Virginia - Data Protection Overview
1. Governing Texts
The Consumer Data Protection Act ('CDPA'), under Title 59.1 of the Code of Virginia, is the principal statute regulating privacy and data protection matters in Virginia.
In addition to the CDPA, Virginia regulates privacy and data protection matters through the Personal Information Privacy Act, which restricts the sale of customers' personal information by merchants as well as the use of social security numbers. Moreover, Virginia's personal information breach notification law, under §18.2-186.6 of Article 5 of Chapter 6 of Title 18.2 of the Code of Virginia ('the Breach Notification Statute'), regulates breach notifications and sets out various requirements in this respect. Specific protections apply to health, employment, and financial information, and the Virginia Telephone Privacy Protection Act prohibits solicitation calls to a person who has previously stated that they do not wish to receive such calls.
The Attorney General of Virginia ('AG') has not yet issued any guidance.
1.3. Case law
2. Scope of Application
The CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that (§59.1-572(A) of the CDPA):
- during a calendar year, control or process personal data of at least 100,000 consumers; or
- control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The CDPA does not apply to any body, authority, board, bureau, commission, district, or agency of Virginia or of any political subdivision of Virginia (§59.1-572(B) of the CDPA).
Moreover, the CDPA does not apply to non-profit organisations or institutions of higher education (§59.1-572(B) of the CDPA).
The CDPA also does not apply to (§59.1-572(B) of the CDPA):
- financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act of 1999; and
- covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and the Health Information Technology for Economic and Clinical Health Act of 2009.
The CDPA applies to persons that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of Virginia (§59.1-572(A) of the CDPA).
The CDPA applies to the personal data of individuals, which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information (§59.1-571 of the CDPA).
The CDPA excludes certain data from its application, such as protected health information under HIPAA, certain health records, certain patient identifying information, as well as certain other data pertaining to a health context, financial context, or federal regulation, among others (§59.1-572(C) of the CDPA).
3.1. Main regulator for data protection
The AG is the regulator for the CDPA within Virginia.
In addition, the CDPA provided for the creation of a working group to review the provisions of the CDPA and issues related to its implementation. The working group's findings, best practices, and recommendations regarding the implementation of the CDPA were to be submitted by the Chairman of the Joint Commission on Technology and Science to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation by 1 November 2021.
3.2. Main powers, duties and responsibilities
In accordance with §59.1-576(C) of the CDPA, the AG may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the AG, and may evaluate the assessment for compliance with the data controller responsibilities set forth in §59.1-574 of the CDPA.
In addition, §59.1-579 of the CDPA provides for investigative powers of the AG, whereby if the AG has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of the CDPA, the AG is empowered to issue a civil investigative demand.
Under §59.1-580(A) of the CDPA, the AG also has exclusive authority to enforce the provisions of the CDPA.
4. Key Definitions
In relation to the concepts of data controller and data processor, the CDPA provides that determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. In this regard, a processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor (§59.1-575(D) of the CDPA).
Personal data: Any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information (§59.1-571 of the CDPA).
Sensitive data: A category of personal data that includes (§59.1-571 of the CDPA):
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- the personal data collected from a known child; or
- precise geolocation data.
Under HIPAA, 'health information' means any information, whether oral or recorded in any form or medium, that (§1171(4) of HIPAA):
- is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
Biometric data: Data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. However, 'biometric data' does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA (§59.1-571 of the CDPA).
Pseudonymisation: 'Pseudonymous data' is defined as personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (§59.1-571 of the CDPA).
Data subject: A 'consumer' is defined as a natural person who is a resident of Virginia acting only in an individual or household context, but does not include a natural person acting in a commercial or employment context (§59.1-571 of the CDPA).
5. Legal Bases
Under §59.1-574(A)(2) of the CDPA, a data controller must not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent.
With respect to sensitive personal data, §59.1-574(A)(5) of the CDPA provides that a data controller must not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act of 1998 ('COPPA').
Nothing in the CDPA can be construed to restrict a controller's or processor's ability to provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract (§59.1-578(A)(5) of the CDPA).
