governor Northam for signature. Should it be signed into law, the VCDPA would take effect on January 1, 2023, the same day as the CPRA.
The VCDPA melds obligations from a variety of data privacy legislation, and it is important for organizations within the Act’s scope to realize that compliance takes time. Organizations should determine applicability as soon as feasible. And, if the Act applies, organizations should allocate costs and time to implement any necessary changes to ensure compliance by January 1, 2023. For example, covered organizations should (i) create and/or update a comprehensive data inventory that provides insight into both the types of data involved and the nature of each processing activity, (ii) take steps to segregate sensitive data, and (iii) implement a framework for conducting data protection impact assessments. In developing any compliance program for the VCDPA, businesses should also keep in mind the potential impact of comprehensive data privacy legislation pending in states such as New York and Washington.