From Coast to Coast: Virginia Passes First Consumer Data Protection Act Since the CCPA

March.03.2021

Following in the footsteps of the California Consumer Privacy Act (CCPA), the Commonwealth of Virginia has become the second U.S. state to enact comprehensive consumer data protection legislation. The Virginia Consumer Data Protection Act (VCDPA) was signed into law by Governor Ralph Northam yesterday on March 2, 2021. The VCDPA will become effective on January 1, 2023, right alongside the recently enacted California Privacy Rights Act (CPRA), which significantly amended the CCPA (additional information on the CPRA can be found here). The following is a brief description of the VCDPA’s key components. Keep an eye out for a forthcoming article outlining the most important differences between the VCDPA and the CPRA.

Who Is Required to Comply?

Controllers and Processors

The VCDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:

  • during a calendar year, control or process personal data of at least 100,000 Virginia residents; or
  • control or process personal data of at least 25,000 Virginia residents and derive more than 50 percent of gross revenue from the sale of personal data. § 59.1-572.A

Like the European Union’s General Data Protection Regulation (GDPR), the VCDPA distinguishes between controllers and processors:

  • A controller is the natural or legal person that, alone or jointly with others, determines the purpose and means (i.e., the why and the how) of processing personal data. § 59.1-571
  • A processor is the natural or legal entity that processes personal data on behalf of the controller. § 59.1-571

Statutory Exemptions

Through the definition of “consumer” and other provisions, the VCDPA generally does not apply to information about a natural person acting in a commercial (B2B) or employment context (including emergency contact information and benefits information). §§ 59.1-571; 59.1-572.C.14. It is important to note that unlike the CCPA, there is no sunset period for this exemption.

The VCDPA further does not apply to (i) non-profit organizations; (ii) institutions of higher education; (iii) Virginia government entities; (iv) financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); (v) covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA), nor any protected health information under HIPAA and certain other regulated health information; and (vi) processing of information pursuant to the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), Family Educational Rights and Privacy Act (FERPA), and Farm Credit Act (FCA). § 59.1-572

The VCDPA also contains a number of additional limitations on its scope and application that are beyond the scope of this article. § 59.1-578

What Information Is Protected?

Personal Data

The VCDPA protects “Personal Data,” which is defined broadly to mean any information that is linked or reasonably linkable to an identified or identifiable natural person. § 59.1-571

The Act delineates “Sensitive Data” as a separate category of personal data, which includes: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal data collected from a known child under the age of 13; or precise geolocation data (any information derived from technology that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet). § 59.1-571

Personal data under the VCDPA does not include:

  • De-Identified Data, which is data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person. § 59.1-571
  • Publicly Available Information, which includes information lawfully made available from government records and information the controller or processor has a reasonable basis to believe is lawfully made available to the general public under certain circumstances. § 59.1-571

The VCDPA also excludes “Pseudonymous Data” from certain controller obligations (excluding Sensitive Data Restrictions) and certain consumer rights (excluding Opt-Out Rights), provided the controller can demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 59.1-577.D

What Obligations Do Controllers Have?

The VCDPA requires a controller to:

  • Consumer Notice: Provide consumers with a reasonably accessible, clear and meaningful privacy notice about the controller’s privacy practices and consumer’s rights. § 59.1-574.C
  • Collection Limitation: Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. § 59.1-574.A.1
  • Purpose Limitation: Not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, unless the controller obtains the consumer’s consent or an exception applies. § 59.1-574.A.2
  • Sensitive Data Restriction: Not process sensitive data concerning a consumer without obtaining the consumer’s consent. § 59.1-574.A.5
  • De-Identified Data Requirements:

    • Take reasonable measures to ensure that the data cannot be associated with a natural person;
    • Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
    • Contractually obligate any recipients of de-identified data to comply with these requirements. § 59.1-577
  • Reasonable Security: Establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, which are appropriate to the volume and nature of the personal data at issue. § 59.1-574.A.3
  • Data Protection Assessments: Conduct and document a data protection assessment for:

    • The processing of personal data for purposes of targeted advertising;
    • The sale of personal data;
    • The processing of personal data for purposes of profiling that presents certain reasonably foreseeable risks to the consumer;
    • The processing of sensitive data; and
    • Any processing activities involving personal data that present a heightened risk of harm to consumers. § 59.1-576
  • No Discrimination:

    • Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. § 59.1-574.A.4
    • Not discriminate against a consumer for exercising any of the consumer rights granted by the VCDPA, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer (with qualified exceptions for when a consumer exercises their right to opt out or is voluntarily participating in a bona fide loyalty, rewards, premium features, discounts or club card program). § 59.1-574.A.4
  • Processor Contracts: Enter into a contract with any processor, which among other things sets forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. § 59.1-575.B

What Obligations Do Processors Have?

The VCDPA requires processors to:

  • Comply with Instructions: Adhere to the instructions of a controller. § 59.1-575.A
  • Provide Assistance to the Controller: Assist the controller in meeting its obligations under the VCDPA, including in relation to (i) consumer rights requests, (ii) protecting personal data and reporting any breach of personal data and (iii) data protection assessments. § 59.1-575.A
  • Controller Contracts: Enter into the necessary contract with the controller. § 59.1-575.B

What Rights Are Granted to Consumers?

The VCDPA requires a controller to comply with authenticated requests to exercise the following rights:

  • Right to Access: To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data. § 59.1-573.A.1
  • Right to Portability: To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. § 59.1-573.A.4
  • Right to Correction: To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. § 59.1-573.A.2
  • Right to Opt Out: To opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 59.1-573.A.5
  • Right to Deletion: To delete personal data provided by or obtained about the consumer. § 59.1-573.A.3

The VCDPA is unique in that it provides a statutory right to appeal the denial of a consumer rights request. If such an appeal is denied, the controller must ensure the consumer is provided with “an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.” § 59.1-573.C

How Is the Law Enforced?

The Virginia Attorney General will have exclusive authority to enforce the VCDPA through civil investigative demands and civil actions for injunctive relief and civil penalties of not more than $7,500 per violation. The Act includes a 30-day right-to-cure provision and does not contain a private right of action. §§ 59.1-579; 59.1-580

Conclusion

In summary, the Commonwealth of Virginia has become the second U.S. state to enact comprehensive consumer data protection legislation, following in the footsteps of the CCPA. The VCDPA will become effective on January 1, 2023, and will (i) impose new obligations on both controllers and processors who process personal data of Virginia residents and (ii) grant new rights to Virginia residents with respect to their personal data. Stay tuned for further updates on preparing for the VCDPA and how this new law compares to other comprehensive data protection legislation.