As Congress remains locked in a stalemate over the terms of a comprehensive federal privacy law, states continue to forge ahead. Following California, Virginia is the second U.S. state to enact its own comprehensive privacy law governing the collection and use of personal data. Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2, 2021.
The CDPA applies to businesses that operate in Virginia or produce products or services that are targeted to Virginia residents, and (1) in any calendar year, control or process personal data of at least 100,000 Virginia residents, or (2) control or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
Concepts in the bill draw from other laws, such as the EU General Data Protection Regulation (GDPR), but the bill includes some pragmatic approaches designed to enhance privacy and to align with other laws, and in a manner that businesses can operationalize. Importantly, the CDPA does not authorize a private right of action.
The CDPA provides several rights to “consumers,” defined as Virginia residents acting in an individual or household context, and not individuals acting in a commercial or employment context. The CDPA appears to borrow some of its terminology from the GDPR, namely, the terms “controller” (defined as “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data”), “processor” (defined as “a natural or legal entity that processes personal data on behalf of a controller”), and “personal data” (defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excluding de-identified and publicly available information).
The CDPA grants consumers the right, subject to verification of their identity, to access, correct, delete, or obtain a copy of personal data, and the right to opt out of (1) the processing of personal data for the purposes of targeted advertising, (2) the sale of personal data, or (3) profiling “in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Businesses as controllers are prohibited from discriminating against consumers for exercising their rights, but with some exceptions, such as offers in connection with loyalty, rewards, club card, and similar programs.
The CDPA allows for a parent or legal guardian to invoke these rights on behalf of a child. The term “child” is defined as an individual under 13, which aligns with the Children’s Online Privacy Protection Act (COPPA). Parental consent rights for the collection, processing, and sale of children’s personal data also are consistent with COPPA.
In addition to responding to consumer requests described above, any business subject to the CDPA as a controller must provide a privacy notice that describes the categories of personal data processed, the purposes for processing data, how consumers can exercise their rights, the categories of personal data shared with third parties, the categories of third parties with whom personal data is shared, and how consumers can opt out of the sale of personal data to third parties or the processing of personal data for targeted advertising (if applicable). Controllers are also required to follow data minimization principles and to establish, implement, and maintain reasonable security practices to protect personal data.
Processors are required to assist controllers in meeting their obligations under the CDPA and controllers must have contracts in place with processors that impose specific requirements, as set forth in the CDPA.
The CDPA also requires that controllers obtain consent before they collect and process “sensitive data,” which includes data collected from children. However, the CDPA is drafted in a manner that avoids the possible conflict with COPPA; it prohibits processing of sensitive data concerning a known child unless the processing is in accordance with COPPA. This approach preserves the commonsense exceptions to parental consent and the “sliding scale” options for obtaining it, as well as the important “support for internal operations” exception to COPPA.
Similar to the GDPR, the CDPA requires that controllers conduct and document a data protection assessment when processing data for targeted advertising, engaging in the sale of personal data, processing personal data for profiling purposes, processing sensitive data, or engaging in processing activities that present a heightened risk of harm to consumers. Importantly, the bill takes a practical approach, establishing that a single assessment may address “a comparable set of processing obligations that include similar activities,” and that assessments conducted for purposes of compliance with other laws may comply if they have a reasonably comparable scope and effect. Businesses are not obligated to conduct mandatory audits.
The Attorney General has exclusive authority to enforce violations of the CDPA; there is no private right of action. Civil penalties of up to $7,500 may be imposed for each violation of the Act.