What do you get when you mix together a few parts of the CCPA and the CPRA, bits of the GDPR, and a dash of unique data privacy provisions? The newest comprehensive consumer privacy law, Virginia’s Consumer Data Protection Act (CDPA).
Passed last Friday (19 February 2021) by the Virginia General Assembly, the CDPA is now on the desk of Governor Northam, who is expected to sign it into law. The CDPA uses a framework similar to the California Consumer Privacy Act (CCPA) (which has been amended by the California Privacy Rights Act, or CPRA), but also borrows some key concepts (and terminology) from the EU’s General Data Protection Regulation (GDPR)—and adds in its own twists too.
Here are some key points to pay attention to in the CDPA, including how Virginia’s new privacy regime compares to the privacy laws in California and in Europe.
The good news for businesses is that Virginia’s CDPA has a somewhat more moderate scope than California’s CCPA. Virginia’s law would apply to fewer companies than California’s, exempts some information that is subject to the CCPA, and limits the definition of the “sale” of personal data. This means that some companies that are already subject to the CCPA may not be affected by Virginia’s CDPA, and some practices that California calls a “sale” of personal information will not qualify as a “sale” under Virginia law.
Regarding which organizations are subject to the CDPA, companies that conduct business in the Commonwealth of Virginia have to meet one of these two thresholds to be covered by the law:
(1) The company controls or processes the personal data of 100,000 or more Virginia residents in a calendar year; or
(2) The company controls or processes the personal data of 25,000 or more Virginia residents and derives over 50% of its gross revenue from the sale of personal data.
In comparison, the corresponding CCPA thresholds are processing the data of 50,000 California residents annually or deriving 50% of revenues from the sale of Californians’ personal information. (However, note that in 2023 that first threshold will increase to 100,000 consumers, matching the CDPA’s.) The biggest difference is that the Virginia law has no threshold tied solely to revenue; businesses that handle any California residents’ data and have over $25 million in annual, worldwide gross revenues are subject to the CCPA, regardless of how many consumers’ personal information they process. In Virginia, only businesses that handle a certain number of residents’ data will be subject to the CDPA, even if they make billions of dollars per year.
Virginia’s CDPA does have CCPA-style carve-outs that exempt data that is already subject to various other federal privacy laws such as the FCRA and FERPA. However, while the CCPA also exempts from its purview all data subject to HIPAA and the Gramm-Leach-Bliley Act (GLBA), Virginia’s law would exempt any organization subject to HIPAA or the Gramm-Leach-Bliley Act. In effect, banking institutions are subject to the CCPA in California but do not have to apply the rules of the CCPA to any data already covered by the privacy protections of the GLBA. In Virginia, the banks themselves would be exempted from the CDPA because they are regulated by the GLBA. This exemption for entire institutions subject to HIPAA or the GLBA is unusual, and it is worth keeping an eye on this provision to see whether the CDPA is amended before going into effect to clarify or remove it.
The definition of “personal data” in Virginia’s law is also a bit narrower than under (the current version of) the CCPA, thanks to a broader exemption for “publicly available” information. The CDPA in this respect is generally in line with the changes coming to the CCPA in 2023 (when California’s CPRA goes into effect). In addition to exempting information from government records, Virginia’s law would not cover information made available to the general public by the consumer, by someone the consumer disclosed it to, or in widely distributed media. This creates a potentially large gap in terms of data covered by Virginia’s law as compared to California’s.
The final way in which the CDPA’s scope differs from that of California’s CCPA is in how it defines the term “sale of personal data.” Virginia will only apply that term to transactions where the party receiving the data pays money to the supplier of the data. California, however, specifically defines sales as any exchanges of personal information for money “or other valuable consideration,” a much broader approach. California’s definition has been the subject of much debate, especially in situations where data is exchanged in return for analytics or other services, but no money changes hands. Virginia takes a more focused approach and defines “sale” in the same way that the word is commonly used outside of the legal context, which should reduce the confusion as well as the scope of the rules regarding the sale of personal data.
