All You Need to Know About Virginia’s CDPA

On 2 March 2021, Virginia became the second US state to enact comprehensive privacy legislation. The Virginia Consumer Data Protection Act (CDPA) draws heavily from existing laws such as the California Consumer Privacy Act (CCPA) and its expansion of the California Privacy Rights Act (CPRA) as well as the EU General Data Protection Regulation (GDPR). Virginia’s CDPA is scheduled to take effect on the same date as the CPRA, on 1 January 2023.

The Virginia CDPA is the first US privacy legislation to be passed on the initiative of a state legislature. The CCPA, while passed earlier, was hastily drafted and passed to avoid the inclusion of a stricter privacy initiative on voter ballots in the November 2018 elections.

Who does the CDPA apply to?

Unlike the CCPA, which uses terms such as “business” and “service provider” to refer to the entities the law applies to, the CDPA opts for language in line with GDPR, referring to “controllers” and “processors”, explicitly making both liable for violations.

To fall under the CDPA, a company must conduct business in Virginia or produce services or products targeting Virginia residents and either:

• Control or process the personal data of at least 100,000 consumers during a calendar year or
• Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.

Another key difference from the CCPA is that the CDPA does not impose a revenue threshold for applicability. This means small businesses are not exempt from compliance and larger organizations can avoid it if they do not fall within one of the two applicability criteria.

There are five categories of organizations that are exempt from the CDPA: higher education institutions, nonprofit organizations, any financial institution subject to the Gramm-Leach-Bliley Act (GLBA), any business subject to the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) and anybody, authority, board, bureau, commission, district, or Virginian agency or any Virginian political subdivision.

What type of data does the CDPA protect?

The CDPA protects personal data, defined as any information that is linked or reasonably linkable to an identified or identifiable natural person, and excludes de-identified data and publicly available information.

The CDPA takes a step further when defining publicly available information. Going beyond data that is lawfully made available through federal, state, or local government records, it also includes information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted it to a specific audience. This expanded definition allows for a subjective inquiry into a company’s reasonable belief beyond the more clear-cut categories traditionally listed in such laws.

There are also 14 categories of exempted data, most referring to sensitive information regulated through other laws. These include data that fall under the incidence of GLBA, HIPAA, the Fair Credit Reporting Act, the Drivers Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act. One notable category is employee data which is exempt because individuals acting in a commercial or employment context are not considered consumers under the CDPA.

New rights for consumers

The CDPA has granted Virginia consumers a series of new rights similar to those granted under laws like GDPR and CCPA. Individuals will have the right to confirm whether their data is being processed and access it. They will be able to correct inaccuracies in their personal data or request its deletion. They will also have the right to data portability which means companies must be able to provide them with a copy of their personal data in a portable and readily usable format so it can be transmitted to another controller without hindrance.

Virginia consumers will have the right to opt out of the processing of their personal data for purposes such as targeted advertising, the sale of personal data, and profiling. Finally, the CDPA grants individuals the right to appeal a company’s denial to act within a reasonable time.

Businesses must respond to a consumer request within 45 days of receipt of the request. This can be extended by an additional 45 days if it is considered reasonably necessary. The CDPA provides no exceptions to these new rights: companies that receive an authenticated request must comply with it or they will be considered in violation of the law.

Obligations under the CDPA

Companies falling under the incidence of the CDPA have a number of obligations. They must provide consumers with a privacy policy and limit the collection of data to that which is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed.

Once collected, companies cannot process personal data for purposes that are neither reasonably necessary nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer unless the controller obtains the consumer’s consent. Further limits are applied to categories of personal data considered especially sensitive such as race, religion, or mental and health diagnosis. Processing these categories of information is prohibited without consumer consent.

Companies must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Controllers must conduct data protection assessments to evaluate risks associated with processing activities. When data is processed by a third party on behalf of a controller, these activities must be governed by a data processing agreement.

Penalties

In contrast to the CCPA, the CDPA does not grant a private right of action to individuals whose rights have been violated. The CDPA will be enforced by the Virginia Attorney General who will have investigative authority and the ability to impose civil penalties of up to $7,500 per violation.

Companies notified by the Attorney General’s office of a violation will have 30 days to cure it and provide the office with a written response that the violation has been cured and no further violations will occur. In this case, the Attorney General will take no action. If the company is unable to cure the violation in the 30-day window granted by the law, the Attorney General can initiate an action against the offending company. It is currently unclear as to how violations that cannot be cured, such as data breaches, will be penalized.