The Commonwealth of Virginia Enacts a Consumer Data Privacy Law
On March 2, Virginia's governor signed into law the Virginia Consumer Data Protection Act (S.B. 1392; H.B. 2307) (the VA CDPA), which now becomes the second major comprehensive privacy law in the United States after the California Consumer Privacy Act (CCPA).
The VA CDPA will go into effect on January 1, 2023, the same date on which the amendment to the CCPA pursuant to the California Privacy Rights Act (CPRA) is slated to take effect. Although this date seems far away and expectant eyes are on the Biden administration to introduce federal legislation on consumer privacy, it would be prudent for businesses to review the applicability of the VA CDPA and to consider what, if any, changes they may need to prepare for.
In terms of applicability, the VA CDPA is much narrower than the CCPA. In particular, the VA CDPA does not apply to financial services companies that must comply with the Gramm-Leach-Bliley Act (GLBA) or to companies that must comply with HIPAA. It also does not apply to employees or business contacts. The VA CDPA applies to persons/entities that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
It is evident that the VA CDPA has taken pages from California's CCPA and the CPRA and also Europe's General Data Protection Regulation of 2016 (GDPR). Notably, the VA CDPA uses designations—"controller" and "processor"—similar to those in the GDPR and imposes specific obligations on each. Unfortunately, however, compliance with these other privacy laws may not suffice for compliance with the VA CDPA, which also imposes certain additional data security and data assessment requirements for covered businesses.
Like the CCPA and the GDPR, the VA CDPA vests in Virginia-resident customers certain specific rights with respect to their data. In addition to the rights of access, deletion, portability and opting out of the "sale" of data that a CCPA-covered business is obligated to provide in California, the VA CDPA additionally provides consumers the right to opt out of processing of personal data for the purposes of targeted advertising and to confirm whether a controller is processing personal data. Further, similar to the right to opt out of automated decision-making under the GDPR, under the VA CDPA, the covered business must provide consumers the right to opt out of profiling in furtherance of decisions made by the controller that produce legal or similarly significant effects concerning the consumer, namely, the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, healthcare services, or access to basic necessities such as food and water.
The VA CDPA requires covered businesses to follow the same process as that of the CCPA in authenticating and responding to consumer requests. Unlike under the CCPA, however, the VA CDPA specifically requires businesses to provide a "secure and reliable means" for consumers to submit their requests. Further, the VA CDPA goes beyond the CCPA to require covered businesses to conspicuously provide a process for the consumer to appeal the decision of the business to refuse to respond to their request.
Slightly different from the CCPA, which gives consumers an opt-out right regarding the processing of sensitive information, the VA CDPA requires controllers to obtain a consumer's consent (opt in) to process sensitive data about the consumer. Further, the VA CDPA requires covered businesses to enter into specific contracts with data processors (including any service providers or other third parties to which they transfer information). The VA CDPA also requires processors of certain personal data to conduct data protection impact assessments. While this requirement is not under the CCPA currently, effective January 1, 2023, under the CPRA, processing activities that present a "significant risk" to consumers' privacy or security will require annual audits and periodic risk assessments.
Unlike the CCPA, the VA CDPA does not include a private right of action; however, a consumer may submit a complaint to the Virginia attorney general. The Virginia attorney general is empowered to enforce the VA CDPA and also to exercise rulemaking authority. Noncompliant businesses will have a 30-day notice and cure period, failing which the Virginia attorney general may institute an action against the controller for injunctive relief or damages up to $7,500 per violation as well as "reasonable expenses incurred in investigating and preparing the case, including attorney fees."
While the VA CDPA mandates that controllers' data collection practices be limited to "what is adequate, relevant and reasonably necessary," the VA CDPA imposes several specific requirements on covered businesses, some of which push the boundaries of the existing legislation. Businesses that have already developed a GDPR or a CCPA compliance program will likely be in a better position to leverage their efforts to ensure compliance with the VA CDPA; however, they may not rest there. If there is any takeaway from this latest privacy legislation, let it be the indication that the government—at both the state and federal levels—is increasingly giving impetus to privacy rights; proactive businesses will likely benefit from taking future-proofing measures to implement a nationwide comprehensive data protection strategy.