Virginia's Consumer Data Protection Act can apply to businesses located well outside of the state's borders. Learn how the law could affect your company.
In 2021, Virginia passed the Consumer Data Protection Act (CDPA), becoming the second U.S. state to enact a comprehensive data privacy law. Strongly influenced by the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the CDPA is a major piece of privacy legislation that also differs from both of those laws in a number of ways.
The CDPA goes into effect on January 1, 2023, giving businesses some time to familiarize themselves with their new legal responsibilities under the state law and decide on a compliance strategy. Here is a summary of the law’s major terms and concepts.
Though the CDPA borrows terms from the GDPR and the CCPA, it sometimes uses them in different ways. Here are some of the most important terms, as defined in the Virginia law.
Personal Data - Any information that is linked or reasonably associated to an identified or identifiable natural person; does not include de-identified data or publicly available information.
Consumer - A natural person who is a Virginia resident acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
Controller – A natural or legal entity that determines the purpose and means of processing data. This is a familiar term from the GDPR, and analogous to a “business” under the CCPA.
Processor – Natural or legal entity that processes personal data on behalf of a controller. Similar to a CCPA “service provider,” disclosure of personal data by a controller to a processor is not considered a sale.
Processing - Any operation or set of operations performed on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Targeted Advertising - Displaying advertisements to a consumer based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. Much like the amended CCPA’s “cross-context behavioral advertising,” this is treated in a similar manner to the selling of personal data.
When compared to the GDPR and CCPA, the Virginia law has a more limited scope. The CDPA applies to persons that (1) conduct business in Virginia or produce products and services that are targeted to Virginia residents, and (2) also do one of the following:
There is no revenue-floor provision in the CDPA, in contrast with the CCPA which has an additional category for any business with gross annual revenue in excess of $25 million.
The CDPA also identifies five categories of entities that are completely exempt:
There are also a number of exemptions for personal data that is processed pursuant to specified federal laws, such as HIPAA and the Fair Credit Reporting Act.
The CDPA establishes five personal data rights for consumers. These should all look familiar to anyone already well-versed in the GDPR or CCPA.
There is also, arguably, a sixth consumer right in the CDPA, and that is the right to non-discrimination for exercising their rights.
The CDPA creates a number of new legal responsibilities for businesses. Though we won’t set out all the requirements in exhaustive detail, we can describe some of the biggest changes that companies will have to make in order to become CDPA compliant.
First, businesses have a duty of transparency toward consumers. They must provide a “reasonably accessible, clear, and meaningful privacy notice” that covers such information as what data is being collected, for what purpose, who it is shared with, and how to exercise consumer rights. If the business sells personal data or processes it for targeted advertising, they must also “clearly and conspicuously” disclose this fact and inform consumers how to opt out.
Once a business has received an authenticated privacy request from a consumer (e.g., a request to delete personal data), businesses have 45 days to comply. This can be extended for another 45 days when reasonably necessary.
There are also some minimization requirements when it comes to collecting and using personal data. Businesses must limit personal data collection to what is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” They must also not process personal data “for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed,” unless they get the consumer’s consent.
Businesses must implement and maintain reasonable administrative, technical, and physical data security practices. What is considered reasonable will depend on the volume and nature of the personal data involved.
They cannot process “sensitive data” without first obtaining the consumer’s affirmative consent, or verified parental consent in the case of children under the age of 13. Sensitive data is defined as:
The last major requirement under the CDPA is that businesses must conduct and document “data protection assessments” for certain types of data practices, including the processing of personal data for targeted advertising, the processing of sensitive data, and any processing activities that present a heightened risk of harm to consumers. Data protection assessments must weigh the benefits and potential risks of these practices, consider the use of deidentified data, and more. These assessments are not public, but must be made available to the Virginia Attorney General upon request.
Businesses believed to be in non-compliance with the CDPA will receive a 30-day cure notice from the Attorney General’s office. If the business fixes any issues within that period, no further action is taken. If not, the Attorney General may seek an injunction and civil penalties of up to $7,500 per violation.
While the CDPA bears a strong resemblance to California’s CCPA, the two laws are not identical. Here are some of the most important differences that will affect both businesses and consumers.
Personal information from employees and job applicants is currently exempt from privacy requests under the CCPA, but businesses must disclose what information they are collecting and for what purpose. The exemption is temporary, which the California Privacy Rights Act (CPRA) extended until January 1, 2023. It is not clear whether it will be renewed, made permanent, or allowed to expire.
The CDPA, however, defines a consumer as someone acting in an individual or household context, not in an employment or commercial context. It also exempts personal data collected from job applicants. This means companies have neither a duty to disclose nor a duty to comply with privacy requests with regard to employees, applicants, and anyone acting in a B2B capacity. These exemptions are permanent.
Both the CDPA and the CCPA give consumers additional control over sensitive data, but each handles the issue a little differently. The CCPA defines sensitive personal information somewhat more broadly, and gives consumers the right to opt out of any use of that information beyond what is necessary.
While the CDPA categories of sensitive data are a little narrower, the Virginia law requires consumers’ affirmative consent before any processing, including collection. Once they have the consumer’s consent, however, this data is treated like all other personal information; i.e., there are no special opt-out rights in the CDPA for sensitive data.
The CCPA requires any business that sells consumers’ personal information to include a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their homepage. This requirement is one of the more unpopular provisions in the CCPA for businesses, due to worry about its negative effect on their brand.
It is not yet clear if the CDPA requires something like a “Do Not Sell” link. The statute doesn’t explicitly mention them, but it does state that if a business sells personal data or uses it for targeted advertising, it must “clearly and conspicuously” disclose this fact and inform consumers how to opt out.
The CCPA does not create a private right of action for violations of consumers’ privacy rights, but it does create one in the event of a data breach where business failed to implement and maintain reasonable security procedures. The inclusion of statutory damages of up to $750 per consumer has already led to class-action lawsuits.
While the CDPA imposes similar cybersecurity obligations on businesses, it does not create any private right of action. Enforcement is left entirely to the Virginia Attorney General.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.