On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first legislation of its kind on the East Coast. The law will go into effect on January 1, 2023.

The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.

Who will be impacted?

The bill’s scope appears to have been carefully drafted to avoid imposing obligations on small businesses and non-profits. Like California’s legislation (but unlike GDPR) the bill contains exclusions for nonprofit organizations, regardless of size, and for small and many medium-sized businesses. Like both GDPR and CCPA, however, it does apply to businesses located inside and outside of Virginia, if they meet the thresholds in the bill and target Virginia consumers.

  • Businesses Inside and Beyond Virginia: The “long-arm” nature of the statute is reminiscent of GDPR in that it applies not only to businesses that are physically located in Virginia, but also to any business, regardless of location, that “targets” Virginia consumers. This concept of targeting was first incorporated into GDPR to distinguish between businesses that did not intend EU/UK residents as their audience (even if they had a website, for example, that was technically accessible from the EU/UK) as compared to businesses that are actively marketing to EU/UK data subjects.
  • Annual Volume of Virginia Consumer Data is Key: Businesses (“controllers”) that meet the first test above still have to meet one of two additional thresholds to be subject to the new legislation. The Act will apply to controllers who, during a calendar year, control or process the personal data of either:
    • At least 100,000 Virginia consumers, or
    • At least 25,000 Virginia consumers, if the controller also derives more than 50% of its gross revenue from the sale of personal data

In this way, Virginia, like California, diverges dramatically from GDPR, which applies across the board to any business, whether large or small, for-profit or nonprofit, that collects or processes EU/UK data subjects’ personal information. The analysis in Virginia will be based entirely on the volume of Virginia consumers’ personal information the business processes each year and/or whether it is in the business of selling Virginia consumers’ personal data. One additional and notable distinction from the CCPA is that “sale” is defined simply as an exchange of personal data for monetary consideration, whereas the CCPA’s definition also reaches exchanges for “other valuable consideration.”

  • Consumer-Facing Businesses Only; Not B2B: “Consumer” is defined in the bill as “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.” This definition excludes, for example, sole proprietors acting in their business capacity, and creates a large exclusion for companies that are large employers of Virginia residents but whose business does not involve the collection of consumer information.
  • Excludes Businesses Subject to Federal Privacy Schemes (like HIPAA or GLBA): The bill does a better job than the California legislation in clearly excluding businesses that are already subject to federal privacy legislation. For example, “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA) and financial institutions that are regulated by the Gramm-Leach-Bliley Act (GLBA) are excluded from the Virginia statute, as is protected health information that is regulated by HIPAA. It appears the drafters learned a lesson from California’s mistakes, which created confusion by excluding only data that was subject to these federal statutes, rather than the businesses themselves. This resulted in some businesses being subject to multiple privacy regimes simultaneously, because they held different “buckets” of personal information. Personal information regulated by the federal Fair Credit Reporting Act (FCRA) is similarly excluded.

If a Business is in scope, what new obligations does the statute impose?

The new law establishes, for the first time in Virginia, several principles which have long been recognized as best practices but have never before been formalized as legal obligations in the Commonwealth. They include:

  • Notice: Obligation to post a privacy notice and specific requirements for what must be included, including all intended purposes for use of the personal data.
  • Data Minimization: Obligation to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
  • Data Security: Obligation to maintain reasonable administrative, technical and physical data security practices.
  • Data Protection Assessments: Obligation of the business to undertake a formal “data protection assessment” of its data collection and processing activities that involve certain types of personal data or processing activities.
  • Consent to Process “Sensitive Data”: Obligation to obtain affirmative consent from the consumer before collecting or using sensitive data for any purpose. “Sensitive data” is defined as personal data:
    • Revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
    • Genetic or biometric data for use in uniquely identifying an individual
    • Personal data of a known child
    • Precise geolocation data
  • New Rights for Virginia Consumers: Obligation to facilitate the exercise of new rights by Virginia consumers, to know what personal data is held and for what purpose, to correct inaccuracies, to request deletion of personal data, to obtain a portable copy of the data for transfer through an automated means, to opt out of targeted advertising, certain profiling, and/or sale of personal data.
  • Contractual Control of Downstream Processors: Obligation to control third parties (like vendors) with whom personal data is shared, by including contractual provisions that limit the purposes for which the data will be used, allow for due diligence on data processes, require deletion upon request, obligate the processor to maintain confidentiality, and require the processor to flow down these obligations to downstream vendors and subcontractors.

More Detail on the Key Provisions:

  • Notice, in the Form of a Privacy Disclosure: The Act creates a legal obligation to publish an accessible, clear, and meaningful privacy notice, often called a “privacy policy”. While this has long been a best practice, it has not been required by law in Virginia. The Act specifies that the privacy notice must disclose, at a minimum:
    • The categories of personal data collected
    • The purpose for processing the personal data
    • How a consumer can exercise their rights with respect to their personal data (including how to appeal any decision by the business with respect thereto)
    • The categories of personal data that are shared with third parties, if any
    • The categories of third parties, if any, with whom the business shares personal data
    • Whether personal data is sold to third parties and how to opt out
    • Whether personal data is used for targeted advertising and how to opt out

Note that the bill requires businesses that use personal data for targeted advertising or that sell it, not only to disclose that they do so, but also to provide a mechanism for consumers to opt out of these uses, and the mechanism must be described in the privacy notice.

