Virginia joins California in regulating consumer information: Virginia enacts the Consumer Data Protection Act

On March 2, 2021, Governor Ralph Northam of Virginia signed the Consumer Data Protection Act ("CDPA") into law, after it passed both houses of the legislature with overwhelming support.  This new legislation is set to take effect on January 1, 2023, and extends consumer data protections and business obligations that are quite similar to the California Consumer Privacy Act ("CCPA") and the upcoming California Privacy Rights Act ("CPRA").

Who does the CDPA apply to?

The CDPA imposes certain transparency and disclosure obligations on persons who either: 

• conduct business in Virginia; or 
• produce products or services that are targeted to the residents of Virginia; 

and that 

• control or process personal data of at least 100,000 Virginia residents a year; or 
• control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of their gross revenue from the sale of personal data.

What does the CDPA apply to?

The CDPA applies to "Personal Data." Personal Data is defined as "any information that is linked or reasonably linkable to an identified or identifiable natural person" and, notably, does not include publicly available information or de-identified information. Notably, the CDPA’s definition of consumer exempts natural persons acting in a commercial or employment context.

The CDPA refers to the persons who control the purpose and means of processing personal data as "controllers" and requires them to:

• limit the collection of personal data to what is adequate and reasonably necessary to achieve the purposes for which it was collected and disclosed to the consumer;
• establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data consistent with the type and volume of such data;
• provide consumers with a clear and meaningful privacy notice that outlines i) the categories of personal data processed by the controller; ii) the purpose of processing; iii) how to exercise their rights provided by the CDPA; iv) categories of data shared with third parties; and v) the categories of third parties in which data is shared;
• conspicuously disclose if it sells consumer data and provide the manner in which a consumer may opt-out; and
• obtain consumer consent before processing sensitive data by a clear affirmative act that is freely given, specific, and informed.¹

The CDPA refers to those person who process personal data on behalf of controllers as "processors".  Data processors are required to adhere to the contractual obligations set by the data controller pertaining to consumer privacy as well as cooperate with the data controller to comply with its obligations under the CDPA.

Who does the CDPA protect?

The CDPA grants Virginia residents ("consumers") certain access and control rights concerning their personal data. Specifically, the CDPA allows consumers to submit verified requests to data controllers to: (1) confirm whether it is processing the consumer’s data and provide access to their data; (2) correct inaccuracies in the consumer’s personal data; (3) delete personal data provided by the consumer; (4) provide the consumer with a copy of their data in a portable manner if feasible; and (5) allow the consumers the opportunity to opt-out of their data being processed for targeted advertising, the selling of their data, and profiling. Like the CCPA, data controllers must respond to a verified consumer’s request within 45 days and are required to provide one or more secure methods for consumers to submit a request to exercise these rights.

Key aspects of the CDPA

• The CDPA permits consumers to opt-out of the processing of personal data for 1) targeted advertising; 2) the sale of personal data; or 3) profiling. These rights exceed those granted under the CCPA, although they are more consistent with the CPRA. Overall, the CDPA provides consumers with more control over the use of their personal data by third parties.
• Similar to the CPRA, the CDPA requires controllers to conduct and document data protection assessments. Under the CDPA, the data protection assessments must weigh the direct and indirect benefits to the controller, consumer, and the public against the potential risks of processing personal data. The data protection assessments focus specifically on the processing of personal data for targeted advertising, selling personal data of consumers, the processing of data for profiling that may harm consumers, and the processing of sensitive data. Notably, the Attorney General may request that a data controller produce any data protection assessment it has conducted in order to evaluate it for compliance.
• Also similar to the CPRA, the CDPA requires businesses to enter into and maintain written contracts with data processors that govern how the processor processes data on behalf of the data controller.  Specifically, the contract must include the purpose and duration of processing, type of data being processed, and the rights and obligations of each party. Additionally, the processor must be contractually required to maintain confidentiality, delete or return personal data at termination, and cooperate with the controller in meeting its obligations under the CDPA.
• The CDPA limits enforcement authority to the Virginia Attorney General, and does not provide a private right of action. The CDPA provides a 30-day cure period for alleged violations and a court may impose penalties up to $7,500 for continuous violations and provide injunctive relief.
• Finally, the CDPA exempts governmental entities, non-profit organizations, institutions of higher education, financial institutions subject to the Gramm Leach Bliley Act (GLBA), entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), data collected under the Fair Credit Reporting Act (FCRA), and educational data subject to Family Educational Rights and Privacy Act (FERPA).  In addition, data controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (COPPA) will be deemed to be in compliance with any obligation to obtain parental consent under the CDPA.

CDPA compliance checklist

Businesses operating in Virginia should consider the following framework in assessing compliance obligations under the CDPA.

Confirm That Your Business is Subject to the CDPA.  Entities must determine whether they meet the jurisdictional threshold of the CDPA, which, unlike the CCPA, does not impose revenue requirements.

Revise Privacy Policies.  Revise privacy policies to properly reflect its personal data processing activities, communicate the new rights available to consumers, and identify the mechanisms implemented for consumers to exercise those rights.

Implement "Reasonable Security."  Assess cybersecurity policies, practices and controls to ensure they are consistent with industry-recognized standards.

Conduct Data Protection Assessments.  Businesses will need to conduct data protection assessments that evaluate how the business processes, sells and uses personal data. Importantly, they should consider the risk involved in such processing.

Enable Consumer Opt-Out of Sale of Personal Information (when applicable). Create a separate web page to enable Virginia residents to exercise their opt-out rights to the extent the business sells their personal data, or uses it for targeted advertising or for profiling purposes.

Implement Consent Mechanism for Collecting Sensitive Information.  Businesses who collect sensitive data from consumers must first obtain consent. Although the CDPA is unclear on what constitutes adequate consent, businesses should nevertheless proactively develop opt-in mechanisms evidencing consumer consent before the collection of sensitive data.

Facilitate Receipt of and Response to Consumer Requests. Develop mechanisms for accepting, tracking, verifying, and honoring consumer requests to exercise their access, correction, deletion, and opt-out rights under the CDPA.

Implement Training Program. Ensure employees who are responsible for handling consumer inquiries understand and are trained to handle those requests in a timely and consistent manner that is ultimately compliant with the CDPA.

While the CDPA may differ in many ways from the CCPA, the similarities between the CDPA and CCPA should give businesses subject to both laws a head start on compliance with the new act’s requirements. Privacy policy disclosures, opt-out requirements and consumer request mechanisms instituted under the CCPA can be extended and expanded to cover the CDPA. As such, businesses subject to the CDPA will be able to leverage their existing policies, practices, and measures in coming into compliance before the January 1, 2023 deadline. White & Case LLP has a team of highly experienced, global cybersecurity, data privacy and technology attorneys who can help clients prepare its compliance obligations under the CDPA. Please reach out to any of the authors of this alert if you have questions about the steps your organization can take in this complex technical and legal environment.

_{1 Sensitive data includes data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; personal data collected from a child; genetic or biometric data; or precise geolocation data}.  

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2021 White & Case LLP}