Virginia: How consumer rights under the CDPA compare to existing privacy laws
This article is the first in a series of articles analysing various aspects of the Consumer Data Protection Act ('the CDPA'). In this article, Glenn Brown, Of Counsel at Squire Patton Boggs, provides an overview of consumers' rights under the CDPA and how those rights differ from those provided under the California Consumer Privacy Act of 2018 ('CCPA'), the California Privacy Rights Act ('CPRA'), which amends and will essentially replace the CCPA on 1 January 2023, and the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The description of the CPRA is current as of March 2021 but note that key aspects of it will be further defined through regulations that have yet to be promulgated. For a summary of how certain key terms are defined in the CDPA, please see 'Key defined terms' below.
Rights of consumers under the CDPA
The CDPA provides Virginia residents with the following rights:
Right to access
The CDPA provides consumers with a right to know whether a controller processes the consumer's personal data and to access such data.
Right to correct
The CDPA provides consumers with a right to correct inaccuracies in a consumer's personal data.
Right to delete
The CDPA provides consumers with a right to request that a controller delete all personal data collected about the consumer from any source. However, this (and other aspects of the CDPA) is subject to a controller's and impacted parties' exercise of their First Amendment rights and to reasonably expected ongoing internal uses.
Right to opt-out
The CDPA provides consumers with a right to opt-out of the processing of personal data for the following purposes:
- targeted advertising (defined to include displaying advertisements that are selected based on personal data obtained from that consumer's activities over time and across non-affiliated websites to predict the consumer's preferences or interests), subject to several exceptions;
- the sale of personal data; or
- 'profiling' (i.e., automated processing to infer certain personal attributes) 'in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.'
The right to opt-out of processing for this last purpose is interesting – it allows a consumer to opt-out of a controller's use of automated processing to make a decision, '… that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.'
However, the use of personal data to make decisions about lending, housing, insurance underwriting, or employment is generally regulated by the federal Fair Credit Reporting Act of 1970, and so in most cases will be exempt from compliance with the CDPA. This could create confusion for consumers and headaches for controllers that engage in these types of processing activities.
Right to appeal decisions
The CDPA gives consumers the right to appeal a controller's refusal of a request. Within 60 days of receiving an appeal, a controller must inform the consumer in writing of its response to the appeal, including a written explanation of the reasons for the decision. If the controller denies the appeal, it must also provide the consumer with an online mechanism (if available) or other method through which the consumer can submit a complaint to the Virginia Attorney General ('the AG').
Comparison of consumer rights under the CDPA, CCPA, CPRA, and GDPR
Below is a chart summarising what consumer rights are provided under the CDPA, CCPA, CPRA, and GDPR.
| Right | CCPA | CPRA | CDPA | GDPR |
|---|---|---|---|---|
| Right to access | ✓ | ✓ | ✓ | ✓ |
| Right to confirm personal data is being processed | Implied | Implied | ✓ | ✓ |
| Right to data portability | ✓ | ✓ | ✓ | ✓ |
| Right to delete | ✓ | ✓ | ✓ | ✓ |
| Right to correct inaccuracies/right of rectification | ✕ | ✓ | ✓ | ✓ |
| Right to opt-out of sales | ✓ | ✓ | ✓ | ✓* |
| Right to opt-out of targeted advertising/cross-context advertising | ✕** | ✓ | ✓ | ✓ |
| Right to object to or opt-out of automated decision-making | ✕ | ✓ | ✓ | ✓ |
| Opt-in or opt-out for processing of 'sensitive' personal data? | ✕ | Opt-out† | Opt-in | Opt-in†† |
| Right to object to/restrict processing generally | ✕ | ✕ | ✕ | ✓ |
| Right to non-discrimination | ✓ | ✓ | ✓ | Implied |
*Selling personal data under the GDPR generally would require the consent of the data subject for collection and would be subject to the right to object to processing.
**However, certain data disclosures inherent in this type of advertising are arguably a 'sale,' subject to opt-out rights.
†Under the CPRA, consumers' opt-out rights do not apply to processing sensitive personal information for certain limited purposes.
††Under the GDPR, processing sensitive personal information is allowed with explicit consumer consent or where it is otherwise justified under another recognised lawful basis.
