Update: The governor of Virginia has signed the CDPA into law. It will go into effect on January 1, 2023. The latest version of the law creates a working group that will be responsible for proposing changes and recommendations to the Virginia legislature. For an analysis on what the CDPA means for the privacy debate nationally, please review this article.
The long wait to see if any state would join California in passing a comprehensive privacy law is finally coming to an end, as the Virginia Senate passed the Virginia Consumer Data Protection Act (CDPA) on February 3. An identical version of the bill had already passed the Virginia House of Delegates on January 29, which means that reconciling the two versions of the bill before the February 11 deadline will likely be a mere formality. The bill will then be sent to the governor of Virginia for his signature. Should it be signed into law, the Virginia CDPA will go into effect on January 1, 2023, the same day as the California Privacy Rights Act (CPRA).
The CDPA borrows principles from the CPRA, the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) but also differs from all three in key respects. Below we have summarized the key provisions of the CDPA. We will continue to provide updates as the bill moves through the Virginia legislature.
- Applicability. The CDPA borrows from the CCPA in terms of using threshold requirements to determine applicability. The law applies to “persons that conduct business in [Virginia] or that produce products or services that are targeted to residents of [Virginia] and that: 1) during a calendar year, control or process personal data of at least 100,000 Virginia residents or 2) control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data.”
- Exemptions. Despite being labeled a “comprehensive” privacy law, the CDPA has a number of exemptions (much like the CCPA and CPRA). Some of these exemptions are similar to those in the CCPA and CPRA, but in some cases they are broader than those in the other two laws. For example, instead of only exempting information that is subject to the Gramm-Leach-Bliley Act (GLBA) or protected health information under the Health Information Portability and Accountability Act (HIPAA), the CDPA does not apply to “financial institutions . . . subject to [the GLBA]” or to any “covered entity or business associate governed by [HIPAA].” The law also exempts information subject to most other federal laws, such as information regulated by the Family Education and Privacy Act, the Fair Credit Reporting Act, the Farm Credit Act, the Children’s Online Privacy Protection Act (COPPA), and the Driver’s Privacy Protection Act.
- Controller/processer distinction. Like the GDPR (and unlike the CCPA, which distinguishes between “businesses” and “service providers”), the CDPA uses a controller/processor dichotomy to distinguish between entities that are responsible for determining the purposes and means of processing personal data and the entities that process personal information on their behalf. Like the GDPR, the CDPA creates specific obligations for both controllers and processors (and both can be held liable under the law).
- Broad definition of personal data. Similar to the other three privacy laws discussed, the CDPA has a broad definition of “personal data.” It defines the term as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition of personal data explicitly excludes publicly available information and de-identified data (and the law has specific standards for how businesses must treat de-identified data).
- Inclusion of sensitive data category. The CDPA has a separate category labeled “sensitive data” that is defined as 1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 2) genetic or biometric data (used for the purpose of identifying a natural person); 3) personal data collected from a child; or 4) precise geolocation data. Controllers may only process sensitive data with consumer consent (or with parental consent in accordance with COPPA, in the case of children’s data).
- Individual rights. Like all three laws previously discussed, the CDPA creates individual rights for Virginia residents that are protected under the law. These include 1) the right to access; 2) the right to amend; 3) the right to delete; 4) the right to data portability; and 5) the right to opt out of the processing of personal data for the purposes of targeted advertising, sale and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Data protection assessments. Like the GDPR and CPRA, the CDPA requires entities to conduct data protection assessments when processing data in certain contexts. Specifically, the CDPA requires a data protection assessment when a controller is 1) processing personal data for the purposes of targeted advertising; 2) selling personal data; 3) processing personal data for purposes of profiling (in certain contexts); 4) processing sensitive data; and 5) conducting any processing activity that presents a heightened risk of harm to consumers.
- Enforcement. Like the CCPA, the CDPA is enforceable through civil actions brought by the attorney general and also includes a 30-day cure provision. Penalties under the CDPA for both controllers and processors can be as high as $7,500 per violation. Unlike the CCPA, the CDPA does not have any private right of action, even for security incidents.