Virginia Joins California with Passage of New State Data Privacy Law
On Tuesday, March 2, 2021, Virginia became the second U.S. state to enact a broad data privacy regime after Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law. Virginia follows California, which became the first state to pass a comprehensive data privacy law, the California Consumer Privacy Act (CCPA), in June 2018. The CCPA became operative January 1, 2020 after several amendments necessary for its implementation, which we previously covered here and here. (California is set to enact another privacy law, entitled the California Privacy Rights Act (CPRA), to update the CCPA in November 2020.) There is also a raft of other state privacy laws in the pipeline, and Virginia’s new law aligns with a trend toward states ratcheting up broadly applicable privacy-related legal obligations.
While the CCPA, CPRA and Virginia’s CDPA were all inspired by the European Union’s 2018 General Data Protection Regulation (GDPR), they contain key differences related to their applicability, definitions, exemptions, rights of action and remedies, and consent and opt-out requirements. Of particular note, the CDPA does not provide a private right of action and may only be enforced by the state’s Attorney General. Below, we highlight the key differences between the CDPA and its California analogue.
- The CDPA does not apply to businesses solely on the basis of revenue. The CDPA applies only to businesses that conduct business in Virginia—or produce products or services that target Virginia residents—and, during a calendar year, either 1) control or process personal data of at least 100,000 consumers, or 2) control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data. The CPRA and CCPA include two nearly identical prongs to these, as well as a third, which Virginia did not import. In California, a business is also covered under the state’s privacy laws if it has annual gross revenue “in excess of $25 million,” calculated by evaluating the preceding calendar year, regardless of how many consumers are implicated by the data processing or what percentage of that revenue derives from data sales. The absence of an independent revenue basis for coverage in the CDPA means it will likely apply to fewer businesses than the California privacy laws.
- The CDPA uses an expansive definition of personal data. Personal data under the CDPA is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This includes “sensitive data,” such as race, sexual orientation, religion, biometric data, mental or physical health diagnoses, precise geolocation, and personal data collected from a known child. This is similar to the definition of personal information under the CCPA and the GDPR, but somewhat narrower than the CPRA, which includes additional categories of sensitive information, such as membership in a trade union. Significantly, Virginia’s definition excludes “anonymized” or “de-identified” data—data that “cannot reasonably be linked to an identified or identifiable natural person,” or connected to a device linked to such a person. It is unclear whether device identifiers, like IP addresses, are considered personal data under the CDPA.
- The law expands consumer rights to access, obtain copies of, correct, and delete personal data that is provided to or collected by a covered company. Virginia’s definition of “consumer” under the CDPA is narrower than California’s. The CDPA defines a “consumer” as a “natural person who is a resident of Virginia, acting only in an individual or household context,” and excludes individuals acting in a commercial or employment context. It also adopts the “controllers” and “processors” framework of the GDPR, where a “controller” is the entity in a direct relationship with the consumer, and a “processor” is an entity that processes personal data on behalf of, and at the direction of, the controller. While processors are merely required to provide services to controllers in compliance with the statute, controllers are subject to the full obligations outlined in the law. Specifically, the CDPA requires controllers to:
  - limit the use of data to the purposes for which it was collected or created;
  - disclose any sale of consumer data for advertising;
  - process data only with consumer consent;
  - provide consumers with reasonably accessible notice of data collection and processing activities; and
  - implement reasonable data protections, including both administrative and technical safeguards.
Like the GDPR, the CDPA emphasizes that controllers are required to document data protection assessments of the risks and benefits of their data processing activities after the law takes effect.
- The CDPA includes a requirement for affirmative consent to all processing of sensitive data. Unlike California, Virginia’s law does not provide an opt-out right for sensitive data but rather an affirmative “opt-in” requirement similar to the GDPR. This stricter standard for sensitive data requires businesses to obtain consent from consumers before any collection or processing of sensitive data through a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement.” In California, the default option allows businesses to collect and process sensitive data unless and until the consumer acts to limit its use. The affirmative consent model will likely be more cumbersome for businesses to comply with, but may provide more meaningful protection of sensitive data for consumers. It remains unclear how this affirmative obligation to obtain consent will apply to data that is already in the possession of covered businesses before the new law goes into effect.
- The CDPA gives consumers a limited right to opt out of the processing of personal data for targeted advertising, sale, or profiling. Unlike the California laws, Virginia limits consumer opt-out rights to situations where data is sold for money. This opt-out right does not apply to “sharing” of data with third parties without monetary compensation—which often occurs in targeted advertising, which uses personal information about consumer activity across businesses. Businesses covered by the law will be expected to provide a secure, simple and reliable mechanism for consumers to opt out and exercise their additional rights to access, deletion and portability of their personal data. Compliance with this opt-out mechanism may be tricky in practice; in California, consumer advocates have expressed dismay at how ineffective many businesses’ opt-out mechanisms are.
- The CDPA does not include a private right of action for consumers. Only the state’s Attorney General can enforce violations under the CDPA, which provides that the state may seek damages up to $7,500 per violation after the expiration of a 30-day cure period. This stands in stark contrast to California’s law, which includes a private right of action under certain circumstances. The Virginia Attorney General has not issued guidance regarding its enforcement priorities, and it remains to be seen whether and to what extent the state will deploy its resources to consumer privacy protection.
- The CDPA prohibits discrimination against consumers. Notably, like California’s laws, the CDPA prohibits discrimination against consumers who exercise their privacy rights under the law, but in Virginia businesses will be allowed to offer different tiers of pricing and services for consumers participating in “loyalty programs”—implicitly taking the position that the rewards associated with participation in a loyalty program do not constitute discrimination in favor of consumers who waive their privacy rights by joining the program.
- The CDPA provides broader exemptions than the California privacy laws. The CDPA expressly does not apply to financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and nonprofit or educational institutions subject to the Family Educational Rights and Privacy Act (FERPA). Data covered by a number of federal laws, including, but not limited to, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), is also exempt under the CDPA. By contrast, the California framework includes narrow exemptions for certain categories of data, such as personal health information protected under HIPAA, but not for the entities subject to those laws.
- The CDPA does not include a “look-back” window. Virginia’s CDPA and California’s CPRA officially go into effect January 1, 2023. However, unlike the CPRA, under which businesses must practically comply by January 1, 2022 to avoid penalties for the 12-month period leading up to the official operative date, Virginia’s law does not currently include a retroactive look-back period. Businesses subject to the CDPA will have time to evaluate their compliance programs and make changes before the Virginia law is operative in 2023.
Several other states, including Washington (whose senate privacy bill the CDPA was modeled after), New York, Florida, Oklahoma, Minnesota, and Utah, are currently considering enacting their own variations of broad data privacy laws. The growing patchwork of data privacy regimes across states underscores the absence of a broad federal consumer data protection law in the United States. Large businesses with multistate or national reach should anticipate an increasingly complex landscape as they work to comply with each state’s privacy laws.