CDPA Rights and Obligations
The CDPA creates new data rights for Virginia residents and imposes a number of obligations on businesses. Consumers will have the right to access their personal data, correct inaccuracies (a right coming to California in 2023 when the CPRA goes into effect), request that their data be deleted, and obtain data that they previously provided to the business in a portable format. Like the CCPA, Virginia will allow consumers to opt out of the sale of their personal data, but it will also allow them to opt out of targeted advertising and profiling (in certain circumstances). The deadline for businesses to comply with rights requests made by Virginians is the same as under the CCPA: 45 days, with a possible 45-day extension.
Some changes from the CCPA that businesses will no doubt welcome are that Virginia’s CDPA: (1) does not require a “Do Not Sell My Personal Information” link on companies’ websites, and (2) does not micro-manage the proper form for receiving consumer privacy rights requests (in California, the rules dictate instances in which an online form, a telephone number, or other method must be made available). Virginia’s law is also less specific than California’s in terms of what must be included in a privacy notice. Virginia’s CDPA lays out only high-level requirements regarding what categories of personal data companies process and share with others, the purpose of the processing, the categories of third parties with which they share data, whether the businesses sell personal data or use it for targeted advertising, and how consumers can exercise their rights under the law.
Perhaps the most significant difference between Virginia’s new law and the CCPA in California—and one of the few areas where the CDPA is stricter than the CCPA—is that Virginia will require businesses to obtain consumers’ consent before processing “sensitive” personal data. Sensitive data is defined as (i) information about protected characteristics like race, religion, health, or sexual orientation; (ii) biometric data used to identify a person; (iii) minors’ personal data; or (iv) precise geolocation data. In order to process this kind of data, businesses must obtain “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data”—language taken almost verbatim from the GDPR’s opt-in consent model. California, by contrast, generally requires only that businesses give notice of their privacy practices before processing personal information, sensitive or otherwise, with no need to obtain explicit consent for any type of processing (although consent is required before an organization can sell a minor’s personal data under California’s CCPA).
Another obligation that may be new to businesses that have dealt primarily with the CCPA—but familiar to anyone who has done business in the EU recently—is that Virginia will require data protection assessments for certain kinds of data processing. These internal evaluations must weigh the benefits and risks associated with (i) targeted advertising, (ii) sales of personal data, (iii) profiling consumers in ways that could seriously affect them, (iv) processing sensitive data, and (v) any processing activities that “present a heightened risk of harm to consumers.” Businesses will not be required to disclose these assessments to the public, but the Attorney General may confidentially access them if relevant to an investigation into CDPA violations.
The Virginia law is unique in that it has separate categories of—and obligations regarding—de-identified and pseudonymous data. In short, de-identified data is data that cannot reasonably be tied to an individual and that a business has committed to protecting from attempts at re-identification, while pseudonymous data could be associated with a particular individual but the information necessary to do so is kept separate from the pseudonymized data. While pseudonymous data still qualifies as personal data under the law, it is not subject to rights requests provided a business can sufficiently demonstrate that the data will not be re-identified.
Unlike the CCPA in California, the CDPA contains no provision for the Virginia Attorney General (or any state agencies) to enact regulations to further flesh out the law, so what the legislature passed is what we get. However, the law does create a working group to advise the General Assembly on implementation issues by this November, which could prompt changes to the law before (or after) it goes into effect.
Finally, the CDPA contains no private right of action, meaning that individuals cannot sue businesses for alleged violations; the Attorney General alone is tasked with enforcing the law. Businesses face fines of up to $7,500 per violation, which is the amount provided in the CCPA only for intentional violations (garden-variety infractions in California are capped at $2,500 apiece). We have already seen a number of class actions filed in California that rely in some way upon the CCPA, so, while the per-violation cap is higher under the CDPA, companies subject to it are likely to still see lower costs associated with violations than they would if a private right of action had been granted.
The CDPA will not take effect until January 1, 2023, but companies should study up on their obligations under the law well before then. If your organization is already compliant with either the CCPA or the GDPR, becoming compliant with Virginia’s CDPA will still require a lift, but previous efforts at data mapping and in creating a system to receive and process privacy requests will lighten the burden significantly. Schedule a free demo with SixFifty to see how we can help you navigate the privacy requirements facing your organization.