The Virginia Consumer Data Protection Act (CDPA): applying learning from California and the EU
At a glance
The United States does not yet have a federal privacy law, but, led by California, more states are passing their own. Virginia was the second state to enact consumer privacy legislation, followed by Colorado. We can already see how technology, global business and the law continue to evolve together. Virginia’s law is clearly influenced by California and the European Union, and it will be interesting to see how the CDPA influences other states in turn.
Introduction to the CDPA
The Virginia Consumer Data Protection Act (“CDPA” or the “Act”) was signed into law in March 2021 and takes effect on January 1st, 2023, the same day as California’s Privacy Rights Act (CPRA). The abbreviation VCDPA is also sometimes used.
Virginia was the second state after California to enact a state-wide privacy law. It takes some influence from California’s CPRA and the earlier California Consumer Privacy Act (CCPA) – for simplicity we’ll refer to the CCPA and CPRA together as the “California laws” – as well as from the European Union’s General Data Protection Regulation (GDPR), but it is by no means a “copycat” law.
Who is affected by the CDPA and how
The CDPA affects companies that conduct business in Virginia, or that produce products or services targeted to residents of Virginia. So, as with the California laws, a company does not have to be headquartered in the state to be affected.
The Act includes fair information practice principles (FIPPs). Foremost among these is to have a specific, disclosed purpose for collecting personal data, and limiting collection of that data to what is reasonably necessary to fulfill that purpose. It also imposes limitations on use and prohibits processing that isn’t reasonably necessary or compatible with the purposes that have been communicated to consumers.
Companies need to provide notice to consumers, and must obtain consent (“a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement”) before processing sensitive personal data, and before processing any personal data for a purpose that is neither reasonably necessary to nor compatible with the purpose(s) originally disclosed. These consent requirements are similar to those of the GDPR and rule out, in effect, “pre-checked” boxes.
Companies also need to maintain reasonable security practices to protect the “confidentiality, integrity, and accessibility of personal data”, scaled to the volume and nature of the data they process.
What is the CDPA?
The CDPA is a state-level law that protects personal data belonging to consumers who are residents of Virginia. “Consumer” in this context means a natural person acting only in an individual or household context. Unlike the CPRA, the Virginia Act does not cover a natural person acting in a commercial or employment context.
A for-profit entity subject to the CDPA that decides how and why data is processed is referred to as a “Controller”, a term borrowed from the GDPR, meaning:
“…the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.”
Another key definition in the CDPA is that of “Processing”, also used in the GDPR, which refers to whatever is being done with or to consumers’ data:
“…any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
The CDPA governs the processing of consumers’ data, including consumers’ requests and consent regarding its use. “Controller” and “processor” are also the GDPR’s terms; the California laws instead speak of “businesses” and “service providers”.
Definitions and use of data under the CDPA
All current privacy laws have broadly consistent definitions of what constitutes personal data or information, but there are a number of variations at the granular level. See Personally Identifiable Information (PII) vs. Personal Data – What’s the difference? There is also the distinction between linked and linkable personal information, which turns on how many combined data points are needed to establish an individual’s identity.
Some laws, like the upcoming CPRA, further define “sensitive personal data”. Such data can usually establish identity from a single data point, or, because of its nature, can more easily be used to harm an individual if it is stolen or misused.
What is defined as sensitive data under the CDPA?
The CDPA does define sensitive data, and applies the definition to the following categories of personal data:
- Collected from a known child under the age of 13 (consent to process this data must come from the parent or guardian)
- Genetic or biometric data, if processed for the purpose of identifying an individual
- Precise geolocation data (data that locates an individual to within a radius of 1,750 feet)
- Personal data that reveals any of:
- citizenship or immigration status
- racial or ethnic origin
- religious beliefs
- sexual orientation or activities
- health diagnosis (mental or physical)
What is defined as the sale of personal data under the CDPA?
As a reminder of scope, the CDPA applies to companies doing business in Virginia that either (i) control or process the personal data of at least 100,000 consumers in a calendar year, or (ii) control or process the personal data of 25,000 or more consumers and derive over 50 percent of their gross revenue from the sale of personal data.
“Sale” is defined as “the exchange of personal data for monetary consideration by the controller to a third party”, which still leaves some room for interpretation. This is similar to how sale is defined in Nevada’s internet privacy law, and is clearer than the definition in the California laws, which also covers exchanges for other valuable consideration.
There are transactions that are not categorized as sales, however, including the following disclosures of personal data:
- To a processor working on behalf of the controller
- To a third party as part of a merger, acquisition, bankruptcy, or other transaction
- To a third party to provide a product or service that the consumer has requested
- To an affiliate of the controller
- That the consumer intentionally made available to the general public through a channel of mass media without restricting it to a specific audience (e.g. a public social media post)
How does the CDPA affect consumers?
