Virginia Is the New California: New Privacy Requirements Arise in Virginia's Legislation
On March 2, 2021, Virginia Governor Ralph Northam signed into law the Consumer Data Protection Act (the VCDPA or the Act), making Virginia the second state, following California, to grant consumers broad privacy rights with respect to their personal information as collected by businesses both within and outside the state. The VCDPA will not take effect until January 1, 2023, but businesses should begin now to assess their potential coverage and to map out a plan for compliance.
Many businesses may have a head start on compliance if they have taken steps to comply with the California Consumer Privacy Act (CCPA) or the European Union's General Data Protection Regulation (GDPR). But there will be additional work for those businesses under the VCDPA, because the Act, while importing concepts from both of those other laws, introduces different definitions and, unlike the CCPA, requires that certain covered businesses (controllers) obtain affirmative, opt-in consent to process what is defined as "sensitive data." That requirement exceeds even those of the privacy rules implementing HIPAA[1] and the GLBA,[2] for example, which require consent only for more limited uses and disclosures (not collection) of health and financial information, respectively.
Businesses will welcome at least two aspects of the VCDPA: (i) it does not provide a private right of action, but rather vests enforcement responsibility with the state Attorney General, and (ii) it affords controllers and processors a 30-day cure period following notice of an alleged violation before the Attorney General may initiate an enforcement action.
Who Is Subject to the VCDPA?
The VCDPA covers businesses located in Virginia or marketing to Virginia consumers, subject to certain size-related thresholds. Specifically, it applies to persons (including entities) conducting business in Virginia or producing products or services targeted to residents of Virginia that (i) annually control or process the personal data of at least 100,000 consumers, or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. This is a notably narrower definition than the definition of "business" under the CCPA, which also reaches organizations with more than $25 million in annual gross revenue regardless of how many consumers' data they process. A "consumer" is any Virginia resident, but only to the extent of his or her activity in an individual or household context; when acting as an employee or as a representative of an organization, an individual is not a "consumer" for VCDPA purposes. So processing the personal data of one's own employees, or gathering personal data on officers of other companies, will not count when calculating the number of "consumers" whose personal data a company processes. This is similar to the CCPA's (currently temporary) exclusion of employee and business-to-business data.
Like the CCPA, the VCDPA also excludes from its scope entities that are regulated under certain federal privacy laws, including financial institutions subject to Title V of the GLBA and covered entities and business associates subject to the HIPAA privacy and security regulations, as well as nonprofit organizations and institutions of higher education. As a corollary exemption, the VCDPA does not apply to many categories of personal information regulated by federal privacy laws, including protected health information under the HIPAA rules, consumer report information regulated under the Fair Credit Reporting Act, personal data protected by the Family Educational Rights and Privacy Act, and children's data collected in compliance with the Children's Online Privacy Protection Act.
What Information Is Covered?
The VCDPA's definition of personal data takes the broad approach adopted by many privacy laws and protects "any information that is linked or reasonably linkable to an identifiable natural person, excluding de-identified data or publicly available information." "De-identified data" is data that "cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person." "Publicly available information" includes information (i) made available through government records or (ii) that a business "has a reasonable basis to believe is lawfully made available to the general public through widely distributed media," either by the consumer or others where the consumer has not restricted disclosure to a specific audience (the latter clause creating a significantly broader definition than exists in the CCPA).
As noted, the VCDPA prohibits processing of "sensitive data" without the affirmative, unambiguous consent of the consumer. "Sensitive data" includes: (i) personal data revealing one's race, ethnicity, religion, health diagnosis, sexual orientation, citizenship or immigration status, (ii) genetic or biometric data when processed to uniquely identify a natural person, (iii) personal data collected from a known child, or (iv) precise geolocation data.
The VCDPA's consent requirement for processing sensitive data has a parallel in the GDPR (Article 9), but the GDPR provides exceptions under which consent is not required. It also marks a key distinction from California's approach in the amended CCPA,[3] which provides consumers only with an opt-out right to limit businesses' use or disclosure of "sensitive" personal information (which itself is defined quite differently than "sensitive data" under the VCDPA). The consent requirement is broad and stands in contrast to the opt-out approach that prevails in US privacy law generally. Significantly, it could require new consent-capture systems for businesses that are not exempt under HIPAA but still process sensitive data (such as much health data).
