Virginia Becomes Second State to Pass Consumer Data Privacy Law

Written by Dani Alexis Ryskamp, J.D.
Updated on April 5, 2021

Virginia recently became the second state in the U.S. to pass a comprehensive data privacy law, following the lead of the California Consumer Privacy Act of 2018 (CCPA). The Virginia Consumer Data Protection Act (CDPA) passed both houses of Virginia’s state legislature on February 5, 2021, and was signed into law by Governor Ralph Northam on March 2, 2021. Virginia’s CDPA will take effect January 1, 2023, the same day as California’s expanded version of its privacy law.

Key Definitions in the CDPA

Virginia’s CDPA covers “persons” that do business in Virginia or produce products or services offered to Virginia residents and that “control or process” personal data. To be covered by the CDPA, such an entity must, during a calendar year, “control or process” either:

  • The personal data of at least 100,000 Virginia residents
  • The personal data of at least 25,000 Virginia residents, if the entity derives over half its gross revenue from the sale of personal data

Several categories of organizations and data are exempt from the law. These include regulated financial institutions, health care entities, human subjects research, consumer credit reporting, and educational and employment data. Not-for-profit organizations and institutions of higher education are fully exempted as well.

The protected data belongs to “consumers,” a definition that does not include individuals acting in a commercial or employment context. Further, the legislation defines “personal data” broadly, including within its scope all information that is “linked or reasonably linkable to an identified or identifiable natural person.” If information is publicly available, it is not considered “personal data” for the purposes of the CDPA. Likewise, de-identified data is not considered “personal data,” because it cannot be linked to any one person or device that person owns or uses. However, de-identified data must be handled according to certain safeguards in order to prevent it from becoming re-identifiable.

The CDPA also covers biometric data, which it defines similarly to the biometric privacy law enacted in Washington. Both definitions, for example, exclude photos, video, and audio recordings from their definitions of biometric data. Biometric data processed to uniquely identify a person is treated as “sensitive data,” and entities processing sensitive data must obtain the consumer’s consent for that processing. Under the CDPA, any entity that complies with the federal Children’s Online Privacy Protection Act (COPPA) in seeking verifiable parental consent will be considered compliant under the CDPA when handling information regarding children under age 13.

Consumer Rights Under the CDPA

Consumers gain several enumerated rights under the new Virginia law, among them the rights of access, correction, deletion, and portability of their own personal data. They may also opt out of targeted advertising, the sale of their data, and “profiling in furtherance of decisions that produce significant effects.” Covered entities are not, however, required to allow consumers to opt out of data use that is “solely for measuring or reporting advertising performance, reach, or frequency.”

The CDPA gives covered entities 45 days to respond to consumer rights requests, which may be extended once by a further 45 days “when reasonably necessary.” The law also names several circumstances in which an entity is not required to comply with such a request, such as when compliance would be “unreasonably burdensome.”

What Businesses Can Expect from the CDPA

The CDPA offers broader carve-outs for the entities it addresses than does California’s CCPA. For example, businesses already covered by one or more existing privacy regimes may find they do not need to respond to the demands of the CDPA as well: it exempts data that is already regulated by certain listed federal laws, including HIPAA, GLBA, FCRA, FERPA, and COPPA.

Where the Virginia and California laws are similar is in their use of threshold requirements to determine which businesses are covered. California’s law, however, contains a standalone revenue threshold, automatically covering any business with $25 million or more in annual gross revenue. Virginia’s legislation contains no such threshold; it applies solely to entities that handle personal data at the volumes stated in the law. As such, it is likely to apply to fewer organizations than the California law does.

Finally, Virginia’s CDPA defines “consumer” more narrowly than either the CCPA or its revised and expanded successor, the California Privacy Rights Act (CPRA): the CDPA excludes people acting in a commercial or employment context. Again, this narrower definition means the Virginia law will likely affect fewer businesses than California’s law will.

Consumer data privacy has been a topic of contention for several years, brought into the spotlight by legislation like the European Union’s General Data Protection Regulation (GDPR). As additional states address consumer data privacy in their own ways, the patchwork of legal requirements for businesses engaged in interstate or international commerce will likely grow more complex.
