Virginia: Direct marketing under the Consumer Data Protection Act
Organisations that carry out direct marketing must comply with an alphabet soup of laws and regulations. In addition to the Federal Trade Commission Act of 1914 ('FTC Act') and state unfair and deceptive acts and practices ('UDAP') laws, there are a number of regulatory schemes that are specific to the mode of communication used in consumer outreach. For example, there is the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM Act') for email marketing, the Telephone Consumer Protection Act of 1991 ('TCPA') for automated text message and telephone marketing, the Telemarketing Sales Rule 1995 ('TSR') for telemarketing, and the Deceptive Mail Prevention and Enforcement Act ('DMPEA') for direct mail. Kyle R. Fath, Counsel at Squire Patton Boggs, explores how Virginia's Consumer Data Protection Act ('CDPA') impacts consumers' rights, as well as its requirements concerning sensitive data, among others.
Current US state privacy legislation, including the California Consumer Privacy Act of 2018 ('CCPA'), which became effective in 2020, and the California Privacy Rights Act ('CPRA'), which becomes operative in relevant part in 2023, does not directly address direct marketing, although there are a number of consumer rights and obligations imposed on businesses that are ancillary to, or interrelate with, organisations' obligations under direct marketing laws. The CDPA, effective from 1 January 2023, is similar to the CCPA in this regard. Despite the lack of explicit direct marketing provisions, companies should be aware of a number of obligations under the CDPA that might arise in respect of direct marketing activities, particularly considering that direct marketing involves the collection and management of personal data and, for some organisations, the sale and purchase of data in connection with such marketing activities.
Consumer rights under the CDPA
The CDPA grants Virginia 'consumers' (definition discussed below) the rights of access/portability, correction, and deletion, as well as a number of opt-out rights, with respect to their personal data. The CDPA's opt-out rights and consumer rights request mechanics are discussed in further detail in a related article by Squire Patton Boggs' Glenn Brown. Below, we discuss the CDPA's consumer rights and related controller obligations and how they are implicated in a controller's direct marketing efforts.
The CDPA allows a consumer to 'obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format'. The CCPA currently requires businesses to disclose all personal information collected about a consumer, which would include not only contact information but also information related to direct marketing campaigns, such as contents of emails sent to a consumer, information regarding a business' analytics of users' treatment of emails (e.g., whether they opened them, if it led to a sale/conversion, and so on). However, the CDPA makes it clear that the access/portability right only extends to 'the consumer's personal data that the consumer previously provided to the controller', thus providing a much more limited scope of information to be provided in response to a CDPA access request.
The CDPA requires controllers to, upon request by a consumer, 'correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data'. It is conceivable that a consumer might make a request for correction based on information in a direct marketing campaign, such as an incorrectly spelled name or other inaccurate information. To the extent that the request comes through the controller's designated method for receipt of CDPA consumer requests, the controller would have to treat it as such.
The CDPA permits consumers to request that a controller 'delete personal data provided by or obtained about the consumer' [emphasis added]. The CCPA's deletion right, on the other hand, is narrower and only applies to information collected 'from the consumer'. As has been the case under the CCPA, consumers often submit deletion requests with the goal of stopping promotional emails, rather than simply clicking the 'unsubscribe' link provided in the email. To the extent that a consumer chooses to opt out of emails in this manner, which may be somewhat unclear and cryptic, businesses should certainly consider the exceptions available to them in order to retain the consumer's information. However, similar to the CCPA, it is unlikely that any of the exceptions under the CDPA would allow a controller to continue sending marketing emails to a consumer who has made a deletion request.
Consumers also have the right to opt out of the processing of their personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
It is unlikely that direct marketing would meet the definition of targeted advertising or profiling under the CDPA. However, controllers that buy and/or sell personal data for their own or a third party's direct marketing efforts should be aware of the right to opt out of sales, discussed in the article linked earlier.
Only 'consumers' – i.e., Virginia residents 'acting only in an individual or household context' and specifically excluding anyone 'acting in a commercial or employment context' – have rights under the CDPA. Therefore, information collected by an organisation in a business to business ('B2B') context falls outside of the scope of the CDPA, including with respect to the direct marketing issues and obligations discussed herein. Of course, organisations engaging in B2B direct marketing should be sure to comply with other applicable laws, including, without limitation, the CAN-SPAM Act, the TCPA, and the TSR.
As discussed above, the CDPA is generally an opt-out regime. However, it does require General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')-like consent for all processing of 'sensitive data', including for direct marketing.
Under the CDPA, sensitive data includes:
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- personal data collected from a known child; or
- precise geolocation data.
This definition is more circumscribed than the definition of sensitive personal information under the forthcoming CCPA-amending CPRA, though there is some ambiguity as to whether the list is exhaustive. Organisations that process any of this data should already be paying heightened attention to how they process it and should certainly be aware of any direct marketing uses of the same.
Notably, there might be limited scenarios where health diagnoses would be considered 'sensitive data' under the CDPA. This is because most types of healthcare entities (including Health Insurance Portability and Accountability Act of 1996 ('HIPAA') covered entities and business associates), along with health information (including protected health information ('PHI')) and information derived therefrom, fall under a host of exemptions. That said, organisations carrying out direct marketing using this type of information should understand the extent to which any exemptions may or may not apply.
'Consent' means 'a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer'. Organisations may obtain consent through 'a written statement, including a statement written by electronic means, or any other unambiguous affirmative action'. Since implied consent is often relied upon for direct marketing in the US, companies must determine whether this new consent requirement applies to their direct marketing activities involving Virginians.
Loyalty programs/financial incentives
Numerous businesses obtain personal data, such as email and newsletter sign-ups by customers or potential customers, by offering various incentives, such as loyalty programs, discounts, and access to premium features and content. Businesses that obtain personal data using such common tactics should be aware of the CDPA's watered-down (compared to the CCPA) non-discrimination clause:
Nothing in this subdivision shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out pursuant to § 59.1-573 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
Unlike its California counterpart, Virginia's new law explicitly allows controllers to offer different prices or service levels to consumers who participate in a loyalty program or otherwise allow the controller to sell their data or process their data for targeted advertising or profiling without having to disclose the valuations and value comparisons that are required under the CCPA and the CPRA. Therefore, the CDPA does not impose any obligations on organisations' direct marketing in connection with loyalty, rewards, or other similar programs, though it is possible that the Virginia Attorney General may issue regulations further clarifying these and other issues under the law.
Like other data privacy schemes, including the GDPR and the CPRA, the CDPA provides purpose limitation requirements. In particular, it states that:
A controller shall…not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent.
In indirect collection scenarios, such as where a controller obtains data from a third party, the third party should have obtained, at collection, all rights necessary to permit it to share the data and the recipient(s) to use it in the desired manner, such as direct marketing, and the recipient controller should require the third party to represent and warrant to that effect. If the recipient controller cannot obtain such representations and warranties from the data source, it should consider obtaining the consumer's consent for new use cases, including direct marketing.
While new state privacy laws such as the CDPA do not directly regulate direct marketing, it is clear that many of the CDPA's obligations relate to direct marketing and to organisations' management of their customer relationship management databases. In addition to considering the obvious laws that address direct marketing, such as the CAN-SPAM Act and the TCPA, organisations should also consider state privacy laws such as the CDPA when carrying out campaigns and ingesting, using, sharing, and managing the data associated with such campaigns.
Kyle R. Fath, Counsel
Squire Patton Boggs, New York