On March 2, 2021, Virginia enacted the Consumer Data Protection Act (the “CDPA”) with the goal of establishing a framework for controlling and processing the personal data of Virginia residents. While the CDPA resembles California’s Consumer Privacy Act (“CCPA”) in some regards and the European Union’s General Data Protection Regulation (“GDPR”) in others, the CDPA is likely the first step in a line of new state laws governing the processing of consumers’ data. As such, companies should use this time to familiarize themselves with the details of the CDPA so as to begin adapting their handling of consumer data.
Who Does the CDPA Apply to?
The CDPA applies to all companies that operate a business or produce products or services targeted to residents of Virginia, and that:
- during a calendar year, control or process personal data of at least 100,000 consumers; or
- control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
Equally important is who is exempted from the CDPA. To that end, the CDPA does not apply to i) any governmental body within Virginia; ii) financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); or iii) any covered entity or business associate governed by the privacy, security, and breach notification rules under HIPAA or HITECH. Va. Code Ann. § 59.1-572(A).
What is “Sensitive Data” Under the CDPA?
Understanding what constitutes “sensitive data” under the CDPA first requires an understanding of what is “personal data” under the CDPA. The CDPA defines personal data as “any information that is linked or reasonably associated to an identified or identifiable natural person”. Va. Code Ann. § 59.1-571. However, personal data under the CDPA does not include de-identified data or “publicly available information”. Id.
The CDPA more heavily regulates a covered business’s processing and handling of sensitive data. Under the CDPA, sensitive data is defined as including:
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- the personal data collected from a known child; or
- the precise geolocation of an individual. Va. Code Ann. § 59.1-571.
Moreover, the CDPA provides certain exceptions for data that is not considered sensitive data, including, but not limited to:
- protected health information under HIPAA; information used only for public health activities under HIPAA; information derived from any of the health care-related information that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA; patient identifying information for purposes of 42 U.S.C. § 290dd-2; information created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.) or the Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.);
- information collected and maintained as regulated and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.); and
- personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.). Va. Code Ann. § 59.1-571(C).
What is My Business Required to Do if it is a Covered Business?
Under the CDPA, a covered business is required to:
- adopt data minimization practices;
- disclose its privacy practices through a “meaningful privacy notice”;
- implement data security measures;
- refrain from discriminating against consumers who exercise their rights under the CDPA; and
- obtain consent prior to processing sensitive data, as defined above. Va. Code Ann. § 59.1-574.
Moreover, a covered business may be required to conduct risk assessments of its data protection practices. These risk assessments must be conducted where the covered business’s activities involve:
- the processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk;
- the processing of sensitive data; and
- any processing activities involving personal data that present a heightened risk of harm to consumers. Va. Code Ann. § 59.1-576.
Does the CDPA Provide Any Rights to Virginians?
Under the CDPA, Virginians are provided certain individual rights including:
- the right to access their data;
- the right to amend their data;
- the right to delete their data;
- the right to transfer their data; and
- the right to opt out of certain uses of their personal data. Va. Code Ann. § 59.1-573(A)(1-5).
What Happens If My Business Violates the CDPA?
The CDPA does not contain a private right of action. Va. Code Ann. § 59.1-579(C). As such, enforcement falls within the exclusive jurisdiction of the Virginia Attorney General. Va. Code Ann. § 59.1-579(A). Under the CDPA, the Virginia Attorney General is required to provide the covered business a letter outlining the provisions of the CDPA that have been, or are alleged to have been, violated. Va. Code Ann. § 59.1-579(B). The covered business then has 30 days to cure any alleged violations. Id. If the covered business cures the alleged violations of the CDPA “and provides the consumer an express written statement that the alleged violations have been cured and that no further violations shall occur”, then the Virginia Attorney General is not to seek statutory damages against the covered business. Id. Nevertheless, if the covered business fails to cure the alleged violations of the CDPA, it may be “subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation.” Va. Code Ann. § 59.1-580(B).
When Will the CDPA Become Effective?
The CDPA will become effective on January 1, 2023. Va. Code Ann. § 59.1-581. Moreover, in contrast to the new California Privacy Rights Act (“CPRA”), the CDPA does not contain a twelve-month lookback period, and thus compliance with the CDPA will only be required moving forward.
What Do I Do Next?
Now is the time to prioritize developing a robust, scalable data privacy program within your organization. First and foremost, conducting an assessment to determine which laws and regulations, such as the CDPA, CCPA, or GDPR, apply to your organization is a good starting point. Your business may be required to make additional disclosures about your data collection practices and how consumers can exercise certain rights over that data.
Octillo’s dedicated data privacy attorneys routinely provide guidance on various consumer data privacy regulatory regimes and are especially well positioned to help your business adapt to the changing legal landscape. We recommend reviewing all cookie consent banners and just-in-time notices to evaluate whether they provide the necessary opt-out consent for targeted advertising as required by the CDPA and other evolving laws. Based on the above, if you believe that the CDPA may impact your business, reach out to Octillo for assistance.
*Attorney Advertising; prior results do not guarantee similar outcomes.