Virginia is For Privacy, Part 1
The slogan “Virginia is For Lovers” was created more than fifty years ago for the Virginia State Travel Service, which is now known as the Virginia Tourism Corporation, and is still used today. This enduring slogan was even inducted by popular vote into the Madison Avenue Advertising Walk of Fame on September 21, 2009. The Commonwealth of Virginia may need to adopt a new slogan for 2021 and beyond, “Virginia is For Privacy.”
Proposed privacy bills were introduced in the Virginia House (HB 2307) and Senate (SB 1392) in January 2021. The Virginia legislature was able to quickly steer one of those comprehensive privacy bills through the process. On March 2, 2021, Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) into law. Virginia became the second state to enact a comprehensive consumer privacy law. Although the CDPA shares some similarities to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), it blazes some new trails.
This summary addresses three basic issues, who is covered under the new law, what privacy-related rights consumers will have under the new law, and when the new law will be effective. If you love privacy or simply need to know more about the CDPA in order for your business to meet the new requirements, check the Resources page on our site in the coming weeks for additional blog postings addressing the other new requirements under the CDPA.
I. Who is covered by the CDPA?
The CDPA applies to any person that conducts business in Virginia or produces products or services targeted to residents of Virginia and that:
- Controls or processes personal data of at least 100,000 consumers during a calendar year; or
- Controls or processes personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data.
Unlike the CCPA and CPRA, the CDPA does not include a revenue threshold. All businesses, regardless of gross annual revenue, will be subject to the CDPA if they meet the criteria outlined above and are not otherwise subject to one of the five entity-level exemptions under the new law. The CDPA does not apply to the following entities:
- Any financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act (GLBA);
- Any covered entity or business associate subject to the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act;
- Any nonprofit organization; or
- Any institution of higher education.
The GLBA and HIPAA entity-level exemptions differ from the data-based exemptions under the CCPA and CPRA. Under the CDPA, a business subject to GLBA or HIPAA will be exempt from the entirety of the CDPA even if the business collects data not subject to GLBA or HIPAA.
II. What rights will consumers have under the CDPA?
The CDPA adopts the “controller” and “processor” terminology used under the European Union’s General Data Protection Regulation (GDPR), but Virginia residents are referred to as “consumers” instead of “data subjects.” The CDPA provides consumers with the following new rights:
- Right to confirmation and access: To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data.
- Right to correct: To correct inaccuracies in the consumer’s personal data with consideration for the nature of the personal data and the purposes for processing such data.
- Right to delete: To delete personal data provided by or obtained about the consumer.
- Right to data portability: To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that will allow the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
- Right to opt out: To opt out of the processing of the consumer’s personal data for the following purposes: (1) targeted advertising; (2) the sale of personal data; or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Note: The term “profiling,” as used under the CDPA, means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Right to appeal: To appeal a controller’s denial to act within a reasonable time.
Although Virginia may appeal to tourists, this last right, the right to appeal, will require controllers to do more than adopt a catchy slogan. The right to appeal adds new compliance and disclosure requirements to a controller’s consumer response process - and new risks. To comply with these new appeal requirements, controllers will need to, among other things, establish a “conspicuously available” process for consumer appeals similar to the process for submitting other consumer rights requests.
The CDPA requires a controller to respond to a consumer request within 45 days of receipt of the request. This response deadline may be extended for an additional 45 days where reasonably necessary, provided the controller notifies the consumer of the extension before the end of the initial response period and provides a reason for the extension. If a controller declines to act on a consumer’s request, the controller must inform the consumer without undue delay, but in all cases within 45 days of receipt of the request, of its justification for declining to take action and provide instructions on how the consumer may appeal the decision.
Within 60 days of receipt of an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.
III. When will the CDPA be effective?
The CDPA will become effective on January 1, 2023, the same date that the new requirements under the CPRA will also become effective. Unlike the CPRA, the CDPA did not establish a separate data protection agency. Instead, the CDPA created a “temporary” privacy working group, as follows:
The Chairman of the Joint Commission on Technology and Science shall create a work group composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates. The work group shall review the provisions of this act and issues related to its implementation. The Chairman of the Joint Commission on Technology and Science shall submit the work group’s findings, best practices, and recommendations regarding the implementation of this act to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology, and Innovation no later than November 1, 2021.
Time will tell whether the Virginia legislature will amend the CDPA to address the findings of this working group or provide specific guidance to the industry on some of the key statutory requirements. Although the Attorney General has the exclusive authority to enforce the requirements of the CDPA, the law did not delegate specific rulemaking mandates to the Attorney General.
Businesses that have already implemented a CCPA compliance program will be able to leverage some of their existing policies, notices, procedures, and processes to comply with the new Virginia law. However, there are differences between the Virginia and California laws, so a “cut and paste” approach will leave compliance gaps. We have covered the “who,” “what,” and “when” in this quick tour of the new law. We will cover other requirements in subsequent blog postings.
The good news is that businesses have until January 1, 2023 to navigate the new CDPA and CPRA requirements, but the clock has started ticking to that deadline. It took some time for businesses to stand up their CCPA compliance programs, so it is important that businesses use this time to plan for these new requirements, assess gaps in their current privacy compliance programs, and draft and implement new policies, notices, procedures, and processes, as needed.
In any scenic drive through Virginia, you would likely keep an eye out for other traffic on the road. Several state legislatures are driving on the same scenic privacy road. Florida, Oklahoma, Washington State, and other state legislatures are still considering comprehensive privacy bills. One or more new state privacy laws may still be enacted in 2021 with effective dates prior to January 1, 2023 or with unique requirements. Virginia may be for lovers of privacy, but a growing patchwork of differing state privacy laws may leave everyone hoping for the enactment of a comprehensive federal consumer privacy law.