Virginia is the latest state to adopt a consumer privacy law, with the Virginia Consumer Data Protection Act (CDPA) signed by the governor in early March. The bill adopts some of the terms seen in the California Privacy Rights Act (CPRA), most notably regarding the collection of sensitive personal data and privacy notice requirements.
The terms of the new law do not go into effect until the first day of 2023, and will only apply to select businesses at that time: those that either control or process data for at least 100,000 state residents, or that make 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. One interesting difference from the California consumer privacy law is that the CDPA does not have a revenue threshold; in California, a business generating more than $25 million in annual revenue is subject to the CPRA regardless of its number of customers or records.
Does the Virginia consumer privacy law provide robust protection?
Virginia is providing its residents with roughly equal protections in terms of the scope of personally identifiable information that is covered, but one key difference is that the CDPA only applies to data that is sold. There must be a direct “monetary consideration” for the data protection terms to be applicable.
The bill’s targeted advertising protections also have language that requires careful attention. Virginia residents will have the right to opt out of targeted advertising and profiling programs. However, information obtained directly from consumer visits to the organization’s website does not qualify as “targeted advertising” under Virginia’s terms. It would appear that sites (and possibly apps) can gather user information and use it for internal targeted advertising, but if the gathered data is shared with third parties (such as advertising networks) the publisher would then be required to disclose it to the consumer and provide them with a clear and verifiable way of opting out. The publisher is also required to communicate the consumer’s desire to opt out to any third parties it is sharing data with.
Virginia consumers will be getting personal data management rights comparable to those currently available in California. They will have the right to view collected data, correct inaccuracies, delete data, and be informed of exactly what is being sold to other parties. Data controllers will also have to be more careful about how they handle the personal data of Virginians. There are new restrictions that limit data collection only to what is adequate, relevant, and reasonably necessary for the purpose of the processing. Categories of “sensitive data” can also no longer be processed; this includes information that reveals racial or ethnic origin, sexual orientation, biometric data, and geolocation. Data controllers will have to obtain clear consent from the consumer to process anything in these protected categories.
The new consumer privacy law also creates new security requirements for data controllers: ” … reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data” are now required. Data controllers will also be required to conduct documented data protection assessments for certain categories of processing activity that include targeted advertising and any sale of sensitive or personal information. Organizations will have 45 days to comply with consumer rights requests with the ability to apply for one 45 day extension per case when a need can be demonstrated.
The Virginia Attorney General is the sole enforcement body for the CDPA, with no provisions granting state residents a right to private remedies (another key difference from the California consumer privacy law). Organizations will be given 30 days to correct CDPA violations once notified. Violators can be hit with $7,500 in damages for each violation with an additional $7,500 in civil penalties.
There are some industries that are exempt from the terms of the new consumer privacy law: health care organizations that are covered by HIPAA, financial institutions or related data handlers subject to the terms of the Gramm-Leach-Bliley Act (GLBA), nonprofits and higher education institutions.
Similarity between other consumer privacy laws
At a glance it would appear that Virginia’s forthcoming consumer privacy law is roughly comparable to California’s bill, perhaps watered down a bit in certain areas. But as Aaron Simpson, Partner and cybersecurity team leader for Hunton Andrews Kurth, notes, it defines the sale of data in legal terms more clearly than any prior efforts in the US: “Although Virginia’s law borrows certain concepts from the CCPA and the GDPR, it differs in some key ways … By defining concepts like “sale” in a manner that is more easily discernible and intuitive than in CA, Virginia’s law arguably will allow deliver stronger privacy protection to consumers by forcing businesses to focus on implementing meaningful enhancements rather than exhausting resources grappling with confusing requirements in contexts where individual privacy concerns are greatly reduced as a normative matter.”
Other states currently working on consumer privacy laws that resemble Virginia and California’s terms include Florida, Minnesota, New York, Oklahoma and Washington. Nevada and Vermont have additionally adopted data privacy bills that put restrictions on data brokers, but do not otherwise have similarly expansive terms.