U.S.: Virginia enacts comprehensive privacy legislation

Governor Ralph Northam of Virginia signed into law this month the Virginia Consumer Data Protection Act (“VCDPA”).

Virginia is the second state to enact comprehensive privacy legislation, following California’s lead with its Consumer Privacy Rights Act (“CPRA”) that followed a ballot measure to build on the California Consumer Privacy Act (“CCPA”) in November 2020. Notably, both the Virginia and California laws will come into effect at the same time in January 2023.

Virginia’s legislation reflects a growing trend of states taking the lead in seeking to enact privacy legislation. The VCDPA will require institutions and entities subject to the law to closely monitor their data and privacy practices to ensure compliance with the heightened obligations outlined under the new law. After providing a business 30 days to cure an alleged violation, the Virginia Attorney General may seek injunctive relief and civil penalties up to $7,500 per violation.

Applicability of the VCDPA

The VCDPA will apply to companies that have business operations in Virginia, target their products and services to Virginia residents, and that either:

• control or process personal data of at least 100,000 Virginia residents, or
• control or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.

The VCDPA will apply extraterritorially like the CPRA in this regard. It applies broadly to businesses that “control or process” personal data, compared with the CPRA, which applies to businesses that buy, sell, or share personal data of 100,000 or more consumers or households.  The law exempts healthcare and creditworthiness data and provides Virginia consumers with the right to ask for a copy of their data, request deletion of such personal data, and opt-out of the sale and processing of their personal information when used for targeted advertising.

The VCDPA permits Virginians to consent to processing of “sensitive data” and to appeal denials pertaining to these requests. The definition of “consumers” means Virginia residents (in an individual or household context) and excludes persons acting in a commercial or employment context. To this extent, the VCDPA is similar to the California laws as further discussed below.

Similarities between VCDPA and CCPA

• Data Protection Assessments: The VCDPA requires entities that process certain personal data to conduct periodic data protection assessments, similar to the CCPA.
• Contract requirements: The VCDPA requires covered businesses to enter into specific contracts with third-party processors like the CCPA does. This includes any service providers or third parties to which personal data is transferred.
• Individual rights: The VCDPA lists specific individual rights like the CCPA that includes rights, such as access, deletion, portability and the ability to opt out of the “sale” of one’s data. The VCDPA goes a step further and adds additional rights as well (listed below).

Differences between VCDPA and CCPA

• Terminology: The VCDPA uses the term “controller” to describe natural persons or entities that are covered by the legislation. For the purposes of the VCDPA, a “controller” refers to the natural person or legal entity that determines the purpose and means of processing personal data. Notably, the reference to a “controller” is similar to the terminology of a controller and a processor as used in the EU’s General Data Protection Regulation (“GDPR”). The term “controller”, however, is not used in the CPRA, which instead refers to “businesses”, “service providers” and “third parties”.
• Monetary threshold: The VDPCA differs from the CCPA/CPRA in several key respects. The VDPCA does not impose a monetary threshold for companies to comply with its provisions unlike the CPRA, which applies to companies with annual gross revenue of US$25 million, among other applicability guidelines. The VCDPA’s guidelines have the potential to be more expansive without this monetary threshold.
• Individual Rights (private right of action): The VCDPA also expressly prohibits a private right of action, with only the State Attorney General permitted to bring suit under the act. Virginia’s State Attorney General will create a new office to enforce compliance with the VCDPA with an annual budget of US$400,000. The CPRA, in contrast, would not only allow private rights of action, but also would allow consumers to sue for breach of data under California’s breach notification laws, breach of email addresses, passwords and security questions and other confidential information. Currently, the CCPA, does not allow for private rights of action for violations of the CCPA, but does allow consumers to bring suit if they are victims of a data breach pursuant to California’s data breach notification laws.
• Exemptions: The VCDPA’s approach to exemptions is distinct from that of the CCPA. The VCDPA exempts certain businesses themselves, rather than certain specified categories of data from the law’s application. For instance, the VCDPA exempts financial services companies that already must comply with the Gramm-Leach-Bliley Act (“GLBA”) and healthcare and other companies that must comply with Health Insurance Portability and Accountability Act (“HIPAA”). In contrast, the CCPA exempts GLBA-protected personal data that is collected, processed or disclosed pursuant to the GLBA, but unlike the VCDPA, financial services companies covered by the GLBA remain subject to the CCPA when they engage in other data-sharing activities outside the scope of the GLBA, such as collecting personal data about consumers via their website using website cookies. Similarly, while protected health information held by HIPAA-covered entities is exempt from the CCPA, HIPAA-covered entities must still comply with obligations for de-identified patient information under the CCPA, for example.

Recommendations

Compliance with the CCPA – and even the GDPR – will not necessarily amount to compliance with the VCDPA. An in-depth assessment of the additional requirements that VCDPA imposes on your organization is recommended since the legislation has distinct features and requirements. While the legislation is not effective until 2023, a close look at how the legislation will impact your particular business is necessary to ensure full compliance by that date.

Building on the CCPA and CPRA, the VCDPA demonstrates an emerging trend in US data protection law, which other states may soon follow.  Businesses will likely implement the VCDPA’s requirements as another benchmark in US data privacy. 

We will continue to monitor developments and our team is available to discuss these issues further.