On March 2, 2021, Virginia Governor Ralph Northam signed the Commonwealth’s first comprehensive data privacy law, the Consumer Data Protection Act. This makes Virginia the second state, after California, to do so. California’s Consumer Privacy Act (CCPA) amended by voter referendum in November of 2020 as the California Privacy Rights Act (CPRA) represented the first such data privacy law in the United States. The law will go into effect Jan. 1, 2023.
In general, data privacy in the United States is a patchwork quilt of federal, state and local laws and regulations that typically protect data based on the residence of the data subject, the type of data collected, the entity that has collected it, as well as whatever notices or consents the data subject may have agreed to. Thus, health information or financial information may or may not be protected from disclosure, depending on who has collected it and for what purpose. In Europe or other foreign jurisdictions, however, the approach to data privacy is more comprehensive. They assume that consumers have a general human right to data privacy, and they require entities that collect, store, process or use people’s personal information (and sensitive personal information like healthcare, financial, religion or political information) to state the nature of the information being collected. They also enforce that data is only to be used for the purpose it has been collected, and only if such collection is objectively reasonable. The approach adopted by California is generally in conformity with the European model, albeit, significantly less restrictive in Europe.
Virginia’s new law requires companies collecting data about Virginia residents to advise them of what data is being collected, and to provide them with a meaningful opportunity to “opt out” of having their data collected and sold. The law, like that in California and Europe, limits the authority of those within its ambit to collecting consumer data which is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” Once the data is collected, the company can only process the data for purposes that are “reasonably necessary” or “compatible with” the reasons that the entity told the consumer they were collecting the data. Although, other use or processing may be done with the consumer’s consent.
As with other general privacy laws, this law also gives Virginians the rights of transparency and data accuracy, to see what data has been collected and to have incorrect information deleted or corrected. This is similar to how people can access their credit reports and request correction of inaccurate information. The law also protects “data portability,” the right to download the data collected if this is reasonably technically feasible. Unlike the California law, the Virginia statute does not create a “private right of action,” but instead, empowers the Virginia Attorney General to prosecute violations as consumer protection violations. If the AG initiates an enforcement action, they must notify the data controller, who has 30 days to certify that the violation has been corrected or face fines of $7,500 per violation.
Unlike its California counterpart, the Virginia law only relates to companies that conduct business in Virginia, or produce products or services that are targeted to Virginia residents and that control or process the personal data of either (1) at least 100,000 consumers [during a calendar year]; or (2) at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data, which is twice the threshold for coverage than its California counterpart. This lacks the California “catchall” provision for high-revenue companies that don’t meet those personal data thresholds.
The Virginial law defines “consumer” to mean someone acting in their personal or “household” context, exempting employee or vendor data from privacy protection. Personal data is “sold” under the Virginia law when it is exchanged “for monetary compensation” and not, as in California, if it is exchanged for something other than money. The law also excludes from the definition of “sale” transfers to certain data processors, third party servicers, affiliates, or entities necessary to fulfill the consumer’s demands or requests.
Not protected, is information that the consumer has made available without restriction to the general public (via a mass media channel), or information that is lawfully available through federal, state, or local government records.
The Virginia law not only exempts “public” information, but also exempts personal data that is otherwise regulated by specific federal laws. These include educational records under FERPA, financial records under GLBA, credit reports under the Fair Credit Reporting Act, driver’s license information under the Driver’s Privacy Protection Act, and data protected under the Farm Credit Act, as well as certain specific employee and job applicant data. The Virginia law also exempts from its coverage certain entities. These include Virginia government entities, financial institutions regulated by GLBA, healthcare providers under HIPAA/HITECH, colleges and universities covered by FERPA and nonprofit institutions. Significantly, the entity exemptions exempt the described entities and not just the data that is otherwise protected by law.
In addition to the “opt out” on sharing provisions, the Virginia law also requires consumers to affirmatively “opt in” to the collection of certain types of “sensitive personal information” such as location data, genetic data or certain ethnic data.
Like other data privacy laws, the Virginia law requires companies covered to have reasonable data privacy policies and data security programs, including the following requirement:
- Companies must regularly conduct and effectively respond to “data protection assessments”
- They must ensure that they have agreements with third parties with which they share data that “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties”
- Companies are also required to have readable and understandable consumer personal data privacy policies, although the statute does not state how these must be disseminated.
While other states have laws that require notification of breaches or certain personal information – and states like Nevada and Maine require the protection of certain personal information – there is no comprehensive federal data protection law. Other states, like Washington, New Jersey, Utah, Minnesota, Illinois, Iowa, Maryland, New York and South Carolina are all considering privacy legislation.
From a regulatory perspective, this means that companies that do business in Virginia, or with Virginia residents, will have to develop comprehensive data protection regimes and engage in “data mapping” so they know exactly what data they have collected about consumers and where it was gathered from. They will also have to track how they are using it, with whom they are sharing it, how it is being protected and whether it is accurate. If they have obtained consent to collect the data through an online or other privacy policy, good practices dictate that they know precisely what they can and cannot do with the data. Finally, of course, if there is a stronger or more comprehensive data privacy law applicable to the data (including federal laws, or international laws) a data collector will have to comply with the stronger law.
While the new law was welcomed by companies like Amazon, which is opening a second corporate headquarters in northern Virginia, the “state-by-state” approach to regulating online data collection presents challenges to companies which have Customer Relationship Management programs or which collect personal data. Ultimately, a reasonable federal comprehensive data privacy law – and one which subsumes state laws – may prove less unwieldy for companies that do business across state lines. Until then, companies will have to keep abreast of various state privacy laws, and develop procedures for compliance with each.
If you have any questions regarding the Consumer Data Privacy Act or any of the subjects covered in this article, please contact Mark Rasch (mdr@kjk.com / 301.547.6925).
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.