Virginia: CDPA on track to be signed into law by Governor
Rarely do Virginia and California line up on legislative issues, but if Governor Northam of Virginia signs Senate Bill 1392 (to Amend the Code of Virginia by adding in Title 59.1 a Chapter Numbered 52, Consisting of Sections Numbered 59.1-571 - 59.1-581, relating to the Consumer Data Protection Act ('CDPA')) into law, as is widely expected, California and Virginia will be the first and second states in the US to pass sweeping consumer data privacy legislation. Beth Waller, Chair of the Cybersecurity & Data Privacy Practice at Woods Rogers PLC, discusses who the CDPA would apply to, alongside the definitions and requirements it provides.
Virginia's General Assembly – made up of a House of Delegates and a Senate – overwhelmingly passed companion copies of the CDPA. After a few additional minor procedural steps, the Act will thus make its way to the Governor's desk. With Governor Northam expressing no opposition to the CDPA, it is highly likely that Virginia is on track to be the second state, behind California, to create sweeping consumer data privacy protections.
From 1 January 2023, Virginia would join the California Privacy Rights Act of 2020 ('CPRA') (and its predecessor the California Consumer Protection Act of 2018 ('CCPA')) in likely driving the national conversation around a federal data privacy law. Virginia would also rocket ahead of a number of other jurisdictions considering consumer data privacy laws, including New York, Maryland, Minnesota, and Washington. With its proximity to Washington D.C., there is no question that the CDPA would be top of mind when Congress begins considerations of federal data privacy concerns.
Who is covered by the CDPA
The CDPA is, by its terms, meant to capture those businesses processing Virginia resident consumer information. Specifically, the CDPA governs businesses that 'conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.'
Remember that conducting business in the age of e-commerce can mean simply operating a website that targets residents in Virginia. The CDPA – in a departure from the CCPA – does not have a dollar threshold and instead focuses solely on consumers served or data sold.
The CDPA has a series of robust exemptions that preclude compliance for certain entities including nonprofit organisations, institutes of higher education, and the Commonwealth's own governmental agencies. Similarly, businesses that fall under the regulatory scheme of the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') or Gramm-Leach-Bliley Act of 1999 are also exempt from the CDPA's ambit.
Who is a 'consumer?'
The CDPA captures Virginia residents in its definition of consumers but most notably states that a consumer is 'not a natural person acting in a commercial or employment context.' In other words, it appears that employee information would not fall under the CDPA. Similarly, this provision appears to exempt business to business communications with its language about a person 'acting in a commercial' context.
What constitutes 'personal data' under the CDPA?
The CDPA creates three categories of data: (i) 'personal data;' (ii) 'sensitive data;' and (iii) 'biometric data.' Each contains carve-outs that distinguish the CDPA from many of the regulatory schemes around privacy currently in place.
'Personal data' is defined as 'any information that is linked or reasonably linkable to an identified or identifiable natural person.' The definition states that it 'does not include de-identified or publicly available data.'
The CDPA creates a second threshold for 'sensitive data' which it defines as data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status.
Finally, the CDPA does govern 'biometric data,' but states that while such information includes information 'of an individual's biological characteristics, such as fingerprint, voiceprint, eye retinas,' it does not include 'a physical or digital photograph, a video or audio recording,' or information created for 'healthcare treatment, payment, or operations under HIPAA.'
Consumer rights under the CDPA
The CDPA states that a 'consumer may invoke consumer rights' under the CDPA 'by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke.'
The rights include: (i) confirmation of, and access to, the personal data being processed; (ii) correction of inaccuracies in the personal data (taking into account the purpose of processing); (iii) the right to request deletion of the data provided by or obtained about the consumer; (iv) the right to obtain a copy of the personal data that the consumer previously provided to the controller; and (v) the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Limits on a controller's data processing
Under the CDPA, a controller is required to limit the collection of personal data 'to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.' A controller may also not process data for purposes at odds with what it discloses to the consumer without the consumer's consent to such processing. A controller may not process personal data in violation of any state or federal laws that prohibit discrimination against consumers. 'Sensitive data' may not be processed at all without a consumer's consent.
Requirement of a reasonably accessible, clear, and meaningful privacy notice
Controllers are required to provide 'a reasonably accessible, clear, and meaningful privacy notice.' Such a privacy notice under the CDPA is to describe: 'categories of personal data processed by the controller;' the purpose for processing; how consumers may exercise their rights under the CDPA, including how they may appeal a decision; categories of personal data the controller shares with third parties, if any; and the categories of third parties, if any, with whom the controller shares personal data.
The CDPA goes a step further and provides that if a controller sells data for targeted advertising, then the controller 'shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.'
Requirements around the security of data and data requests
The CDPA also creates several security requirements around the processing and storage of data, as well as around the handling of consumer data requests under the CDPA.
Specifically, the CDPA states that a controller is required to 'establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.' The CDPA further provides that 'such data security practices shall be appropriate to the volume and nature of the personal data at issue.' In other words, security must be proportional to the sensitivity and volume of the data held.
With regard to consumer requests for information, the CDPA requires a controller to 'establish' and 'describe in the privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their rights under this chapter.' This secure communication protocol 'shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.' A controller cannot require a consumer to create a new account in order to exercise their consumer rights.
Who can enforce violations?
The CDPA grants the Attorney General of Virginia ('the AG') the 'exclusive authority to enforce violations' of the CDPA and creates a process for enforcement. Specifically, the AG 'shall provide a controller or processor 30 days' written notice' of a violation of the CDPA. If a business cures the violation and provides 'an express written statement that the violations have been cured and that no further violations shall occur, no action for statutory damages shall be initiated against the controller or processor.' Thus, the CDPA creates a safe harbour for those alleged to have violated it.
However, if a controller or processor 'continues to violate' the CDPA or 'breach an express written statement provided to the consumer,' then the AG 'may initiate an action and seek damages for up to $7,500 for each violation.' Similarly, the AG may seek reimbursement of costs and reasonable attorney's fees for enforcement actions. Funds recovered are to be placed in a Consumer Privacy Fund, which shall be used to support the AG's investigations into violations of the CDPA.
The CDPA also provides that the AG may request that a controller disclose any data protection assessment relevant to the investigation, but that the provision of such an assessment 'does not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.'
The CDPA takes a uniquely Virginia approach to issues of consumer data privacy and should be watched with particular attention in the next few weeks. The ramp-up to 2023 – with the dawning of the CPRA and now potentially the CDPA – is going to be critical for many businesses processing consumer data. The time to begin preparing for both acts is now, while mindfully watching for any federal legislation that may emerge as a reaction to these state data privacy acts.
Beth Waller Chair, Cybersecurity & Data Privacy Practice
Woods Rogers PLC, Roanoke