On Tuesday, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (“CDPA”) into law, making Virginia the second U.S. state after California to pass a comprehensive data privacy law. Those familiar with the European Union General Data Protection Regulation (GDPR) will recognize terminology throughout the CDPA, mimicking many GDPR-defined terms, such as “controller”, “processor” and “personal data.” While not quite as expansive as the GDPR in every respect, the CDPA is a very broad-based privacy law that is on par with the California Consumer Privacy Act. Below, we break down some of its key elements.
To whom does the CDPA apply?
The CDPA applies to persons that conduct business in Virginia or produce products or services targeted to Virginia residents and that: (i) during a calendar year, control or process personal data of at least 100,000 consumers; or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Notably, “consumers” as used in the CDPA does not include individuals acting in a commercial or employment context. This is a key difference from the soon-to-be effective California Privacy Rights Act.
Are there exemptions?
Yes, there are several exemptions in the CDPA. For example, the CDPA does not apply to certain government organizations, nonprofits, certain educational institutions, and entities governed by certain other laws such as HIPAA or GLBA. It also does not apply to certain employment-related information, nor to information governed by certain federal laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Fair Credit Reporting Act (FCRA).
What rights do consumers have under the CDPA?
- Right to confirm whether or not their personal data is processed;
- Right to access their personal data;
- Right to correct their personal data;
- Right to deletion of their personal data;
- Right to portability of their personal data; and
- Right to opt out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
What are a business’ obligations to consumers?
- Respond to consumer requests under the CDPA within 45 days of receipt (may be extended an additional 45 days in certain circumstances)
- Provide required information to consumers free of charge, up to twice per year
- Authenticate requests using commercially reasonable efforts
- Establish a process for consumers to appeal any refusal to take action on a consumer request
Are businesses required to provide notices to consumers?
- Businesses must conspicuously disclose any sale of personal data or processing of personal data for targeted advertising (and how to opt out of such disclosure or processing)
What other obligations do businesses have?
- Conduct and document data protection assessments, which include extensive requirements and an obligation to provide such assessments to the Attorney General upon request
- Practice data minimization: limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer
- Process personal data only for disclosed purposes, or purposes compatible with such disclosures
- Establish, implement, and maintain data security practices
- Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers
- Not discriminate against a consumer for exercising any consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to consumers
- Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act
Are vendors/data processors impacted?
Yes, vendors that are data processors have direct obligations under the CDPA, such as adhering to instructions from data controllers, assisting data controllers with their own compliance obligations, assisting data controllers with data protection assessments, and flowing down the required obligations to their subcontractors.
The CDPA also contains specific requirements that must be included in data processing agreements between data controllers and data processors.
Is there a private right of action?
Although this issue was hotly debated, the CDPA does not provide for a private right of action and is enforced exclusively by the Attorney General.
What are the fines and penalties for violation of the CDPA?
Civil penalties up to $7500 per violation, injunctive relief, and recoupment of investigation and case preparation expenses, including attorney fees, incurred by the Attorney General.
When does the CDPA become effective?
January 1, 2023.