Virginia’s Consumer Data Protection Act (CDPA) is expected to be signed into law by Governor Ralph Northam and will be the second comprehensive state data privacy law in the United States after the California Consumer Privacy Act of 2018 (CCPA). The CDPA comes into effect on January 1, 2023—the same date that the California Privacy Rights Act (CPRA) amendments take effect—and will require entities subject to the law to coordinate their efforts to ensure compliance with their growing obligations under these dynamic state privacy law developments. We explore the CDPA in more detail below.
Overview of the CDPA
The CDPA will apply to companies that conduct business in Virginia, or that target their products and services to Virginia residents, and that either: (i) control or process personal data of at least 100,000 Virginia residents or (ii) control or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
As with the CCPA, the CDPA has several broad entity-type and data-type exemptions. The CDPA will not apply to nonprofits, institutions of higher education and entities governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). The CDPA also exempts personal data belonging to individuals acting in commercial or employment contexts, protected health information governed by HIPAA and health records governed by other healthcare-related state and federal laws, and data regulated by the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act and Farm Credit Act.
CDPA uses the term “controller” to describe the entity that determines the purpose and means of processing data. Controllers have a number of responsibilities under the CDPA that are reminiscent of the obligations that apply to “businesses” under the CCPA/CPRA and “controllers” under the General Data Protection Regulation (GDPR). Controllers must:
Obtain consent prior to collecting and processing sensitive personal data (g., data revealing certain protected characteristics, genetic or biometric data, data collected from children or precise geolocation data)
Comply with data processing principles that ensure purpose limitation of personal data and data minimization
Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data
Enter into a written contract with third-party “processors” that process data on the controller’s behalf that set forth the instructions and limitations on how the processor may process personal data, including the data that are subject to processing, the duration of processing and the rights and obligations of both parties
Conduct and document a data protection assessment when processing sensitive data or conducting activities related to targeted advertising, selling personal data, profiling and other activities that present a heightened risk of harm to consumers
Inform consumers of the various privacy rights afforded to them under the CDPA and honor those rights.
Consumers have a number of privacy rights under the CDPA that, again, are reminiscent of those found in the CPRA and the GDPR. These rights include the right to:
Confirm whether the controller is processing the consumer’s personal data and right to access such personal data
Correct inaccuracies in the personal data
Delete personal data
Request that the controller port the consumer’s personal data in a readily usable format
Opt out of the processing of personal data for purposes of targeted advertising
Opt out of the sale of personal data
Opt out of profiling that results in legal or significant effects concerning the consumer (e., decisions that result in the denial of financial or lending services, housing, insurance, education, enrollment, criminal justice, employment opportunities, healthcare services or access to basic necessities).
In the event a company refuses to honor a request, consumers will have the right to appeal the company’s refusal.
Controllers are prohibited from discriminating against a consumer for exercising these rights, which includes denying goods or services, or charging different prices for goods or services or providing a different level of quality of goods or services. The caveat is that controllers may offer different prices or quality for goods or services if it is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.
The Virginia Attorney General has exclusive enforcement authority under the CDPA and may issue civil penalties of up to $7,500 per violation. Unlike the CCPA, the CDPA does not create a private right of action for Virginia consumers.
How Does the CDPA Compare to the CCPA?
With the passage of the CDPA, Virginia joins California as one of two states in the country with a comprehensive data privacy law. Companies already complying with the CCPA have a head start on their compliance efforts but will need to plan adjustments to their privacy compliance program to take into account both the CPRA and the CDPA, which take effect on January 1, 2023.
Fortunately, the CDPA and CCPA share many commonalities, such as the disclosures required in privacy notices, certain consumer rights and reasonable security requirements. However, the CDPA does contain a number of meaningful differences from the CCPA and CPRA, some of which we detail in the chart below.
