Virginia: What to do if you are unregulated, a CCPA 'business,' or a GDPR data controller?
Virginia is poised to be the second U.S. State to enact a comprehensive privacy law, with Senate Bill 1392 to Amend the Code of Virginia by adding in Title 59.1 a Chapter Numbered 52, Consisting of Sections Numbered 59.1-571 - 59.1-581, relating to the Consumer Data Protection Act ('CDPA') due to take effect on 1 January 2023. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, discusses what this means if you are: (i) an unregulated entity that had not undertaken privacy compliance before; (ii) a 'business' who has undertaken compliance for the California Consumer Privacy Act of 2018 ('CCPA'); or (iii) a 'data controller' who has undertaken compliance for the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Does CDPA apply to me?
Yes, if you:
- either: (i) conduct business in the Commonwealth of Virginia; or (ii) produce products or services that are targeted to residents of Virginia; and
- either (i) during a calendar year, control or process personal data of at least 100,000 consumers; or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data; and
- do not fall into one of the exceptions in the law. Exceptions generally include: financial institutions under the Gramm-Leach-Bliley Act of 1999; covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'); information which is de-identified pursuant to HIPAA; information under the Fair Credit Reporting Act of 1970; information under the Driver's Privacy Protection Act; information under the Family Educational Rights and Privacy Act; or certain information in the employment context.
What if I don't comply?
The CDPA does not have a private right of action but is enforceable by the Attorney General ('AG') with a 30-day cure period after notice of violation. Violations are subject to penalties of up to $7,500 per violation. All penalties are paid into the Consumer Privacy Fund to be used to support the work of the AG to enforce the law.
10 things to do for the CDPA for 'unregulated entities'
1. Establish a process to address consumer request
- Map your information and know where it is held and by whom. This should include information held by your processors as well as third parties.
- Assess whether you engage in profiling/targeted advertising.
- Establish methods for submitting consumer requests. (This should be reliable and secure and should include a process for opting out of profiling/targeted advertising and a process for opting into the processing of sensitive information (see below) or the information of a 'known child').
- Establish a process for authenticating/verifying the identity of the requester.
- Establish a process for ensuring that the requests are handled and responded to on time.
- Establish a process for the individual to appeal your refusal of a request.
What does the bill say:
- Similar to the CCPA, the CDPA grants individuals rights in the personal information collected about them. These include the right to know what information is held, to obtain a copy of it in a portable format, and to have it deleted.
- Similar to GDPR (and the bill for the Washington Privacy Act (SB 5062) ('WPA')), the CDPA also includes the right to have incorrect information about yourself corrected ('rectification').
- Similar to CCPA and to some extent also to the California Privacy Rights Act of 2020 ('CPRA'), the CDPA also includes the right to opt out of a sale of personal information, as well as the right to opt-out of profiling and targeted advertising.
- Unlike the CCPA/CPRA and the WPA, the CDPA defines 'sale' more narrowly as 'the exchange of personal data for monetary consideration,' and includes exceptions such as the disclosure to an affiliate of the controller or disclosure of information that the consumer: (i) intentionally made available to the general public via a channel of mass media; and (ii) did not restrict to a specific audience.
- Unlike the CCPA, the CDPA allows the consumer to opt out of 'profiling' if it is conducted 'in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.' Profiling is defined as 'automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.' This is similar to the ability to restrict automated decision making under Article 22 of the GDPR.
- Unlike the CCPA, the CDPA does not specify the methods to be used for submitting consumer requests, but rather says that: 'Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.' The method may rely on an existing account but cannot require the consumer to create a new one.
2. Implement data minimisation in the collection of data
- Using your data mapping exercise, assess, with your stakeholders, which of the information you collect is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer.
- Determine – is there data which is not necessary and can be foregone? Is there data that you need but is not accurately reflected in your privacy disclosure?
3. Implement a process for purpose limitation
- Check your data processing mapping/ledgers and analyse the data against the stated purposes. Do they match?
- Analyse whether the processing is reasonably necessary and proportionate to the purposes listed, and whether the data collected is adequate, relevant, and limited to what is necessary in relation to those purposes.
- Document your analysis and revisit it regularly.
4. Establish a process to avoid processing data in a discriminatory manner prohibited by law
- Assess State and Federal laws that prohibit unlawful discrimination against consumers and ensure your data collection and processing practices are aligned with it. Document your analysis and revisit it regularly.
- Establish and check your processes to ensure that you do not discriminate against a consumer for exercising any of their consumer rights, including denying goods or services, charging different prices or rates, or providing a different level or quality of goods.
- Assess your loyalty, rewards, premium features, discounts, and club card programs to make sure that they are in line with this.
5. Establish and maintain reasonable administrative, technical, and physical data security policies
- Implement information security measures which are in line with industry standards for the type of information that you process (if such exists).
- Align your practices with a data security framework such as the National Institute of Standards and Technology's ('NIST') Framework for Improving Critical Infrastructure Cybersecurity ('the Cybersecurity Framework'), the International Organization for Standardization's ('ISO') 27001, and the Center for Internet Security ('CIS') Top 20 Critical Security Controls, etc.
- Follow recent enforcement actions and case law regarding information security, including Federal Trade Commission enforcement actions, as indicators of what regulators consider 'reasonable.'
