Virginia: Consumers' opt-out rights under the CDPA
This is a part of a series of articles analysing various aspects of the Consumer Data Protection Act ('CDPA'). In this article, Glenn Brown, Of Counsel at Squire Patton Boggs, focuses on consumers' rights to opt out of three specific uses of their personal data under the CDPA.
For a summary of how certain key terms are defined in the CDPA, please see 'Key Defined Terms' below.
Opt-out rights and the mechanics of responding to them
Among other consumer privacy rights, the CDPA provides Virginia residents with the right to 'opt out' of the processing of personal data for the following three purposes:
- targeted advertising;
- selling personal data; and
- profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
How consumers may exercise rights
Timing of a controller's response
Controllers must respond to consumers seeking to exercise their opt-out rights without undue delay, but in all cases within 45 days of receipt of the request. The response period may be extended once by 45 additional days when reasonably necessary, as long as the controller informs the consumer of such extension within the initial 45-day period, together with the reason for the extension.
Denial of request and appeal
A controller declining a consumer's request must inform the consumer within 45 days of receipt of the request and provide a justification for the denial. The controller must also provide the consumer with instructions for how to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting a request to opt out. Within 60 days of receiving an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Virginia Attorney General ('AG') to submit a complaint.
Below is a more in-depth discussion of each of these opt-out rights. Keep in mind that the CDPA specifies that a Virginia resident is only a 'consumer' when acting in an individual or household context, and expressly does not include a natural person acting in a commercial or employment context.
Right to opt out of targeted advertising
Scope of right
The CDPA allows consumers to opt out of the controller using the consumer's personal data in connection with targeted advertising. The CDPA defines 'targeted advertising' as '… displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests'. However, the CDPA also provides that the following are not considered 'targeted advertising':
- advertisements based on activities within a controller's own websites or online applications;
- advertisements based on the context of a consumer's current search query, visit to a website, or online application;
- advertisements directed to a consumer in response to the consumer's request for information or feedback; and
- processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency.
Implementation and impact
The CDPA's definition of targeted advertising is fairly limited and would seemingly exclude many digital advertising activities and use cases that do not involve 'displaying advertisements'. Importantly, too, it excludes from the definition of targeted advertising certain routine advertising activities, such as measurement and frequency capping, that exceed permissible purposes of service provider processing under the California Consumer Privacy Act of 2018 ('CCPA'). As a result, those important activities will be able to continue even after a consumer has opted out of targeted advertising under the CDPA.
Right to opt out of sales of personal data
Scope of right
The CDPA allows consumers to opt out of future 'sales' of the consumer's personal data by the controller. The CDPA defines a 'sale' of personal data as taking place when there is an exchange of personal data for monetary consideration by the controller to a third party.
Implementation and impact
Note that the CDPA's required element of monetary consideration in its definition of 'sale' is a significant departure from the definition of 'sale' in the CCPA and the California Privacy Rights Act ('CPRA'). The CDPA also excludes all transfers to affiliates from the definition. By specifying that monetary consideration must be exchanged for personal data in order for a sale to exist, the CDPA allows a business to transfer personal data for many activities that are the focus of regulatory attention elsewhere (such as targeted advertising) without having to characterise such transfers as sales. But as with the CCPA and CPRA, if a consumer exercises their right to opt out of sales under the CDPA, the controller will need the means to prevent future transfers of such consumer's personal data that would fall within the definition of 'sale'.
Right to opt out of certain types of profiling
Scope of right
The CDPA allows consumers to opt out of a controller's use of the consumer's personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. This opt-out right involves two defined terms: 'profiling' and 'decisions that produce legal or similarly significant effects concerning the consumer'. Consumers do not have the right under the CDPA to opt out of all activities that would fall within the definition of profiling, only those that are in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The CDPA defines 'profiling' to mean '… any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements'.
The CDPA defines the phrase 'decisions that produce legal or similarly significant effects concerning a consumer' to mean '… a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water'.
Implementation and impact
The right to opt out of processing for this purpose is interesting in that making decisions about lending, housing, insurance underwriting, or employment is generally regulated by the federal Fair Credit Reporting Act of 1970 ('FCRA'), and so in most cases will be exempt from compliance with the CDPA. This could create confusion for consumers and headaches for controllers that engage in these types of processing activities. However, to the extent a controller engages in profiling in connection with these types of decisions that are not exempt from the CDPA, it may need to comply with a consumer's opt-out request.
In order to be able to comply with such a request, a controller will have to understand the contexts in which it engages in 'profiling' generally, and then when that 'profiling' is used for making the specific types of decisions described above.
Key defined terms under the CDPA
'Consumer' means a natural person who is a resident of Virginia.
'Controller' and 'processor' track the definitions in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), with the former being defined as a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data, and the latter being defined as a natural or legal person that processes personal data on behalf of a controller. These terms are similar but not identical to the terms 'business' and 'service provider' in the CCPA.
'Personal data' means any information that is linked or reasonably linkable to an identified or identifiable natural person. 'Personal data' does not include de-identified data or publicly available information, as those terms are defined. This is similar to definitions in other privacy laws.
Due to the differences between the opt-out rights provided by the CDPA and those provided under existing privacy laws, businesses will need to consider carefully the specific obligations under the CDPA in light of the nature of their business and the types of personal data they process.
Glenn Brown Of Counsel
Squire Patton Boggs, Atlanta