  • Data Minimization: Companies that fall within the scope of the law will be obligated to limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer in the privacy policy. This reflects two concepts:
    • That companies should only keep consumers’ personal data if it is used for current business purposes
    • Companies should not be using consumers’ personal data for purposes that were not disclosed to those consumers

The latter is a fundamental change and is particularly significant: in the past, the purposes for which data was used were entirely up to the business. Businesses had no obligation to disclose their purposes, nor any accountability for collecting data for one purpose and then using it for another, unless they made affirmative statements to the contrary in advertising, in which case a false advertising or unfair/deceptive trade practice claim might be valid. No longer will businesses be able to collect personal data ostensibly for one purpose but then keep it and use it for others or, worse, keep it for no good reason, exposing it to the risk of a data breach when it arguably should have been destroyed. For many large businesses with robust information governance programs this is old hat: do not keep data you do not need. For others, however, it may be the first time they have cause to consider what data they have and why. If there is no good purpose for retaining it, or if the only purposes are ones that were never disclosed to the consumer, then it cannot be retained under the new statute and should be destroyed.

  • Consent to Process Sensitive Data: The Act creates a two-tiered definition for personally identifiable information in Virginia. The Act defines “personal data” (the topic of the Act as a whole) as “any information that is linked or reasonably linkable to an identified or identifiable natural person” (excluding de-identified data or publicly available data). It then creates a special subset, “sensitive data,” which is defined as personal data:
    • Revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
    • Genetic or biometric data for use in uniquely identifying an individual
    • Personal data of a known child
    • Precise geolocation data
  • Data Security/Data Protection Assessments: The Act imposes a legal obligation on businesses in its scope to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” While this obligation is somewhat broad and vague, it has become a widely accepted standard and appears in GDPR and CCPA. The obligation to establish and maintain such data security practices is qualified by the requirement that they be “appropriate to the volume and nature of the personal data at issue.” In this way, the Act leaves room for the idea that one-size-fits-all data security does not exist.

The Act also requires that businesses undertake a formal data protection assessment of each of the following processing activities involving personal data:

    • Processing for purposes of “targeted advertising”[1]
    • The sale of personal data
    • Processing for purposes of profiling[2]
    • Processing of sensitive data
    • Any other processing activity that presents a “heightened risk of harm to consumers”

The data protection assessment must identify and weigh the benefits of the processing to the business, the consumer, other stakeholders and the public, against potential risks to the rights of the consumer. Mitigating safeguards employed by the business to reduce risk should be factored in. These assessments will be very fact-specific, and should consider the use of de-identified data, the reasonable expectations of the consumer, and the relationship between the controller and the consumer. The Attorney General may request copies of a business’ data protection assessments in the context of an investigation by the Attorney General into the business’ compliance with the Act. The Act specifies that these assessments are confidential and exempt from disclosure under the Virginia Freedom of Information Act (FOIA), and that producing an assessment to the Attorney General does not waive attorney-client privilege or work product protection. It seems likely that, for example, in the context of a data breach, the Attorney General’s office might use its investigative authority under the Act to evaluate the steps that the business previously took to assess risk and safeguard data. Notably, the assessments are only required for processing activities created or generated after the bill goes into effect on January 1, 2023, but companies are well-advised to begin these assessments now, so that if processes need to be revised before that date, they can start on a fresh note when the Act takes effect.

  • New Rights for Virginia Consumers: Virginia consumers will now have certain rights with respect to their personal information, much like those that EU/UK data subjects and California consumers enjoy. Subject to authentication of the consumer, Virginia consumers will have the following rights with respect to their personal information:
    • The Right to Know: Consumers will have the right to know whether or not a business is processing their personal information
    • The Right of Access: Consumers will have the right to access their personal information, and to obtain a copy of it in a readily usable format (to the extent “technically feasible”)
    • The Right to Correct Inaccuracies: Consumers may request that inaccuracies in their personal information be corrected by the business, taking into account the nature of the information itself and the purposes of the business’ processing of the consumer’s information
    • The Right to Data Portability: Consumers will have the right to obtain a copy of their data from the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller
    • The Right to Opt Out: Virginia consumers will have the right to opt out of several different uses of their personal information:
      • Targeted advertising
      • The sale of their personal information
      • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

Notably absent from this list, in contrast with CCPA, is the right to receive a list of the third parties to which personal data has been disclosed by the controller in the past 12 months. As this is one of CCPA’s more burdensome provisions, it is another example of the narrower, more business-friendly scope of the Virginia bill.

