On March 2, 2021, Virginia passed the Consumer Data Protection Act (CDPA). The CDPA imposes obligations on businesses handling the Personal Data of Virginia consumers and goes into effect on January 1, 2023. Virginia follows in the footsteps of California, which implemented the California Consumer Privacy Act (CCPA) in January of 2020.
Who Does the CDPA Apply To?
The CDPA applies to entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either: (1) control or process the Personal Data of at least 100,000 consumers during a calendar year; or (2) control or process the Personal Data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of Personal Data.
Like the CCPA, the CDPA defines the term “Personal Data” broadly to include “any information that is linked or reasonably linkable to an identified or identifiable person,” with exceptions for certain types of data governed by federal law, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
Importantly, “consumer” is defined as “a natural person who is a resident of the Commonwealth acting only in an individual or household context,” and expressly excludes “a natural person acting in a commercial or employment context.” This means that controlling or processing Personal Data in the business-to-business or employment context falls outside the scope of the CDPA.
Like the CCPA, the CDPA contains regulations regarding the sale of Personal Data, but the CDPA defines the term “sale” much more narrowly than the CCPA. Under the CDPA, a “sale” means “the exchange of personal data for monetary consideration by the controller to a third party.” This means that exchanges for other valuable consideration would not be considered a sale under the CDPA, unlike under the CCPA.
What Does It Mean for Your Business?
If your business is subject to the CDPA, you are required to provide Virginia residents with additional rights in connection with their data that are similar to those that people have under the General Data Protection Regulation (GDPR) and the CCPA. Virginia consumers are provided with six main rights under the new regulation:
- The right to confirm whether or not their Personal Data is processed;
- The right to access their Personal Data;
- The right to correct their Personal Data;
- The right to delete their Personal Data;
- The right to data portability; and
- The right to opt out of the processing of their Personal Data for purposes of (1) targeted advertising; (2) the sale of Personal Data; or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Obligations of Controllers and Processors
- Processors: like the GDPR, the CDPA requires that processors who process data on behalf of a controller be governed by a data processing agreement (“DPA”). The CDPA lays out the specific provisions that must be included in a DPA, including the nature and purpose of processing, the type of Personal Data being processed, and the rights and obligations of both parties, just to name a few.
- Controllers: the CDPA requires controllers to conduct “data protection assessments” for specific processing activities involving Personal Data. These activities include targeted advertising, the sale of Personal Data, profiling, the processing of sensitive data, and any processing that presents a heightened risk of harm to consumers. A data protection assessment considers the risks associated with the processing activity and weighs those risks against consumer rights. The CDPA also requires controllers to provide consumers with a privacy notice that contains specific disclosures, including the categories of Personal Data processed by the controller, the purpose for processing Personal Data, the categories of Personal Data that the controller shares with third parties, if any, the categories of third parties, if any, with whom the controller shares Personal Data, and how consumers can exercise their rights.
While there is no private right of action made available under the law, the Virginia Attorney General can seek injunctive relief and bring an action for damages of up to $7,500 per violation. Fortunately, the CDPA does provide businesses that are found to be in violation with a 30-day period to cure before penalties are imposed.
Following the implementation of the GDPR and the CCPA, the United States is seeing an influx of states pushing for privacy legislation. Washington State has introduced the Washington Privacy Act for the third time this session, which would provide many of the same rights granted to Virginia and California residents. As it becomes more difficult to comply with state-by-state legislation, the prospect of a federal privacy law seems increasingly likely.