From West to East: Virginia Passes Consumer Data Protection Similar to the CCPA
Following in the footsteps of California, Virginia has now become the second state to enact a data privacy law that establishes a comprehensive framework governing the collection, use, and disclosure of the data of its residents.
The legislation, named the Virginia Consumer Data Protection Act (the “CDPA”), was passed by the commonwealth’s House and Senate earlier this year and was signed into law by Virginia’s governor, Ralph Northam, on March 2, 2021. The law is scheduled to take effect in January 2023.
The CDPA, when effective, will impose obligations on (1) businesses operating in Virginia and (2) on businesses that "produce products or services that are targeted to residents of Virginia" and that (i) control or process the personal information of at least 100,000 Virginia residents per year, or (ii) control or process the data of at least 25,000 Virginia residents per year and derive 50% or more of their gross revenue from the sale of personal data.
The CDPA will borrow many of the consumer rights and compliance obligations enumerated in the California Consumer Privacy Act of 2018 (the “CCPA”) and California Consumer Privacy Act (the “CPRA”). For example, the CDPA provides Virginia residents the right to opt out of the sale of their personal information along with rights to access, correct, and delete their personal information. Similarly, a data “controller”—the natural or legal person that determines the purpose and means of processing personal data—will have 45 days to respond to a consumer request. However, if the controller provides the consumer notice, the controller may extend the period to respond for an additional 45 days. Virginia consumers—natural persons who are Virginia residents acting only in an individual or household context—will also have the right to appeal if a controller refuses a consumer request.
The CDPA, however, contains far broader exceptions than the CCPA/CPRA. Educational institutions, local governmental agencies, and non-profits are all exempt from CDPA compliance. Likewise, HIPAA covered entities and business associates, along with financial institutions or personal information subject to the Gramm-Leach Bliley Act (and related regulations) are also exempt.
The CDPA has also incorporated several aspects that are reminiscent of the EU’s General Data Protection Regulation (“GDPR”). The CDPA adopts the terminology of “processors” and “controllers”—providing that controllers undertake data protection assessments for certain types of processing (akin to GDPR’s Article 35 Data Protection Impact Assessment requirements). Likewise, controllers must contract with their processors to clearly define their role in processing data. The CDPA also levies compliance obligations on regulated businesses, requiring that controllers limit their collection of data to what is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed” (i.e., data minimization), along with mandating use limitations and requirements for data security.
Unlike the CCPA, Virginia’s CDPA does not provide for a private right of action in the event of a data breach. Overall, enforcement falls solely to the Virginia attorney general. If the attorney general launches an enforcement inquiry, it must notify the controller, which then has 30 days to cure the violation and provide the attorney general with an "express written statement that the alleged violations have been cured and that no further violations shall occur." If the controller fails to cure the violation, the attorney general may fine them up to $7,500 per violation.
Although at least 18 state legislatures have proposed some form of data privacy legislation this year, Virginia managed to push through the CDPA. Most other comprehensive state privacy legislation is either held up in various committees or has died in the legislative process. Eyes are now on Washington for its Washington Privacy Act 2021, which has been reintroduced by Senator Carlyle as a follow-up to similar (though failed) 2020 bills in Washington State. New Jersey, similarly, has legislation akin to the CCPA (A4640 & S3153) pending in various Assembly and Senate committees.
The CDPA sets up 2023 as a significant moment for privacy law compliance, as both the CPRA and CDPA are scheduled to take effect on January 1 (the regulations under the CPRA are to be promulgated by July 1, 2022). Businesses which currently have CCPA and GDPR compliance programs in place will need to review their compliance programs to adapt to the new requirements under CPRA and the CDPA. For those businesses who have not begun compliance efforts with GDPR, the CCPA or the CPRA—the CDPA will be a tall order.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.