What is required of businesses who receive a request to exercise these rights? 

Businesses must develop processes to allow consumers to exercise their rights as outlined above. These provisions closely replicate the California requirements and will be easy for companies already in compliance with CCPA to implement.

    • 45 Days to Respond: Businesses that are subject to the statute must respond to requests by consumers to exercise these rights without “undue delay” and in all cases within 45 days of receipt, with an additional 45-day extension available if reasonably necessary for the business to comply. If a business needs the additional extension, it still must respond to the consumer during the first 45-day period and provide the reason for the delay.
    • Each Consumer is Entitled to Two Free Inquiries Annually: The business may charge a reasonable fee to cover administrative costs if requests are manifestly unfounded, excessive, or repetitive (beyond the two free annual requests).
    • Ability to Decline to Respond: In certain situations, such as if the business cannot authenticate the consumer’s identity, or if the data requested is not of a nature that is subject to the statute (like employment data), the business may decline to take the action requested by the consumer. In that case, the business must provide the reason for declining and instructions about how to appeal that decision, all within 45 days of receipt of the initial request from the consumer. Any appeal must be decided within 60 days of receipt, and the business must inform the consumer in writing of the action taken or not taken and the reasons for it. If the appeal is denied, the business must also provide a method (online if available, or otherwise) for the consumer to contact the Attorney General to submit a complaint.
  • Contractual Control of Downstream Processors: The Act enshrines the concept already incorporated into both GDPR and CCPA (as well as other state data security laws) that controllers are responsible for their vendors or other third parties (“processors”) with whom they share personal data. This has long been considered a best practice, but it is not something that every controller considers. The Act requires that there be a contract between any controller and processor, and that it include, at a minimum, provisions that address:
    • The type of personal data to be shared
    • Instructions detailing the processing to be done by the recipient of the personal data
    • The duration of the processing
    • A duty to maintain the confidentiality of the personal information by both parties
    • An obligation that the processor delete or return the data to the controller at the end of the services unless the processor is legally required to retain it
    • A right of the controller to assess the processor’s policies and its technical and organizational measures with respect to compliance with the Act (itself, or by using a designated assessor), and to receive a report on that assessment – effectively an audit/diligence provision; and
    • An obligation that the processor flow down these same obligations, by written contract, to any downstream vendors and subcontractors it engages

No longer can a contract for services involving personal data be handled with a simple purchase order. Companies subject to the Virginia Act will need to have standard contract language on hand to use with any vendor that will touch personal data.

Enforcement by the Attorney General/No Private Right of Action

The Virginia Attorney General will have investigative authority and the ability to impose civil penalties of up to $7,500 per violation. Much like CCPA, the Act creates a 30-day cure period for violations. If a controller who was notified by the Attorney General of a violation of the Act cures the violation and provides a written response to the Attorney General stating (i) that the violation has been cured and (ii) that no further violations shall occur, then no action will be initiated by the Attorney General’s office.

If, however, violations continue or recur after the 30 days, or if the controller breaches its express written statement to the Attorney General, then the Attorney General can initiate an action against the controller. Such action may involve injunctive relief and civil penalties of up to $7,500 for each violation of the Act. The Attorney General also has the right to recover expenses, including legal fees, incurred in such an investigation and action. All penalties, expenses and fees collected in this manner are to be put into a newly created fund, the “Consumer Privacy Fund,” which will support the Attorney General’s office in its work to enforce the Act.

Delayed Start/Interim Working Group

The Act is not scheduled to take effect until January 1, 2023. In addition to giving controllers time to prepare to comply, that delay will also give lawmakers an additional opportunity to hear from constituents and stakeholders about implications of the bill that they may not have anticipated. To that end, the Act itself dictates that the Chairman of the Joint Commission on Technology and Science shall create a work group to review the Act and consider the implications of implementation. That group is to be composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates. Notably absent from the work group are representatives of those businesses that will fall within the scope of the Act because they process the personal data of at least 25,000 Virginia consumers and derive more than 50% of their gross revenue from the sale of personal data. It is not clear if this is an oversight or an intentional exclusion. The Act requires the Chairman of the Joint Commission on Technology and Science to submit the work group’s findings, best practices, and recommendations regarding the implementation of the Act to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.

The Virginia Consumer Data Protection Act marks a significant milestone for the Commonwealth, putting Virginia among the ranks of the first few states in the U.S. to attempt to implement a framework for data processing and protection. It may well become a model for others, and, potentially, for federal legislation in the future.

[1] “Targeted advertising” is defined as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.” “Targeted advertising” does not include: (i) advertisements based on activities within a controller’s own websites or online applications; (ii) advertisements based on the context of a consumer’s current search query, visit to a website, or online application; (iii) advertisements directed to a consumer in response to the consumer’s request for information or feedback; or (iv) processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

[2] The assessment obligation applies to profiling that presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers.