On March 2, 2021, Virginia enacted the Consumer Data Protection Act (“VCDPA”). The VCDPA will become effective January 1, 2023. The VCDPA shares its roots with the California Consumer Protection Act (“CCPA”) and the recently approved California Privacy Rights Act (“CPRA”), and will regulate how businesses (the VCDPA refers to businesses as “controllers”) collect and share personal information. While the VCDPA incorporates many concepts of the CCPA and the CPRA, there are also several key differences in the scope, application, and enforcement of the law.
Because businesses operate nationally (and globally), however, the effect of the Virginia law in moderating the national effects of the CCPA are unclear. Businesses often can’t easily distinguish their consumers’ state of residency and have no practical alternative but to follow the strictest privacy requirements nationally. This is likely to result in consumers across the U.S. benefitting from the California protections and the additional rights under the VCDPA. For businesses, VCDPA is unlikely to offer relief. The law’s limited definition of “sale” is unlikely to have a national effect. This is because the apparent key target of the “sale” provisions in state laws – online tracking and advertising — cannot be limited to state borders. Businesses should feel relief that the VCDPA does not provide for a private right of action, and does not appear to open another front in plaintiffs litigation.
In key departures from California’s privacy laws, the Virginia law:
- Narrows the definition of the “sale” to require monetary consideration, and excludes the sharing of personal data among affiliates.
- Sets out a broader exemption for financial institutions that are subject to GLBA (not limiting the exemption to the processing of NPI).
- Does not apply to employee or business contact information.
- Grants additional rights for Virginia consumers, including the right to appeal a controller’s refusal to take action on a consumer rights request.
- Requires affirmative opt-in consent for the processing of sensitive personal data.
- Does not provide for a private right of action for consumers.
- Does not authorize the Virginia Attorney General’s Office to issue regulations implementing the law, but creates a working group to review and make recommendations on revisions to the law.
VCDPA’s Scope and Key Terms
The scope of the VCDPA is narrower than that of the CCPA and CPRA. Businesses (i.e., “controllers” under the VCDPA) will find that there are more exemptions and exclusions from compliance in the VCDPA compared to its California counterparts.
Principally, the VCDPA applies to businesses that are based in Virginia or businesses outside of Virginia that target their products or services to Virginia residents, to the extent the business (i) during a calendar year controls or processes personal data of at least 100,000 Virginia consumers; or (ii) controls or processes personal data of at least 25,000 Virginia consumers and derives over 50 percent of gross revenue from the “sale” of their personal data. The VCDPA does not apply to non-profits or Virginia government entities. Significantly, the law also exempts entities subject to the GLBA and HIPAA, and personal data subject to the FCRA, FERPA, and COPPA.
Another key distinction is that the VCDPA treats employee and business data differently than the CCPA and CPRA. The VCDPA expressly exempts data processed or maintained in the employment context, whereas the CCPA only has a limited exemption for employee data. The VCDPA’s definition of a consumer also excludes personal data of individuals acting in a business capacity. The VCDPA defines a consumer as a Virginia resident acting only in an individual or household context. This is in contrast to the CCPA and CPRA which broadly define a consumer as a resident of California, and have a more limited exemption for employee and business-to-business data. The CCPA’s limited exemption for employee data and business-to-business data will both expire in January 2023.
The VCDPA contains other exclusions and exemptions that are equivalent to the CCPA and CPRA, including exemptions for the processing of de-identified data, publicly available information, pseudonymous data, and clinical trial data. The VCDPA views ”pseudonymous” data as personal, and subject to the consumer rights to opt out of the processing of such data for targeted advertising, sales, or profiling in furtherance of auto-decision making. However, the law doesn’t give consumers the right to access, correct, or delete pseudonymous data.
Consumer Privacy Rights
While the VCDPA may be narrower in scope than the CCPA and CPRA, it does expand consumer rights for Virginia residents and, likely, for consumers nationally.
In addition to including the privacy rights that the CCPA and CPRA offer, the VCDPA grants consumers the right to know whether or not a controller is processing the consumer's personal data, and the right to opt out of (i) the processing of personal data for the purpose of targeted advertising, and (ii) profiling in furtherance of auto-decision making.
Significantly, the VCDPA goes beyond the CCPA and the CPRA by providing consumers with additional avenues to enforce their rights. The VCDPA establishes a process for consumers to appeal a controller’s refusal to take action on any consumer rights request. The law requires controllers to inform the consumer, within 60 days of receiving an appeal, of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the controller denies the appeal, it must also provide the consumer with a method to contact the Virginia Attorney General’s Office to submit a complaint. This provision is unique to the VCDPA, as neither the CCPA or CPRA grants consumers the right to appeal a controller’s decision on data rights.