The CDPA gives consumers several key rights:
- To inquire if a controller is processing their personal data, and receive confirmation if it is
- To receive access to their personal data, provided by the controller, if it is being processed
- To request and receive a copy of their personal data in a portable and readily usable format, subject to “reasonableness” limits on the volume and frequency of requests
- To not be discriminated against by the controller for exercising any of these rights
- To correct inaccuracies in their data
- To have personal data deleted upon request, if it was provided by the consumer or was obtained about them
- To opt out of having their data processed for the purposes of:
- targeted advertising
- profiling for decisions that would affect the consumer in a legal or similarly significant way
One interesting omission is that under the CDPA consumers do not have to be separately or explicitly notified at the point of collection (unless the data is classified as “sensitive”, where consent is required), which differs from the California laws. Most of the expected disclosures are instead found in the privacy notice that controllers are required to publish.
Under the CDPA there is also no private right of action, unlike the California laws and the GDPR. This means that consumers cannot sue controllers for alleged violations of the Act. Complaints must be directed to the Virginia Attorney General, who has exclusive authority to investigate alleged violations and enforce the law.
How does the CDPA affect businesses?
Most broadly, the CDPA affects for-profit companies doing business in Virginia, or producing products and services for consumers who are Virginia residents, if they:
- Control or process personal data of 100,000 or more consumers during a calendar year, or
- Control or process personal data of 25,000 or more consumers and derive over 50 percent of their gross revenue from the sale of that personal data
These requirements differ from the California laws in that:
- A company’s gross annual revenue is not a criterion on its own
- Gross revenue from the sale of personal data is tied to a threshold number of consumers
Violations of the CDPA can result in civil penalties of up to $7,500 per violation, levied by the Virginia Attorney General. This is in line with the upper end of penalties under the California laws, though potentially much less than the fines available under the GDPR, which can reach 20 million Euros or four percent of annual worldwide turnover, whichever is higher.
Before penalties can be levied, the Attorney General must give the company written notice of the violation and a 30-day “opportunity to cure”, i.e. to correct the issues that led to the violation.
Duties of controllers
The duties of controllers under the CDPA are:
- To set up and maintain administrative, technical, and physical data security practices that are reasonable and appropriate to the amount and types of personal data processed in order to protect confidentiality, integrity and accessibility of personal data.
- To respond to consumer requests regarding their data within 45 days of receipt of the request (in some cases the response period can be extended by an additional 45 days).
- To set up a process for consumers to appeal refusal by the controller to take action on consumer requests.
- To limit collection of consumers’ personal data to what is “adequate, relevant, and reasonably necessary” for the purposes that the data is being processed, as disclosed to consumers.
- To not process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to consumers, unless consumer consent has been obtained (subject to certain exceptions).
- To not discriminate against consumers by processing personal data in violation of relevant state and federal laws.
- To ensure that agreements with processors do not purport to waive or limit in any way consumer rights.
- To provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data processed by the controller, (2) the purposes for processing personal data, (3) how consumers may exercise their rights, including how to appeal a decision, (4) the categories of personal data that the controller shares with third parties, if any, and (5) the categories of third parties, if any, with whom the controller shares personal data.
- To clearly and conspicuously disclose processing if it sells personal data to third parties or processes personal data for targeted advertising, as well as the manner in which a consumer may exercise the right to opt-out.
- To establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their rights.
Regarding de-identified (anonymized) data, controllers that hold it have several protective duties under the CDPA:
- To take reasonable measures to ensure the data cannot be associated with a natural person
- To publicly commit to maintaining and using the data in de-identified form and not attempting to re-identify it
- To contractually obligate recipients of de-identified data to comply with CDPA requirements.
Controller and processor agreements
Under the CDPA, controllers not only have responsibilities to consumers; they also need binding contracts with their processors. This is similar to the GDPR’s requirements: the contract ensures that only necessary data is processed, that only those who need access to the data have it, and that anyone handling the data is bound by a duty of confidentiality.
A controller/processor agreement should cover:
- Rights and obligations of both the controller and processor
- Type of data to be processed
- Nature and purpose of processing
- Duration of processing
Any agreement should also ensure that any processor:
- Ensures that each person processing personal data is subject to a duty of confidentiality regarding the data
- Upon reasonable request provides all information in its possession to demonstrate compliance with its obligations
- At the controller’s direction, returns or deletes all personal data once services provided are completed (unless retention is required by law)
- Cooperates with the controller’s or controller’s designated assessors’ assessments of the processor’s policies and organizational or technical measures for compliance
- Engages any subcontractor only under a written contract that binds the subcontractor to the same obligations the processor has with respect to the personal data.
Data protection assessments
Under the CDPA, certain processing activities trigger additional obligations: consumer consent (an affirmative opt-in) is required before sensitive data is processed, and a Data Protection Assessment (DPA) must be conducted and documented before any of the activities listed below takes place.
A DPA identifies and weighs the benefits of the processing to the controller, the consumer, other stakeholders and the public against the risks it creates, which fall mainly on the affected consumers. It also records the safeguards the controller puts in place to mitigate the identified risks.
Companies need a DPA if they engage in any of the following activities regarding personal data:
- Processing of sensitive personal data
- Processing of personal data that presents a heightened risk of harm to consumers
- Sale of personal data
- Processing for targeted advertising purposes
- Profiling, if there is a reasonable risk of
- unfair or deceptive treatment of consumers, or unlawful disparate impact on them
- financial, physical, or reputational injury to consumers
- reasonably offensive intrusion on the solitude or private affairs of consumers
- other substantial injury to consumers
Controllers are also responsible for publishing a privacy notice under the CDPA, which needs to be written in clear language, prominently displayed and accessible, and must include:
- Categories of personal data the controller will process
- Categories of personal data the controller shares with third parties, if any
- Categories of third parties with whom the controller will share personal data, if any
- Purpose of the data processing
- Disclosure of any sale of personal data or processing for targeted advertising purposes, and instructions enabling consumers to opt out
Controllers also need to provide one or more means by which consumers can exercise their rights under the CDPA and communicate with the controller. These means must be “secure and reliable”, and must take into account the ways in which the controller and its consumers normally interact.
Controllers also need to authenticate the identity of consumers who make requests, but cannot require consumers to create new accounts in order to do so (an existing account may be used). These requirements are consistent with the California laws.
Exemptions and Limitations
In addition to companies that do not meet the consumer-count or revenue criteria listed above, the following types of organizations do not have to comply with the CDPA:
- Bodies, authorities, boards, bureaus, commissions, districts, or agencies of the Commonwealth of Virginia or political subdivision of the Commonwealth
- Financial institutions, and data, subject to Title V of the federal Gramm-Leach-Bliley Act (which requires companies to safeguard consumers’ sensitive data and explain their information-sharing practices)
- Covered entities and business associates governed by the HIPAA privacy, security and breach notification rules, as extended by the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Non-profit organizations
- Institutions of higher education
Exempt Data Types
Not all processed consumer data is subject to the CDPA, and exemptions can be full or partial. Exemptions include personal data that is:
- Publicly available
- De-identified (anonymized)
- Regulated by existing laws, including:
- Consumer credit check information under the Fair Credit Reporting Act (FCRA)
- Student data regulated by the Family Educational Rights and Privacy Act (FERPA)
- Personal data regulated by the Driver’s Privacy Protection Act
- Personal data regulated by the Farm Credit Act
- Patient and health information governed by the Health Insurance Portability and Accountability Act (HIPAA) and related laws
- Personal data of employees, independent contractors, and applicants, including data collected and used in the context of those roles
In this respect the CDPA differs a fair bit from the California laws and the GDPR, which have fewer exemptions tied to existing sector-specific laws. Employees, contractors, and applicants also enjoy wider protection under those laws than under the CDPA.
Limitations of Scope
The CDPA is narrower in scope than the California laws or the GDPR, particularly where it defers to existing laws at the federal, state and local level. The fact that it does not limit processing of consumers’ personal data for operations “reasonably aligned with the expectations of the consumer” also leaves a fair bit of room for interpretation.
Also unlike the California laws, under the CDPA controllers do not have to provide a “clear and conspicuous link” to enable consumers to opt out of the sale of their data, commonly referred to as a “Do Not Sell” button.
The CDPA does not, however, restrict a controller’s or processor’s ability to do the following:
- Process personal data for certain internal business purposes, e.g. product recalls
- Comply with federal, state, and local laws and regulations
- Comply with a criminal, civil, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities
- Investigate, prepare for, or defend against legal claims
- Cooperate with law enforcement agencies regarding conduct or activity that the controller or processor reasonably believes may violate federal, state, or local laws and regulations
- Provide a product or service, perform a contract to which the consumer is a party, or take steps specifically requested by the consumer prior to entering into a contract
- Respond to security incidents or potential illegal activity
- Take immediate steps to protect the life or safety of individuals
- Conduct research in the public interest (under certain conditions)
For companies already working towards, or in, compliance with the California laws or the GDPR, CDPA compliance should require a limited amount of additional work before 2023. However, as with the California laws, Virginia’s Attorney General has referred to the CDPA as a “work in progress”, and amendments over time are likely. In fact the law mandates a working group to review the Act and its implementation issues.
While the CDPA does take influences from the CCPA, CPRA, and GDPR, it has its own definitions, requirements, and exemptions. Consult one of our experts to help ensure your company’s data compliance and happy customers.