Following California’s lead, Virginia enacts consumer data privacy law
This article is the first in a series providing insight and updates on the latest state data privacy legislation.
In what is expected to be a wave of states joining California in expanding data security protections for consumers and heightening requirements for businesses to protect consumer data, Virginia was the first state to enact a consumer data privacy law. The Virginia Consumer Data Privacy Act (VCDPA), signed into law by Virginia Gov. Ralph Northam on March 2, 2021, is set to become effective January 1, 2023.
Unlike the California Consumer Privacy Act (CCPA), the VCDPA does not create a private right of action for consumers, but the act does create a number of internal and external obligations for businesses that process Virginia resident data. Businesses need to pay close attention to the statute as it will take time to ensure that the correct processes, contracts, and assessments are in place. The VCDPA will apply to processing activities created or generated after January 1, 2021, but will not otherwise apply retroactively.
What businesses does the VCDPA apply to?
The VCDPA specifically applies to businesses that control or process personal data of at least 100,000 Virginia consumers, or that control or process personal data of at least 25,000 consumers and derive more than half of their gross revenue from the sale of personal data. A business that falls under these definitions is the “controller.” A controller does not have to be located or headquartered in Virginia to be subject to the law. An out-of-state business that collects data on Virginia residents may be required to comply. The VCDPA does not apply to:
- State agencies, boards, commissions, or political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities or business associates covered by HIPAA regulations
- Nonprofit organizations
- Institutions of higher education
Other exempt data under the VCDPA includes data covered by the Fair Credit Reporting Act (FCRA), Driver Privacy Protection Act (DPPA), the Federal Educational Rights and Privacy Act (FERPA), the Farm Credit Act, and the Children's Online Privacy Protection Act (COPPA).
What is the VCDPA definition of consumer?
Also important is the definition of “consumer.” A “consumer” is “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.”
Consumer rights under the VCDPA
Like the CCPA, the VCDPA creates personal rights for consumers. These rights allow a consumer to request that a business:
- Confirm whether or not a controller is processing the consumer's personal data.
- Correct inaccuracies in the consumer's personal data.
- Delete personal data provided by or obtained about the consumer.
- Provide a copy to the consumer of the consumer's personal data that the consumer previously provided to the controller.
- Opt the consumer out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
A controller is required to establish one or more secure and reliable means for consumers to submit a request to exercise their consumer rights. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.
A business is permitted to refuse to honor certain consumer requests under specific circumstances. Under the VCDPA a controller must also establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable amount of time. The process must:
- Be similar to the process for submitting requests.
- Inform the consumer within 60 days of receipt of an appeal in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.
- Provide the consumer with an online tool if available, or other method through which the consumer may contact the Attorney General to submit a complaint if their appeal is denied.
VCDPA requirements for businesses
Under the VCDPA, applicable businesses will need to take careful steps to:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or in the case of the processing of sensitive data concerning a child, without processing such data in accordance with COPPA. The VCDPA expands sensitive data to include data related to racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, and citizenship or immigration status.
The VCDPA requires applicable businesses to draft privacy notices; such notices are usually conveyed to consumers through a website privacy policy. A controller is required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data processed by the controller;
- The purpose for processing personal data;
- How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data.
Third party service provider requirements under VCDPA
Like the CCPA, the VCDPA recognizes that controllers will sometimes need to engage the services of third party service providers to assist in the processing of personal information. These third parties are called “processors.” The VCDPA requires a controller and processor to establish a contract that governs the processor’s data processing procedures with respect to the controller.
This contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall:
- Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
- At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter.
- Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures. The processor shall provide a report of such assessment to the controller upon request.
- Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
The VCDPA does not hold data controllers liable for the actions of processors if the third party committed the violation and the controller or processor lacked knowledge of the violation or the intent to commit the violation.
Under the VCDPA a controller must conduct and document a data protection assessment of each of the following processing activities involving personal data:
- Processing of personal data for purposes of targeted advertising;
- Sale of personal data;
- Processing of personal data for profiling;
- Processing of sensitive data; and
- Processing activities involving personal data that present a heightened risk of harm to consumers.
The VCDPA requires that data protection assessments be kept confidential and exempt from public inspection and copying under the Virginia Freedom of Information Act. The data protection assessment requirements shall apply to processing activities created or generated after January 1, 2021, and are not retroactive.
VCDPA safe harbors and limitations
The VCDPA includes some safe harbors and limitations, allowing processing of personal information to comply with laws, cooperate with law enforcement, defend legal claims, prevent security breaches, and engage in scientific research, among other purposes.
As noted, there is no private right of action under the VCDPA. The Virginia Attorney General will have exclusive authority to enforce the law. Prior to initiating any enforcement action, the AG shall provide a controller 30 days to cure the violation identified in the notice. The AG will not initiate an action for damages if the controller provides the AG with an express written statement that the alleged violations have been cured and that no further violations shall occur. Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation. The AG may also recover attorney’s fees.
The VCDPA creates a special nonreverting fund; all civil penalties collected pursuant to (this section) will be paid into the state treasury and credited to the Fund. Moneys in the Fund are intended to be used to support the Office of the Attorney General in enforcing this provision.