What The Consumer Data Protection Act Means For Businesses and Virginia Residents
In March of 2021, Virginia became the first state on the east coast with a comprehensive data privacy protection law. The Virginia Consumer Data Protection Act (“CDPA” or the “Act”) goes into effect on January 1, 2023. The CDPA takes inspiration from the EU’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) but its sponsors avoided some of the weaknesses of those two predecessors.
Here Are The Highlights:
- “Controllers” are businesses that collect consumer data. The CDPA requires Controllers to be good stewards of Virginians’ personal data through transparency with consumers, accountability for how data is shared with third parties, and implementation of appropriate data security to safeguard the data.
- “Processors” are third parties that did not collect the consumer’s data but, rather, receive it from Controllers as part of a business arrangement. Essentially, Processors are the Controller’s vendors or subcontractors with whom the Controller shares data.
- The Act defines two types of personally identifiable information:
- “Personal Data” is “any information that is linked or reasonably linkable to an identified or identifiable natural person” but does not include de-identified or publicly available data; and
- “Sensitive data” (a subset of Personal Data), is data that:
- Reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status
- Genetic or biometric data
- Personal data of a consumer who is known to be a child
- Precise geolocation data
Virginia residents have five new data protection rights:
The Right to Know whether a business is collecting and processing Personal Data.
The Right of Access to their Personal Data held by businesses and to obtain a copy of it.
The Right to Correct Inaccuracies in their Personal Data, considering the nature of the information and the businesses’ purpose for collecting and processing it.
The Right to Data Portability, meaning that the format in which a business keeps Personal Data must be portable and readily usable so that the consumer can transmit the data to another Controller.
The Right to Opt Out of allowing businesses to use Personal Data for:
- Targeted advertising
- Sale from one Controller to another
- Profiling, meaning use of Personal Data for decision making that has legal or other significant effects on the consumer
- The CDPA does not include a private right of action – consumers will not be able to sue companies that fail to comply with the CDPA. Instead, the Virginia Office of the Attorney General (“OAG”) will enforce the Act. The OAG’s funding will come, in part, from fines and fees levied against companies that fail to comply with the Act.
Which Businesses Are Impacted By The Virginia Consumer Data Protection Act?
The CDPA was drafted to avoid burdening small businesses and some nonprofits are exempt irrespective of size or operational practices. Regardless of where a business is located, the CDPA applies if a business “targets” Virginia consumers and meets either of these two thresholds for annual processing of PI:
- Over 100,000 Virginia consumers; or
- If 50% or more of gross revenue is from data sales, then annual processing of over 25,000 Virginia consumers triggers the Act.
Though the definition of “targeting” is somewhat complex, essentially it means that a business intentionally includes Virginians in its marketing and actively markets to residents of the Old Dominion. The Act protects only “consumers” who are natural persons residing in Virginia and acting in an individual or household context.
It excludes a natural person acting in the context of commerce or employment. The Act also expressly exempts businesses that are covered by federal privacy laws such as Gramm-Leach Bliley (financial institutions) or the Health Insurance Portability and Accountability act (health care providers and insurers). The Act also excludes personal information regulated by the federal Fair Credit Reporting Act.
What Must Businesses Do To Comply With The Consumer Data Protection Act?
For decades, Virginia has recognized core principles related to collection and use of personal information but the CDPA is the first time Virginia has codified these principles to regulate the private sector. Companies subject to the Act must:
Notify consumers: Businesses must post a privacy polity that accurately discloses all intended purposes for the businesses’ use of the Personal Data. Privacy policies must include:
- The categories of Personal Data the business collects, and which categories of data are shared with third parties
- The businesses’ purpose for processing the Personal Data
- Methods by which consumers may exercise their rights regarding their Personal Data
- The types of third parties with which the business shares Personal Data it has collected
- Whether the business sells Personal Data or uses it for targeted advertising and, if so, how consumers may opt out
Get prior consent before processing Sensitive Data: Businesses must get affirmative consent from a consumer before collecting or processing Sensitive Data regardless of the purpose.
Further, companies should only keep consumers’ Personal Data for current business purposes. Once the Act goes into effect, businesses may no longer do what many of them have been doing for decades: hoovering up every scrap of data they can find and using it however they want, without accurate disclosure to the consumer.
Implement data security practices: Businesses subject to the Act must “establish, implement and maintain reasonable administrative, technical and physical data security practices” to protect access to and the confidentiality and integrity of Personal Data. These data security practices must be “appropriate to the volume and nature” of the Personal Data in question.
Companies must also perform a formal data protection audit of activities involving Sensitive Data, Personal Data used in an activity that creates a “heightened risk of harm” to consumers, or Personal Data that the company sells, uses for profiling consumers, or uses for targeted advertising.
Companies may use an established third-party standard for their audit. During an investigation of a company’s compliance with the Act, the OAG may request a company’s data protection audit to determine whether the company met the Act’s requirements for safeguarding Personal Data.
Develop processes to fulfill consumer rights: As detailed above, Virginians will have five new rights to control their Personal Data and businesses that are subject to the Act must develop procedures to respond to consumers who elect to exercise their rights.
Within 45 days of receiving notice from a consumer, the business must fulfill the consumer’s request. However, there is an additional 45-day extension available if “reasonably necessary”, but even then, the business must respond to the consumer within 45 days. Consumers are entitled to two free inquiries each year but beyond that, businesses may charge an administrative fee if costs are excessive or repetitive.
If a business cannot authenticate a consumer’s identity or the consumer is inquiring about data that does not fall under the definition of Personal Data, then the business can decline to fulfill the consumer’s request, but it still must respond in writing no later than 45 days after receiving the request—providing a written explanation for the denial and information on how to contact the OAG to submit a complaint.
Control downstream Processors: Currently, the sale of Personal Data from one business to another is unregulated. That changes on January 1, 2023 because the Act imposes responsibility on Controllers for the acts of their Processors (vendors or other third parties with which they share or sell Personal Data). The CDPA requires contracts between Controllers and Processors and the contract must include provisions regarding:
- The type of Personal Data to be shared
- Instructions to the recipient of the data that detail the processing the recipient may do with the data and the duration of the processing
- A duty to maintain confidentiality
- An obligation on the Processor to delete or return the Personal Data to the Controller at the conclusion of the project (unless the Processor is legally required to retain the data)
- The Controller’s right to access the Processors policies, technical, and organizational measures to ensure compliance with the Act. The obligations of the Act flow downstream to all vendors and subcontractors.
Virginia’s CDPA will benefit from a Working Group composed of cabinet-level officials, consumer rights advocates, and businesses which will continue to study the issues surrounding consumer personal data and propose tweaks to the CDPA so that the law can be amended before enactment, if necessary.
The Act is a noteworthy moment in U.S. and Virginia history, vaulting Virginia into the ranks of the few states that have developed frameworks for protecting consumer’s data without overburdening businesses. Though the Act exempts businesses that collect data on fewer than 100,000 Virginians annually, even small businesses should take note of these requirements and implement as many of them as possible as best practices.
Read the entire Virginia Consumer Data Protection Act here.
Interested in other consumer data protection laws? Learn more about the California Consumer Protection Act (CCPA) here.
Tricia Dunlap, Managing Partner of Dunlap Law, is an attorney and Certified Information Privacy Professional. She is the co-chair of the Richmond KnowledgeNet chapter of the International Association of Privacy Professionals. Contact her for help or more information on your businesses’ data privacy and security issues.