Similarly, §59.1-578(B)(4) of the CDPA provides that the obligations imposed on controllers or processors will not restrict their ability to collect, use, or retain data to perform internal operations that:
- are reasonably aligned with the expectations of the consumer;
- are reasonably anticipated based on the consumer's existing relationship with the controller; or
- are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
Nothing in the CDPA is to be construed to restrict a controller's or processor's ability to (§59.1-578(A)(1) to (3) of the CDPA):
- comply with federal, state, or local laws, rules, or regulations;
- comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; or
- cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.
Moreover, §59.1-578(C) of the CDPA provides that the obligations imposed on controllers or processors do not apply where compliance by the controller or processor would violate an evidentiary privilege under the laws of Virginia. Nothing in the CDPA is to be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of Virginia as part of a privileged communication.
Nothing in the CDPA is to be construed to restrict a controller's or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, where the processing cannot be manifestly based on another legal basis (§59.1-578(A)(6) of the CDPA).
Nothing in the CDPA is to be construed to restrict a controller's or processor's ability to engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities, that determine (§59.1-578(A)(8) of the CDPA):
- if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
- the expected benefits of the research outweigh the privacy risks; and
- if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
Nothing in the CDPA is to be construed to restrict a controller's or processor's ability to investigate, establish, exercise, prepare for, or defend legal claims (§59.1-578(A)(4) of the CDPA).
In addition, the obligations imposed on controllers or processors do not restrict their ability to collect, use, or retain data to (§59.1-578(B)(1) to (3) of the CDPA):
- conduct internal research to develop, improve, or repair products, services, or technology;
- effectuate a product recall; or
- identify and repair technical errors that impair existing or intended functionality.
Additionally, §59.1-578(B)(4) of the CDPA provides, among other things, that the obligations imposed on controllers or processors will not restrict their ability to collect, use, or retain data to perform internal operations that:
- are reasonably aligned with the expectations of the consumer; or
- are reasonably anticipated based on the consumer's existing relationship with the controller.
No further information.
The CDPA provides for various data protection principles through their incorporation into legal provisions and requirements for controllers.
In this respect, §59.1-574(A)(1) of the CDPA provides for the principle of data minimisation, noting that a controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
§59.1-574(A)(2) of the CDPA provides for the principle of purpose limitation, noting that a controller must not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent.
Data controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data (§59.1-574(A)(3) of the CDPA).
Furthermore, controllers must comply with transparency obligations through the requirement to provide consumers with a privacy notice which details, among other things, categories of personal data processed, purpose for processing, or how consumer rights can be exercised (§59.1-574(C) of the CDPA).
7. Controller and Processor Obligations
The CDPA does not expressly provide for data processing notification requirements.
The CDPA does not expressly provide for requirements around data transfers.
The CDPA does not expressly provide for record-keeping requirements.
In accordance with §59.1-576 of the CDPA, data controllers must conduct and document data protection assessments. Specifically, such assessments are required for processing activities which involve (§59.1-576(A) of the CDPA):
- the processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
- financial, physical, or reputational injury to consumers;
- a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
- other substantial injury to consumers;
- the processing of sensitive data; and
- any processing activities involving personal data that present a heightened risk of harm to consumers.
Moreover, data protection assessments must be confidential, and must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. Controllers must also consider and factor in the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed (§59.1-576(B) of the CDPA).
The CDPA also notes that a single data protection assessment may address a comparable set of processing operations that include similar activities (§59.1-576(D) of the CDPA). In addition, data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may satisfy the requirements of §59.1-576 of the CDPA if the assessments have a reasonably comparable scope and effect (§59.1-576(E) of the CDPA).
Notably, data protection assessment requirements apply only to processing activities created or generated after 1 January 2023, the date on which the CDPA enters into effect, and are not retroactive (§59.1-576(F) of the CDPA).
The CDPA does not expressly provide for requirements regarding the appointment of a data protection officer.
The CDPA itself does not provide for data breach notification requirements; these are governed by the Breach Notification Statute (see the introduction section above). However, §59.1-575(A)(2) of the CDPA notes that a data processor must assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of the processor pursuant to the Breach Notification Statute.
