Privacy Law Update – Virginia’s Consumer Data Protection Act

Feb 9, 2021 | Privacy

Written by Rick Buck, Chief Privacy Officer, WireWheel

From a privacy perspective, 2021 is getting off to a quick start here in the United States. Privacy bills in New York and Minnesota are moving forward. Washington’s Privacy Act is gaining energy and now has a competing bill, HB 1433. Many other states including Alabama, Connecticut, North Dakota, and Utah are in some level of discussion on their version of a data privacy law. Virginia is the next state on the list with a very high likelihood to pass their privacy law.

Overview of the Proposed Virginia Law

On January 29, 2021, the Virginia House of Delegates passed HB2307, the Virginia Consumer Data Protection Act (CDPA, The Act). The next step is for the Senate and House to go through a reconciliation process. If enacted, it could be signed into law by the governor at the end of February with an effective date of January 1, 2023.

The CDPA resembles the GDPR and CCPA and is nearly identical to the Washington Privacy Act. It requires opt-in consent for the processing of sensitive data and for incompatible secondary uses, Data Protection Assessments, and compliance with consumer rights – access, deletion, correction, portability, and opt-outs of sale, targeted advertising, and profiling. Below is a broader overview of the pending law.

  1. Scope

    As currently drafted, the CDPA applies to:

    • Persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that during a calendar year:
      • Control or process personal data of at least 100,000 consumers or
      • Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data

    Note that the CDPA does not consider annual revenue, and with its threshold of 100,000 consumers it seemingly applies to fewer businesses than the CCPA.

  2. Key Definitions
    • A Consumer is defined as a natural person residing in Virginia acting only in an individual or household context.
    • Personal Data is broadly defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” De-identified and publicly available information is exempt under this definition.
    • Sensitive Data is defined as racial, ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data for the purpose of uniquely identifying a natural person, personal data collected from a known child, or precise geolocation data.
    • Sale of Personal Data is defined as “the exchange of personal data for monetary consideration by the controller to a third party.” Unlike CCPA, it does not include “other monetary consideration”.

    Exemptions from the definition of sale include:

    • Processing personal data on behalf of the controller
    • Third parties providing a product or service requested by the consumer
    • Transferring personal data to an affiliate of the controller
    • Information consumers intentionally make available to the general public
    • Transferring personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

  3. Privacy Rights

    The Act provides rights to Virginia residents (consumers) to:

    • Confirm whether a controller is processing their personal data and access that data
    • Correct inaccuracies in their personal data
    • Delete their personal data provided by or obtained about the consumer
    • Obtain a copy of their personal data in a portable, readily usable format
    • Opt out of the processing of their personal data for purposes of sale, targeted advertising, or profiling decisions

  4. Controller Responsibilities

    Data controllers must:

    • Respond to consumer requests within 45 days
    • Limit their data collection to data that is relevant and reasonably necessary
    • Only process data compatible with stated purposes and consent
    • Implement reasonable security practices to protect the data
    • Not discriminate against a consumer for exercising their privacy rights
    • Not process sensitive data without consent
    • Provide consumers with privacy notices that disclose basic information such as:
      • Categories of personal data collected
      • The purpose for the collection
      • How consumers can exercise their rights

  5. Data Processing Agreements

    Controllers must enter into data processing agreements with data processors that:

    • Provide instructions for the processing and the purpose of processing personal data
    • Identify the type of data subject, the duration of the processing, and the rights and obligations of both parties
    • Ensure that processors maintain confidentiality with respect to the data
    • Require the deletion or return of personal data at the conclusion of the service
    • Contractually pass down these obligations to their subcontractors

  6. Data Protection Assessments

    The CDPA requires controllers to conduct data protection assessments for processing that involves:

    • Targeted advertising
    • The sale of data
    • Certain profiling activities
    • Sensitive data
    • Any processing that presents a heightened risk of harm to consumers

  7. Exemptions

    There are many exemptions to the CDPA, including:

    • Complying with federal or state law, cooperating with law enforcement, or defending legal claims
    • Providing a product or service requested by the consumer
    • Performing a contract with the consumer
    • Preventing or detecting security incidents
    • HIPAA covered entities and business associates
    • Nonprofits
    • Higher education institutions
    • Financial institutions subject to Gramm-Leach-Bliley

  8. Enforcement

    The CDPA will be enforced by the Virginia Attorney General’s office.

    • Violations carry a 30-day notice period that gives the controller or processor the opportunity to cure the violation
    • Uncured violations are subject to an action seeking $7,500 per violation
    • The CDPA does not include a private right of action

What should you do to get ready for this new law?

While Virginia may be the next state to enact a data privacy law, it won’t be the last. Complying with this law (as currently written) will most likely be consistent in many ways with what you are already doing for California, probably Washington, and of course the European Union. If you’ve mapped to those requirements, you’re pointed in the right direction to comply with the CDPA. There is, however, still work to be done, including updating your policies, vendor agreements, and subject request mechanisms, and re-assessing your products, systems, and services.

The WireWheel platform is built with the flexibility to accommodate these changes with ease and efficiency and can help your company with managing the rights requests and the data protection assessments.