Virginia Consumer Data Protection Act Signed Into Law
Virginia is now the second state to enact a comprehensive privacy law to enhance the protection of consumers’ data and expand consumer privacy rights. The Virginia Consumer Data Protection Act (“VCDPA”), H.B. 2307, was signed into law on March 2. The VCDPA shares some similarities with the California Consumer Privacy Act (“CCPA”) and the EU’s General Data Protection Regulation (“GDPR”), while establishing new definitions and requirements for controlling and processing Personal Data. The VCDPA takes effect on January 1, 2023.
Scope and Application
The VCDPA applies to persons and organizations that conduct business in Virginia or produce products or services that target Virginia residents, and that (i) control or process Personal Data of at least 100,000 consumers annually; or (ii) control or process Personal Data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of Personal Data. All non-profits, and Personal Data collected in business-to-business transactions, are exempt.
Personal Data is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. This definition is much narrower in scope than the definition of personal data that CCPA provides. However, Virginia has expanded the definition of Sensitive Personal Data to include religious beliefs, sexual orientation, and citizenship and immigration status, in addition to traditional sensitive data such as precise geo-location data, racial or ethnic origin, data collected from children under the age of 13, mental and physical health data, and biometric or genetic data. Significantly, the VCDPA requires that a person provide his or her affirmative consent before any Sensitive Personal Data is processed (i.e., collected, used, stored, disclosed, analyzed, deleted or modified by manual or automated means). No other federal or state law requires advance consent for such a broad range of Sensitive Personal Data.
The VCDPA is also unique among state privacy laws in its definition of deidentified data and the specific conditions that must be met for Personal Data to qualify as deidentified. Deidentified data, defined as data that cannot reasonably be linked to an identified or identifiable natural person, or to a device linked to such a person, is not classified as Personal Data and therefore is not subject to the full protections of the Virginia law.
Individual Privacy Rights
Similar to the CCPA and the GDPR, the VCDPA mandates several new consumer rights regarding Personal Data. These include a consumer’s right to
· confirm whether the controller is processing Personal Data;
· access Personal Data;
· delete Personal Data;
· correct inaccurate Personal Data;
· opt out of the processing of Personal Data for purposes of targeted advertising or the sale of Personal Data;
· opt out of profiling that results in legal or significant effects concerning the consumer;
· obtain a copy of Personal Data in a portable and readily usable format.
Unlike the CCPA, the VCDPA defines the “sale” or “selling” of Personal Data more traditionally, as an exchange of Personal Data by the controller to a third party for monetary consideration. To the benefit of businesses, the sale of Personal Data expressly excludes the following:
· Disclosure of Personal Data to a processor that processes the Personal Data on behalf of the controller;
· Disclosure of Personal Data to a third party for purposes of providing a product or service requested by the consumer;
· Disclosure or transfer of Personal Data to an affiliate of the controller;
· Disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or
· Disclosure or transfer of Personal Data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
The CCPA, on the other hand, defines the sale of Personal Information to include monetary or other valuable consideration, and includes the disclosure of personal information to any third party unless that party qualifies as a “Service Provider” under very stringent statutory and contractual requirements. The VCDPA also imposes specific contractual obligations on third-party processors, but those provisions do not affect whether a “sale” of Personal Data has occurred.
Virginia consumers may opt out of the processing of their Personal Data for “targeted advertising,” defined as displaying advertisements to a consumer where the advertisement is selected based on Personal Data obtained from that consumer’s activities across websites to predict individual preferences or interests.
The challenge for businesses that are classified as controllers will be to honor a consumer’s request under these various rights without undue delay, and in any event within 45 days of the consumer’s request. This time frame may be extended only once, for an additional 45 days, if reasonably necessary. If the business cannot honor a consumer’s request, it must notify the consumer in writing within 45 days of the request, explaining both why it is unable to honor the request and the process by which the consumer may appeal the decision. There are detailed statutory requirements for the appeal process.
Data Protection Assessment Documentation
Similar to the GDPR, the VCDPA requires companies to conduct a Data Protection Assessment (DPA) when processing Personal Data that presents a heightened risk to consumers’ privacy or security. Virginia is the first state to require such a detailed assessment. The DPA must document each of the following processing activities involving Personal Data:
· Sale of Personal Data
· Use of Personal Data for targeted advertising
· Processing Personal Data for profiling that could create foreseeable risk of injury to the consumer
· Processing Sensitive Data
· Processing Personal Data that could otherwise pose a heightened risk of harm to consumers
The DPA must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer associated with such processing, taking into account any available options to reduce those risks.
Enforcement and Penalties
Virginia’s sole enforcement mechanism is through the Virginia Attorney General’s office. Upon written notice from the Attorney General specifying the provisions of the law that are alleged to have been violated, a controller or processor has 30 days to cure such alleged violation(s), and to notify the Attorney General’s office, in a written statement, that all such violations have been cured, and that no further violations will take place. If a controller or processor continues to violate the statute following the cure period, the Attorney General may initiate an action seeking an injunction to restrain further violations and may seek civil penalties of up to $7,500 for each violation. This amount is triple the lowest statutory damage amount under the CCPA. The Attorney General may also recover expenses incurred in investigating and preparing the case, including attorney fees. Importantly, however, the VCDPA does not provide for any private right of action.
If you have any questions about this legislation or about privacy and data security law, please contact any attorney in our office.