Virginia: Consumer and business concerns under CDPA enforcement
In spring 2021, Virginia passed a streamlined comprehensive privacy law entitled the Consumer Data Protection Act ('CDPA'). The CDPA grants consumers various rights related to their personal data, including the rights: of access, correction, transportability, and deletion of personal data; to opt out of the sale, processing for targeted advertising, and profiling; and opt in to processing of sensitive data. Other key elements include appeal rights for rejected consumer requests, parental rights for the collection of personal data from children, data protection assessments, data processor regulation, and data security requirements. The effective date of the CDPA is 1 January 2023. Kyle R. Dull, Senior Associate at Squire Patton Boggs, considers consumer and business concerns under the CDPA regarding enforcement.
Notably, Virginia legislators passed the CDPA without a private right of action—something that was the death knell to Florida's and Washington's proposed consumer privacy legislation this session. In fact, Virginia explicitly prohibits the CDPA from being used by private plaintiffs: 'Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.' Section 59.1-580(E).
For one, the lack of a private right of action in Virginia substantially increases the need for government intervention. The CDPA grants the Virginia Attorney General ('AG') some familiar and important powers. Under Section 59.1-579 of the CDPA, the AG may issue civil investigative demands to any person if the AG has 'reasonable cause to believe' that a person 'has engaged in, is engaging in, or is about to engage in any violation of [the CDPA].' For the procedure governing civil investigative demands, the CDPA cites directly to Section 59.1-9.1 of the Code of Virginia, the Antitrust Act's section on investigations by the AG.
The CDPA establishes a 'Consumer Privacy Fund' into which all civil penalties, expenses, and attorney fees are deposited. The fund is intended to support the work of the AG in enforcing the CDPA, and the AG keeps any interest earned on it. This will only provide funding to the AG after enforcement begins on 1 January 2023, and collecting this money is not so easy under the CDPA.
The CDPA requires the AG to provide a 30-day cure period. Under Section 59.1-580(B), the AG must provide 'written notice identifying the specific provisions of this chapter the Attorney General, on behalf of a consumer, alleges have been or are being violated.' The controller or processor then has 30 days to cure the noticed violation and submit 'an express written statement that the alleged violations have been cured and that no further violations shall occur' to the AG. If the controller or processor does so, then 'no action for statutory damages shall be initiated against the controller or processor.' If, on the other hand, the controller or processor fails to cure the violation or otherwise continues its violations, 'the Attorney General may initiate an action and seek an injunction to restrain any violation of this chapter and civil penalties of up to $7,500 for each violation under this chapter.'
The CDPA does not pre-fund enforcement
The CDPA lacks one important feature for successful AG enforcement—upfront funding. Prior to the bill's passage, Virginia's Department of Planning and Budget estimated that enforcing the CDPA would cost $330,556 per year just to hire a Dispute Resolution Specialist, a Consumer Protection Investigator, and an Assistant AG. And that would fund only three positions for a state with more than 8.5 million residents. By contrast, California will fund the California Privacy Protection Agency with $5 million in the first fiscal year and $10 million in each subsequent fiscal year.
The lack of upfront funding has the potential to create a significant consumer privacy enforcement vacuum in Virginia and prohibit implementation of the CDPA, at least until: (i) the AG can accumulate enough civil penalties in the CDPA's Consumer Privacy Fund in order to fund enforcement; (ii) the AG diverts funding from other funded priorities; or (iii) the Virginia legislature specifically allocates funding for CDPA enforcement.
The Virginia legislature did increase both the funding allocated to and the number of personnel positions at the AG for the 2020-2022 biennium budget. Perhaps the AG will allocate some of those new positions to prepare for the ramp-up period to CDPA enforcement. Another way the funding issue may be addressed is through the working group, which is scheduled to submit 'findings, best practices, and recommendations regarding the implementation of this act' by 1 November 2021. Until then, whether the AG has adequate funding to provide CDPA enforcement is an open issue.
Government enforcement vs. private right of action
The unresolved issue of adequate AG enforcement funding is a potential boon for businesses and potential bane for consumers. For one, private plaintiff actions are explicitly prohibited. By their very nature, these suits are privately funded and are not subject to the delicate balancing act state budgets are forced to go through every year. Consumers harmed by CDPA violations have to rely on the AG to resolve their complaints. Of course, consumers are free to request that companies voluntarily resolve their complaints, but those resolutions might not change the business's practices and might instead be limited to just resolving the CDPA violation for that specific consumer.
Traditionally, one method Attorneys General use to initiate investigations is consumer complaints. These complaints are then often reviewed by a consumer complaint specialist or investigator who acts as the first set of eyes for the AG. However, without a CDPA-dedicated specialist or investigator, the employees reviewing CDPA complaints will likely also have to review and resolve complaints related to other industries, such as: automotive sales; credit, loans, and debt collection; internet sales and service; home improvement, service, and repair; price gouging; direct sales and scams; and medical/health professions. This potential backlog of complaint review means consumers suffering alleged CDPA violations, such as not being able to opt out of the sale of their personal data, are having their rights infringed until the AG can address their complaint - perhaps days, weeks, or even months later. Moreover, the CDPA forces the AG to grant even the most egregious violators 30 days to remedy their violations. A business may also avoid an enforcement action solely because the AG received only a small number of complaints. Taken together, the lack of a private right of action makes the CDPA less powerful because there is a chance the AG will not pursue a violator.