OBLIGATIONS OF CONTROLLERS — SENSITIVE DATA, DATA PROTECTION ASSESSMENTS, AND CONTRACTS
Controllers will have obligations under the VCDPA that are similar to those imposed by the CCPA and CPRA. However, there are a few important differences. For instance, both the VCDPA and the CPRA define and regulate how businesses can collect and process sensitive personal data, but the laws’ standards and methods of compliance are quite different.
The CPRA gives consumers the right to limit the use of their sensitive personal information, and requires businesses that collect and process sensitive personal information to provide a link on their homepage(s) entitled “Limit the Use of My Sensitive Personal Information.” In contrast, the VCDPA takes an opt-in approach. Controllers must obtain “freely given, specific, informed, and unambiguous” opt-in consent to process sensitive data. In this instance, VCDPA articulated the opt-in requirement similarly to the EU’s General Data Protection Regulation (“GDPR”). It is unclear how Virginia regulators will interpret the requirement for the consent to be "freely given." The European Data Protection Board (EDPB) famously interprets the need for the consent to be “freely given” very strictly.
Data Protection Assessments
The VCDPA makes data protection assessments mandatory if a controller engages in processing personal data for purposes of targeted advertising, the sale of personal data, the processing of sensitive data, and any processing activities that present a heightened risk of harm to consumers. The law’s concept of heightened risk is another instance of borrowing from the GDPR and the EDPB guidance. The Virginia Attorney General can request that a controller disclose any data protection assessment that is relevant to an investigation.
The CPRA includes a similar requirement for businesses whose processing of consumers’ personal information presents “significant risk to the consumers’ privacy or security” to conduct annual audits and periodic risk assessments. The CPRA will require annual submission of such assessments to the soon-to-be-created California Privacy Protection Agency.
Privacy and Security Terms in Processor Contracts
Like the GDPR and the CPRA, the VCDPA requires contracts between controllers and processors to include specific provisions governing the scope and nature of personal information processing activities. The VCDPA requires contracts to include instructions for processing data, the nature and purpose of processing, the types of data subject to the processing, the duration of processing, and the rights and obligations of the controller and processor. The VCDPA also requires contracts to include terms that require the processor to maintain appropriate confidentiality standards, sub-processor agreements, and audit controls.
SALE OF DATA
The ambiguity surrounding the definition and interpretation of the “sale” of personal data under the CCPA is well-known, and both the CPRA and VCDPA have attempted to clarify the CCPA’s definition. The VCDPA limits the definition of “sale" to the disclosure of personal data for monetary consideration to a “third party.” The law defines “third parties” to exclude consumers, processors, or the controller’s or its processors’ relevant affiliates. The VCDPA also expressly excludes from the definition of “sale” the disclosure of personal data by a controller to its processors, the sharing of personal data among affiliates, and the disclosure of information that the consumer intentionally made available to the public and did not restrict to a specific audience.
An "affiliate" under the VCDPA is a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. The CCPA does not require monetary consideration for a data exchange to be a “sale,” and provides a more limited exemption for sharing of data among affiliates by requiring the affiliates to have both common control and common branding.
The Virginia Attorney General’s Office has exclusive authority to enforce the VCDPA. Like the CCPA, the VCDPA has a 30-day right to cure provision (the CPRA removes the compulsory 30-day cure period for administrative enforcement actions). If the controller or processor fails to correct any alleged violation within 30 days, the Virginia Attorney General can seek damages for up to $7,500 for each violation of the law. In contrast to the CCPA and CPRA, the VCDPA does not provide consumers with a private right of action.
REVIEW AND IMPLEMENTATION OF THE LAW
The VCDPA does not authorize the Attorney General’s Office to issue regulations to implement the VCDPA. However, the law requires Virginia’s Joint Commission on Technology and Science to create a working group to review and make recommendations on the law and its implementation. The working group will include various Virginia government agencies, the Attorney General, representatives of businesses, and consumer rights advocates. It is unclear whether the working group will solicit comments, but businesses impacted by the VCDPA should in any event consider submitting recommendations. The working group must submit their findings and recommendations to the Virginia legislature by November 1, 2021.
In many ways the enactment of the VCDPA clarifies the need for comprehensive federal privacy legislation in the United States. Because companies operate nationally and globally, state comprehensive privacy laws have the effect of creating a framework in which companies in practice have no alternative but to follow the most restrictive provisions of the state laws. In the case of the VCDPA, this means no relief for businesses from the law’s limited definition of sale (as compared to the California laws), combined with the additional burden of complying with expanded consumer privacy rights.
Companies should be following state developments closely to adjust their privacy practices in anticipation of the new requirements, while hoping that Congress will act to bring certainty to the rules of the road for the processing of unregulated personal information in the United States.