The CDPA does not expressly provide for data retention requirements. However, §59.1-575(B)(2) of the CDPA notes that within the context of controller and processor contracts, and at the controller's direction, a processor must delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
Generally, the CDPA provides that controllers and processors who comply with the verifiable parental consent requirements under COPPA will be deemed compliant with any obligation to obtain parental consent under the CDPA (§59.1-572(D) of the CDPA).
With respect to invoking consumer rights with respect to children, a known child's parent or legal guardian may invoke such consumer rights on behalf of the child (§59.1-573(A) of the CDPA).
With respect to the processing of sensitive data, §59.1-574(A)(5) of the CDPA provides that a controller must not process sensitive data concerning a known child without processing such data in accordance with COPPA.
A child is defined as any natural person younger than 13 years of age (§59.1-571 of the CDPA).
The CDPA refers to 'sensitive data' and provides that controllers must not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA (§59.1-574(A)(5) of the CDPA).
In accordance with §59.1-575(A) of the CDPA, data processors must adhere to the instructions of a controller and assist the controller in meeting its obligations under the CDPA, where such assistance includes:
- responding to consumer rights requests;
- assisting the controller in meeting obligations in relation to the security of processing personal data and in relation to the notification of a breach of security of the system of the processor; and
- providing necessary information to enable the controller to conduct and document data protection assessments.
To facilitate this, §59.1-575(B) of the CDPA provides that a contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller. Such a contract will be binding, and must clearly set forth:
- instructions for processing data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of processing; and
- the rights and obligations of both parties.
The contract must also include requirements that the processor must (§59.1-575(B) of the CDPA):
- ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
- upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the CDPA;
- allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organisational measures in support of the obligations under the CDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments;
- provide a report of such assessment to the controller upon request; and
- engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
8. Data Subject Rights
In accordance with §59.1-574(C) of the CDPA, consumers must be informed through the provision of a privacy notice that includes:
- the categories of personal data processed by the controller;
- the purpose for processing personal data;
- how consumers may exercise their consumer rights pursuant to §59.1-573 of the CDPA, including how a consumer may appeal a controller's decision with regard to the consumer's request;
- the categories of personal data that the controller shares with third parties, if any; and
- the categories of third parties, if any, with whom the controller shares personal data.
In addition, if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing (§59.1-574(D) of the CDPA).
In accordance with §59.1-573(A)(1) of the CDPA, consumers have the right to confirm whether or not a controller is processing their personal data and to access such personal data.
In accordance with §59.1-573(A)(2) of the CDPA, consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.
In accordance with §59.1-573(A)(3) of the CDPA, consumers have the right to delete personal data provided by or obtained about the consumer.
In accordance with §59.1-573(A)(5) of the CDPA, consumers have the right to opt out of the processing of their personal data for purposes of:
- targeted advertising;
- the sale of personal data; or
- profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The CDPA does not explicitly refer to the possibility of withdrawing consent.
In accordance with §59.1-573(A)(4) of the CDPA, consumers have the right to obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
In accordance with §59.1-573(A)(5) of the CDPA, consumers have the right to opt out of the processing of their personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
In addition to the data subject rights outlined above, the CDPA also provides consumers with the right to appeal a controller's refusal to take action following a consumer's request to exercise their rights. As detailed in §59.1-573(C) of the CDPA, a controller must establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of such a decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action. Within 60 days of receipt of an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the AG to submit a complaint.
Furthermore, under §59.1-574(A)(4) of the CDPA, controllers must not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller also must not discriminate against a consumer for exercising any of the consumer rights contained in the CDPA, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.
The AG has exclusive authority to enforce the provisions of the CDPA. If a data controller or processor continues to violate the CDPA following the prescribed 30-day cure period, or breaches an express written statement provided to the AG, the AG may initiate an action in the name of Virginia and may seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation (§59.1-580(B) and (C) of the CDPA).
In addition, the AG may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under the CDPA (§59.1-580(D) of the CDPA).