Another issue created by the CDPA's pure government enforcement mechanism is the potential for politics to influence what companies become the target of CDPA enforcement. Recently, for example, we have seen states target certain industries based on political beliefs. Other times we have seen politicians restrain or attempt to restrain enforcement actions against their supporters. And of course, we have even seen the complete lack of enforcement from the Federal Trade Commission ('FTC') when the federal government was shut down due to a budget impasse. These are issues government enforcement traditionally faces and this is not to imply that we would necessarily see the politicisation of CDPA enforcement in Virginia.
Many other laws have private rights of action that have provided consumers with significant wins in recent years during periods when government enforcement was less active. However, private consumer lawsuits are an imperfect solution that does not always primarily benefit the consumer. There are also privacy statutes with a private right of action that have been viewed as enabling simple 'gotcha' lawsuits, which also create confusion over compliance with the law. AG enforcement has many positive benefits for both consumers and businesses. One consistent enforcement policy, although it may evolve over time, makes it easier for companies to comply. Companies can also focus their investment on compliance efforts - benefiting consumers. Although budgets can be limited, Attorneys General are able to take on large-scale investigations that would be impossible in smaller private lawsuits. The AG also does not have to prove actual damages - instead, the AG can seek an injunction and collect civil penalties under the CDPA. With the CDPA, Virginia determined that the costs of nuisance lawsuits outweighed their benefits.
As noted above, a working group is scheduled to deliver the 'findings, best practices, and recommendations regarding the implementation of [the CDPA]' by 1 November 2021. After these findings are submitted, companies and consumers should be on the lookout for regulations by the AG to address some gaps in the CDPA.
The CDPA exempts pseudonymous data from '[t]he consumer rights contained in subdivisions A 1 through 4 of § 59.1-573 and § 59.1-574.' The problem is that there are subdivisions A 1 through 4 in both Sections 59.1-573 and 59.1-574, and both sets of subdivisions address consumer rights. The AG should clarify whether controllers would have to obtain opt-in consent to process sensitive pseudonymous data (if the exemption is for the subdivisions in each section); or if there is no requirement to obtain opt-in consent for the processing of sensitive pseudonymous data (if the exemption is for all of Section 59.1-574).
Under Section 59.1-573(C), controllers must 'establish a process for a consumer to appeal the controller's refusal to take action on a [consumer rights] request.' Appeals must be allowed if submitted to the controller 'within a reasonable period of time' and in response to the appeal, the controller must 'include a written explanation of the reasons for the decisions.' Controllers are also not required to comply with requests that are not 'authenticated.' The CDPA does not provide significant, concrete details of the required appeal process and leaves important terms open to interpretation. A reasonable period of time is not defined, and the CDPA does not outline appropriate reasons to deny an appeal. We should expect to see the regulations define these key terms and outline whether the same person reviews the appeal that reviewed the initial rights request. Further, the regulations should outline the authentication process to be used by controllers so that consumers are adequately informed before attempting a request.
As with the California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA'), the CDPA could be more definitive in answering when a business is the controller of personal data that it processes for targeted advertising. Is the website publisher the controller? Or is it the cookie operator? Should the website publisher be providing the consumer an opt-out that would prevent the cookie from collecting personal data? Or is it the AdTech cookie operator that is responsible for providing and responding to the consumer's opt-out? These are important questions that will hopefully be addressed by the CDPA's regulations.
Reasonable security practices
As the CDPA does not allow for a private right of action for security breaches, consumers and businesses should expect some additional guidance on what constitutes 'reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.'
The CDPA prohibits discrimination against consumers who exercise their consumer rights, but also allows businesses to offer different prices or levels of service to consumers who allow the controller to sell their data, process it for targeted advertising or profiling, or who participate in loyalty programs. The CDPA does not address the valuation requirements the California Attorney General has asserted are required under the CCPA. It would be beneficial to both businesses and consumers if Virginia's regulations addressed whether a consumer must consent to participation in loyalty programs and whether that consent can be withdrawn at any time.
The Virginia legislature decided to balance both consumer and business interests by vesting enforcement of the CDPA in the AG. However, the ability of the AG to adequately enforce the CDPA is at risk because the legislature did not provide the AG with any funding at the outset. Enforcement of the CDPA is scheduled to begin on 1 January 2023, and in the meantime the legislature has ample time to ensure the AG receives funding both to promulgate regulations and to enforce the law. During these next two years, consumers and businesses should be on the lookout for regulations that clarify certain sections of the CDPA, including consumer rights, controller obligations, targeted advertising, reasonable security practices, and loyalty programs.
Kyle R. Dull, Senior Associate
Squire Patton Boggs, New York