Key differences between the CDPA and the CCPA, CPRA, and GDPR
- Broader right to access. Unlike the CCPA, the CPRA and CDPA do not limit the 'look-back' period for personal data that a controller is required to provide to the requesting consumer; however, under the CPRA, the look-back can be limited to the extent providing access beyond the prior 12 months would be 'impossible or would involve disproportionate effort.' Similar to the GDPR, the CDPA's right to access applies to personal data in the controller's possession, whenever collected, unless a request is manifestly unfounded, excessive, or repetitive. The CCPA/CPRA provides an ability to reject requests that are 'manifestly unfounded or excessive.'
- Broader right to correct. Unlike the CPRA, which does not require a business to use disproportionate efforts in responding to a request and acknowledges that a business must have methods to prevent fraud in order to fulfill such requests, the CDPA does not provide any exceptions or acknowledge competing considerations in responding to requests to exercise this right.
- Broader right to delete. The right to delete under the CDPA is broader than that provided by the CCPA and the CPRA in that it applies to all personal data collected about the consumer from any source, whereas the two California privacy laws only apply to personal information collected from the consumer. Whereas the CCPA/CPRA has many enumerated retention exceptions, the CDPA has less detailed, broader exceptions that apply to all controller and processor obligations, including providing that controllers and processors shall not be restricted from retaining and using personal data to perform 'internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or performance of a contract to which the consumer is a party.' The GDPR provides a general right to delete, subject to exceptions that only apply where the processing is done for specific lawful bases (namely, with the data subject's consent, where it is necessary to perform a contract, where it is necessary for the legitimate interests of the controller or a third party, or where it is necessary to protect someone's life).
- Limited definition of 'consumer.' The CDPA specifies that a Virginia resident is only a 'consumer' when acting in an individual or household context, and expressly does not include a natural person acting in a commercial or employment context. By contrast, the CPRA and GDPR apply to consumers even when they are acting in a commercial or employment context. The CCPA has the same broad definition as the CPRA, but most consumer rights are subject to carve-outs when the consumer is acting in a commercial or employment context.
- More limited right to opt-out of 'sales.' The CDPA's required element of monetary consideration in its definition of 'sale' is a significant departure from the definition of 'sale' in the CCPA/CPRA. It also excludes all transfers to affiliates from the definition. By specifying that monetary consideration must be exchanged for personal data in order for a sale to exist, the CDPA allows a business to transfer personal data for many activities that are the focus of regulatory attention elsewhere (such as targeted advertising) without having to characterise such transfers as sales.
- Time for responding to requests. As with the CCPA and CPRA, the CDPA provides that controllers must respond to rights requests within 45 days, which period the controller may extend once for an additional 45-day period if it provides notice to the requesting consumer explaining the reason for the delay. Under the GDPR, controllers have one month to respond to such requests, which may be extended by up to two months for complex requests.
- Providing a mechanism to submit complaints to regulator. Under the CDPA, if a controller denies a consumer's appeal, it must provide the consumer an online mechanism (if available) or other method through which the consumer can submit a complaint to the AG. Neither the CCPA nor CPRA includes such a requirement, but the GDPR requires privacy notices to include a reference to the fact that data subjects have the right to complain to a data protection authority.
Key defined terms under the CDPA
- 'Consumer' means a natural person who is a resident of Virginia.
- 'Controller' and 'Processor' track the definitions in the GDPR, with the former being defined as a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data, and the latter being defined as a natural or legal person that processes personal data on behalf of a controller. These terms are similar but not identical to the terms 'business' and 'service provider' in the CCPA and CPRA.
- 'Decisions that produce legal or similarly significant effects concerning a consumer' means a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.
- 'Personal data' means any information that is linked or reasonably linkable to an identified or identifiable natural person. 'Personal data' does not include de-identified data or publicly available information, as those terms are defined. This is similar to definitions in other privacy laws, although the CDPA does not provide a list of specific categories of personal data, as the CCPA and CPRA do in their definitions of 'personal information.'
- 'Profiling' means any form of automated processing performed on personal data to evaluate, analyse, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
- 'Sale of personal data' means an exchange of personal data for monetary consideration by the controller to a third party.
- 'Targeted advertising' means, subject to certain exceptions, displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests.
Due to the differences between the CDPA and existing privacy laws, businesses will need to consider carefully the varying obligations under each of these laws, considering the nature of their business and the types of personal data they process.
In future articles in this series, we will examine additional aspects of the CDPA, such as jurisdictional scope, obligations of controllers, enforcement and the impact of the CDPA on advertising, marketing, and profiling.
Glenn Brown, Of Counsel
Squire Patton Boggs, Atlanta