Different Requirements Based on Who Has the Control Over the Data
Similar to equivalent data protection legislation, the VCDPA imposes more obligations on the companies that control the data than on those that provide services to them. The VCDPA regulates "controllers" and "processors" of personal data, two terms borrowed from the GDPR that roughly correspond to the CCPA's definitions of "businesses" and "service providers," respectively. A "controller" is defined as a person that "determines the purpose and means of processing personal data;" a "processor" is a person who "processes personal data on behalf of a controller."
As does the GDPR, the VCDPA details the controller's responsibilities, which include:
(1) data minimization (limiting their collection of personal data to that which is "adequate, relevant and reasonably necessary" for the relevant purposes);
(2) transparency (as under the CCPA and the GDPR, providing consumers with a "reasonably accessible, clear, and meaningful privacy notice" that describes the controller's data use and disclosure practices, any processing for targeted advertising or sale of personal data, and how consumers may opt out);
(3) privacy by design (performing data protection assessments of certain processing activities, which the Attorney General may request from a controller in an investigation);
(4) security safeguards (those necessary to adequately protect personal data); and
(5) contractually binding processors to certain privacy and security requirements.
While these obligations do not directly apply to processors in most instances, processors will likely see an increase in flow-down obligations from VCDPA controllers.
Consumer's Privacy Rights Under the VCDPA
The VCDPA, similar to the CCPA and the GDPR, contains an enumerated list of privacy rights consumers have with respect to their data. The VCDPA empowers Virginia residents with the right to access, correct, and delete their personal data, as well as the right to opt out of certain processing activities, including processing for purposes of targeted advertising, the sale of his or her personal data, and certain profiling that produces legal or similarly significant effects for the consumer. While the VCDPA does not qualify any of these rights, including the right to delete, it does provide that a controller may decline to take action on a consumer request, in which case it must give its justification for the decision as well as instructions for how to appeal it. By way of contrast, the GDPR obligates controllers to honor deletion requests only in certain enumerated situations, while the CCPA establishes a general right to deletion but gives businesses the power to reject an individual's deletion request in a number of prescribed circumstances.
What Happens if I Don't Comply?
As noted, the Virginia Attorney General has sole authority to enforce the provisions of the VCDPA. Like the CCPA as amended last November, the VCDPA creates a Consumer Privacy Fund; each fund supports the enforcement work of the respective Office of the Attorney General. Covered entities that violate the VCDPA may be subject to civil penalties of up to $7,500 for each violation, but, as noted above, are first given a 30-day opportunity to cure the violation upon receiving notice of noncompliance.
But There May be Revisions!
The VCDPA may be strengthened or otherwise changed before it takes effect, as a VCDPA work group has been appointed to consider amendments to the law. The VCDPA empowers the Chairman of the Virginia Joint Commission on Technology and Science to create a work group made up of the state's Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses that control or process the personal data of at least 100,000 persons, and consumer rights advocates. This work group is tasked with reviewing the provisions of the Act as well as issues related to its implementation. The Chairman of the Joint Commission on Technology and Science is to submit the group's findings, best practices, and recommendations to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.
What Should Companies Do?
Consider submitting comments. The working group set up to evaluate the VCDPA may consider comments submitted on provisions of the VCDPA and related implementation challenges.
Start planning now. The VCDPA will likely fundamentally change the approach many businesses need to take to protect consumer privacy. Companies that built California- or EU-specific privacy compliance programs will need to extend and revise them in accordance with the Virginia approach, including deciding how to handle Virginia's consent requirement for sensitive data. Companies should consider creating a privacy program that anticipates new laws and allows for growth, flexibility, and scalability while meeting Virginia's newly set requirements.
Think of what is next. This will be even more critical as time goes on. The enactment of the VCDPA will likely encourage other state legislatures to pass similar laws protecting consumers' privacy. Indeed, Washington and New York states have developed their own proposed legislation along the same lines. And, as momentum grows among the states to prescribe the governing rules for their jurisdictions, Congress may feel prompted to step in and take more aggressive action to create uniformity in mandates for protection of the privacy and security of personal information. Preemption of the work the states have done or may want to do in the area will meet with considerable resistance, however, so the field will likely remain open for state-level development at least for several years.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] Health Insurance Portability and Accountability Act of 1996.
[2] Gramm-Leach-Bliley Act of 1999.
[3] The CCPA was amended in November 2020 by the California Privacy Rights and Enforcement Act. See our previous Advisory.