Virginia Poised to Become the Next Big Player in U.S. Privacy Regulation
Last week, Virginia’s Senate and House of Delegates sent identical versions of a new privacy bill to Virginia Governor Ralph Northam’s desk. If Governor Northam signs the Virginia Consumer Data Protection Act (CDPA), Virginia will become the second state in the U.S. to pass a comprehensive data privacy law. The CDPA establishes a privacy framework for the controlling and processing of personal data in Virginia, borrowing concepts from the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the newly enacted California Privacy Rights Act (CPRA). The following are a few key takeaways from the CDPA.
Applicability of the CDPA
The CDPA applies to for-profit entities that conduct business in Virginia or produce products or services targeted to Virginia consumers and that, during a calendar year, either: (1) control or process the personal data of at least 100,000 Virginia consumers; or (2) control or process the personal data of at least 25,000 Virginia consumers and derive over 50% of gross revenue from the sale of personal data.
Definition of “Consumer”
The CDPA defines a “consumer” as a “natural person who is a resident of the Commonwealth acting only in an individual or household context.” This definition of consumer excludes consumers acting in a “commercial or employment context.”
Definition of “Personal Data”
Like the CCPA, GDPR, and CPRA, the CDPA broadly defines “personal data” beyond the definition of what is traditionally considered to be personally identifiable information. Under the CDPA, “personal data” means “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This definition excludes de-identified data or information that is publicly available.
The CDPA also carves out exceptions for protected health information governed by HIPAA, as well as data regulated by FERPA and FCRA.
Definition of “Sensitive Data”
The CDPA also sets forth special requirements for a category of data called “sensitive data,” most notably that a controller may not process sensitive data without first obtaining the consumer’s consent. Sensitive data includes: (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data processed to uniquely identify a natural person; (3) personal data collected from a known child; and (4) precise geolocation data.
Consumer Rights
The CDPA would provide Virginians the following privacy rights, which resemble rights provided by the CCPA and GDPR:
- Right to Access: the CDPA gives consumers the right to confirm whether or not a business is processing the consumer’s personal data and to access such personal data;
- Right to Correct: the CDPA gives consumers the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
- Right to Delete: the CDPA gives consumers the right to delete personal data provided by or obtained about the consumer;
- Right to Data Portability: the CDPA gives consumers the right to obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another business without hindrance, where the processing is carried out by automated means; and
- Right to Opt-out: the CDPA gives consumers the right to opt out of the processing of their personal data for purposes of (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Data Processing Agreements
Borrowing from the CCPA and GDPR, the CDPA imposes contractual requirements between controllers and processors. A controller-processor contract must, among other things: (i) set forth instructions for processing personal data, including the nature and purpose of the processing; (ii) identify the type of data subject to processing; and (iii) specify the duration of the processing.
Enforcement
The CDPA would not provide consumers a private right of action, giving enforcement authority exclusively to the Virginia Attorney General. Although the Attorney General could impose civil penalties of up to $7,500 per violation of the act, the CDPA would allow businesses a 30-day cure period following a notice of violation.
If Governor Northam signs the CDPA into law, it will go into effect on January 1, 2023 in tandem with the CPRA.
For further information about the CDPA or privacy laws in general, please contact John Landolfi, Christopher Ingram, Christopher LaRocco, Sarah Boudouris, Gretchen Rutz, or your Vorys attorney.