Takeaways

The newly signed Virginia Consumer Data Protection Act (CDPA) has parallels to the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA), as well as to Europe’s General Data Protection Regulation of 2016 (GDPR). But compliance with those privacy laws may not suffice as preparation for this most recent privacy legislation.
The CDPA creates consumer rights similar to those under the CCPA, but it also imposes security and assessment requirements on businesses, and it is enforced solely by the Virginia Attorney General.

The Virginia Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021 by Governor Northam. It establishes rights for Virginia consumers to control how companies use their personal data. The CDPA dictates how companies must protect personal data in their possession and how they must respond to consumers exercising the rights the law prescribes over that data. While the law will not take effect until January 1, 2023, CCPA and GDPR compliance efforts over the last several years show that planning for the CDPA, and for the similar state privacy bills in the pipeline, should not be delayed.

Background / Legislative History

The CDPA was passed in response to growing public concern in Virginia over businesses’ use (and misuse) of personal data. Virginia House sponsor Cliff Hayes noted that “consumers should have the right to know what is being collected about them” and “no matter who you are as an organization, you need to be responsible when it comes to handling data of consumers.” The CDPA attempts to address these ideals by giving Virginia consumers greater rights over their personal data and by holding businesses accountable for protecting that data. It is evident that the CCPA and GDPR informed this legislation, from the use of GDPR-like terminology (“controller,” “processor”) to the inclusion of CCPA-like consumer rights. In some cases, legislators looked at the CCPA and intentionally took a different approach. Senator Marsden (the sponsor of the Virginia Senate version of the bill) explained that the lack of a private right of action under Virginia’s bill (in contrast to the limited private right of action the CCPA gives individuals for certain data breaches) was to prevent the law from “turn[ing] this into another business” through private lawsuit opportunities.

Consumer Rights under the CDPA

Under the CDPA, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person. ‘Personal data’ does not include de-identified data or publicly available information.” The CDPA grants its rights to “consumers,” meaning natural persons who are Virginia residents acting in an individual or household (rather than commercial or employment) capacity; employee and business-to-business contact data is therefore outside its scope.

The CDPA requires controllers (the entity that determines the purpose and means of processing personal data) to take the following actions upon a consumer’s request: (i) confirm whether or not the organization processes the requestor’s personal data, and provide access to the personal data being processed about the requestor; (ii) correct inaccuracies in the personal data being processed; (iii) delete the requestor’s personal data; (iv) deliver a copy of the requestor’s personal data in a portable and, to the extent technically feasible, readily usable format; and (v) honor a request to opt out of the processing of personal data for (a) targeted advertising, (b) sale, or (c) profiling in furtherance of decisions that produce legal or similarly significant effects on the requestor. The opt-out rights under this law go beyond a typical “sale” of the data, so businesses will need to track opt-out requests across every internal program (advertising, analytics, automated decision-making) that uses personal data in the organization’s possession. A controller generally has 45 days to respond; that period may be extended by another 45 days when reasonably necessary, provided the consumer is informed of the extension and the reason for it within the initial 45-day period.

Compliance with the CDPA

The CDPA applies to “…persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers, or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Notably, the CDPA defines a “sale of personal data” as an exchange for monetary consideration, rather than the broader “monetary or other valuable consideration” found in the CCPA. Another deviation from the CCPA is the lack of a standalone revenue threshold as a trigger for compliance. Both differences may narrow the number of businesses captured under the scope of this law compared to California.

Certain organizations are exempt from CDPA compliance, including: (i) financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act; (ii) any covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (iii) nonprofit organizations; and (iv) institutions of higher education. Certain types of data are also exempt, such as certain categories of information governed by HIPAA, the Family Educational Rights and Privacy Act of 1974 (FERPA), and the Fair Credit Reporting Act of 1970.

The CDPA is not limited to data privacy rights; it also creates substantive cybersecurity requirements, transparency (privacy notice) requirements, and data protection assessment requirements. Businesses must establish, implement, and maintain “reasonable administrative, technical, and physical data security practices” to protect the confidentiality, integrity, and accessibility of personal data, and must conduct and document data protection assessments for higher-risk processing activities, including processing for targeted advertising, the sale of personal data, certain profiling, the processing of sensitive data, and any processing that presents a heightened risk of harm to consumers. The Attorney General may request those assessments in an investigation. There is little to no guidance about what “reasonable” practices are, and companies should continue to monitor legislation and regulatory guidance in the near term to clarify these standards.

Be Wary of the “CCPA-lite” or “GDPR-lite” Claims

While there are certainly parallels with the two most prominent consumer data privacy laws currently in effect (CCPA and GDPR), this law has its own nuances. A few examples include the sale-of-data threshold for compliance (described above), the consumer appeals process, the role of the Virginia Attorney General, and the security requirements for protecting personal data.

Under the CDPA, consumers have the right to appeal a controller’s refusal to act on their request, adding a new compliance layer at the back end of a company’s consumer response process. The law mandates that this appeals process be “…conspicuously available and similar to the process for submitting requests to initiate action.” Not only is there an appeal process requirement, but if the appeal is denied, the company must also provide the consumer with a method (an online mechanism, if one is available) for contacting the Virginia Attorney General to submit a complaint.

Additionally, the Virginia Attorney General’s role differs from that of attorneys general under other state privacy laws. One of the banner deviations between this law and the CCPA is that there is no private right of action; all enforcement is by the Virginia Attorney General, who must give the business 30 days to cure an alleged violation and may then seek civil penalties of up to $7,500 per violation.

Similar Legislation in Other States

While Virginia is the first state to pass comprehensive consumer privacy legislation in 2021, it will likely not be the last. A pending bill in New York would give individuals a private right of action to exercise and enforce certain privacy rights akin to those in the CCPA. A bill under review in Washington State addresses similar consumer rights and related company responsibilities around data protection. Lastly, Florida and Minnesota are also in the process of introducing bills to strengthen consumer rights regarding personal data.

Next Steps

Businesses should not assume that compliance with the CCPA or GDPR translates automatically into compliance with the CDPA. While similar verbiage and terminology appear across the various active privacy laws, the definitions and framework set out in the Virginia law carry unique requirements and nuanced differences for each organization. As a first measure, lawyers, IT professionals, and privacy specialists within your organization need to fully assess what additional requirements the CDPA imposes, so as to develop a compliance plan suited to your business.

Finally, while 2023 may seem distant, the efforts required to comply with other recent privacy laws have shown that these initiatives take time to carefully plan, to assess gaps in current compliance mechanisms, and to implement new policies, processes, and remediation efforts. It is not too early to start CDPA compliance efforts (while keeping a watchful eye on other states’ pending initiatives to enact consumer privacy protection laws).

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.