Virginia Consumer Data Protection Act (CDPA)
California Consumer Protection Act (CCPA)
* indicates that this provision will come into effect January 1, 2023
For-profit entities that conduct business in Virginia or offer products or services targeted to residents in Virginia and (i) control or process the data of at least 100,000 consumers or (ii) control or process the data of at least 25,000 consumers and derive more than 50% of revenue from the sale of personal data
For-profit entities that collect personal information from California residents and meet any of the following thresholds: (i) at least $25 million in gross annual revenue; (ii) buys, sells or receives personal information about at least 50,000 California consumers, householders or devices for commercial purposes; or (iii) derives more than 50% of its annual revenue from the sale of personal information
* (ii) above is replaced with “buys, sells or shares personal information of 100,000 or more California residents or households”; (iii) above is replaced with “derives 50% or more of annual revenue from selling or sharing California personal information”
Covered personal information
Any information that is linked or reasonably associated to an identified or identifiable natural person
Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household
Consent is required to process “sensitive data” which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, biometric data, personal data collected from a known child and precise geolocation data
Not currently covered
* New categories of “sensitive personal information,” including Social Security numbers (SSNs), driver’s license, financial account and card numbers, precise geolocation, racial and ethnic characteristics, religious and philosophical beliefs, union membership, contents of mail, email and text messages, and genetic and biometric data
Employee and business-to-business (B2B) exemptions
CDPA does not apply to personal data associated with individuals acting in a commercial or employment context; there is no expiration for this exemption
Exemptions are set to expire on January 1, 2023
Know, access and confirm
Opt out of sale (defined as the exchange of personal data for monetary consideration)
Opt out of processing for targeted advertising
Opt out of profiling
Know and access
Opt out of sale (more broadly defined as the exchange of personal information for monetary or other valuable consideration)
* Rectification and correction
* Out out of sharing for cross-context behavioral advertising
* Limit use and disclosure of sensitive personal information
* Opt out of the use of automated decision-making
Requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller
The contract should include:
Type of data
Duration of processing
The rights and obligations of both parties, with specific obligations for the processor
Mandatory contracting requirements for “service providers” and “third parties” to whom the company does not sell data
* Mandatory contracting requirements for “contractors” to whom the company makes available personal information for a business purpose
Data protection assessments
Yes, for the following processing activities:
The processing of personal data for targeted advertising
The sale of personal data
The processing of personal data for purposes of profiling
The processing of sensitive data
Processing activities involving personal data that present a heightened risk of harm to consumers
Not currently required
* Cybersecurity audits and risk assessments will be required for companies whose processing presents a significant risk to consumer privacy or security
Enforced by the attorney general
Enforced by the attorney general
* Creation of new California Privacy Protection Agency (Agency) for enforcement, rulemaking and guidance
Private right of action
Limited private right of action for breach of unredacted or unencrypted personal information due to failure to maintain reasonable security practices
* Private right of action will be available for breach of email address and password or security question and answer that would allow access to account
Yes, 30 days for Attorney General enforcement
* Removes the 30-day cure period and gives the Agency discretionary power to provide the business with a time period to cure
Penalties and damages
Up to $7,500 for each violation
Up to $2,500 for each violation and $7,500 for each intentional violation
*Automatic $7,000 fine for a violation involving the personal information of minors
Statutory damages from $100-$750 per violation.
The Future of US Privacy Law Is Still Pending
Despite repeated and ongoing efforts to present and pass a comprehensive federal privacy law, as of the date of this article, there does not appear to be any particular bill that has gained significant traction in either the US House of Representatives or the Senate. In the absence of a federal standard, many states, such as Oklahoma, Washington, Florida, Minnesota and New York, have followed California’s example in introducing and considering comprehensive state data privacy bills, with varying levels of success. The common themes are predictably centered on notice, consumer privacy rights and related business obligations. Issues related to enforcement, and in particular, whether private rights of action should be permitted, have stalled bills both at the state and federal level. That said, in light of what appears to be a heightened awareness and focus on privacy and cybersecurity issues, companies can expect new or additional modifications and updates to their data privacy and security programs in the coming years.
The content of this article is based on our review of the bills passed by the Virginia General Assembly and Senate. We do not anticipate the content of the consolidated bill, or the version signed into law by the Governor of Virginia, to differ materially from the law as described herein. We will update this article, as necessary, to reflect the law as passed.
Saba Bajwa, a law clerk in our Los Angeles office, also contributed to this On the Subject.