- Document your security measures and assess them regularly.
6. Adopt, improve and expand privacy notices
- Develop and implement a reasonably accessible, clear, and meaningful privacy notice which addresses all of your relevant processing of personal information (online and offline).
- The privacy notice should include: the categories of information processed; the purpose; how to exercise consumer rights; categories of personal data shared with third parties; any sale of personal data; and any processing for targeted advertising.
7. Implement a data processing agreement, per the requirements of the law, with each processor that handles personal information for you
The agreement should include:
- clear instructions for processing data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of the processing;
- the rights and obligations of both parties;
- obligations re de-identified data (see below);
- obligation on processor's personnel and sub-processors to be bound by a duty of confidentiality;
- obligation on the processor to return or delete the data at the controller's choice;
- obligation on the processor to make available to the controller all information in its possession necessary to demonstrate compliance with the CDPA obligations; and
- obligation on the processor to allow, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor, or to arrange for a periodic third-party audit itself and present the results to the controller.
8. Adopt a process for data protection assessments
- Assess which of your data processing activities include: sale of personal data; targeted advertising; profiling which may cause risk; sensitive data; or processing which presents a 'heightened risk of harm.'
- For each such processing, identify (and document) and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing. Consider the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed.
- For each risk identified, identify (and document) measures to mitigate the risk such as the use of de-identified data.
- Document the assessment and be ready to disclose it if requested by the AG.
What does the bill say:
Even though the data protection assessment is similar to the GDPR's data protection impact assessment, the set of processing activities for which it is required is much broader. The requirement applies only to processing activities created or generated after 1 January 2023; it is not retroactive.
9. Adopt a process for de-identified information
- Take reasonable measures to ensure that the data cannot be associated with a natural person.
- Publicly commit to maintaining and using de-identified data without attempting to reidentify the data.
- Contractually obligate any recipients of the de-identified data to comply with these provisions.
- Adopt policies and procedures to ensure the above are implemented.
10. If you are a data processor: adopt a process to facilitate the controller's obligations
- Adopt a process to assist the controller in responding to consumer rights requests. Is the relevant information readily available to provide to the controller in a format that is easy to handle?
- Adopt information security measures.
- Develop and maintain the documentation and/or certification necessary to provide the controller the necessary information to enable the controller to conduct and document data protection assessments.
10 things to do for the CDPA for companies who have undergone CCPA compliance
1. Ensure that your CCPA rights and processes apply to Virginia Residents and establish an appeal process for refusal to take action on a request within a reasonable time
2. Establish process for rectification of information (correcting inaccuracies)
3. Establish a process for opting out of profiling/automated processing and targeted advertising
4. Implement data minimisation (this is also needed for the CPRA)
5. Implement a process for purpose limitation
6. Implement a process for opt-in consent for sensitive information
- The CDPA concept of 'consent' uses the GDPR definition: freely given, specific, informed, and unambiguous. If it is also interpreted as it has been in the EU (see the European Data Protection Board's Guidelines 05/2020 on Consent under Regulation 2016/679, and the Norwegian data protection authority's decision to fine Grindr LLC for consent violations), it significantly changes business processes. However, a specific section of the CDPA permits offering a different 'price, rate, level, quality, or selection of goods or services to a consumer' if the consumer has opted out of targeted advertising or the offer is related to a loyalty, rewards, or discount program, and this may apply to some situations requiring consent.
- The CDPA concept of 'sensitive data' includes GDPR concepts such as racial or ethnic origin, religious beliefs, physical or mental health, sexual orientation, and genetic or biometric data, but also citizenship or immigration status, personal data collected from a known child, and precise geolocation data. 'Precise geolocation data' is defined as information derived from technology that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.
7. Implement clear and conspicuous disclosure of sale for targeted advertising and the manner for exercising an opt out
8. Review your service provider agreements to make sure they include all the provisions required (see above)
9. Adopt a process for data protection assessments (see above)
10. If you are a data processor - adopt a process to facilitate the controller's obligations re: consumer rights (see above)
10 things to do for the CDPA for companies who have undergone GDPR compliance
1. Make sure you are on top of your GDPR obligations and that they apply to Virginia residents
For example, consider data minimisation, lawful and fair processing, and purpose limitation.
2. Amend your privacy notice for specific requirements.
3. Amend and adapt your Article 28 processor agreements to account for CDPA-specific requirements (e.g. obligations regarding de-identified information)
4. Assess and adapt your Article 32 security measures (e.g. do they account for state and federal data breach reporting obligations?)
5. Address the concept and opt out process for 'sale'
6. Tweak your data subject access request process
Consider how you will address profiling, targeted advertising, and those parts of 'sensitive information' that are not subsumed in Article 9 covering special category data (e.g. children's information and precise geolocation).
7. Establish an appeal process for refusal to take action on a consumer request within a reasonable time
8. Implement verified parental consent processes for 'known children' in accordance with the Children's Online Privacy Protection Act of 1998
9. Adopt a process for and conduct data protection assessments
If re-purposing Data Protection Impact Assessments as under the GDPR, make sure they are in a form that can be submitted to the AG.
10. Adopt a process for de-identified information
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia