On March 2, 2021, the Virginia Legislature adopted, and Governor Ralph Northam signed, the Virginia Consumer Data Privacy Act (CDPA), which goes into effect on January 1, 2023. The law applies to companies that conduct business in the state of Virginia or whose products or services are directed to residents of Virginia and that either: (1) process or control the personal data of 100,000 or more consumers (Virginia residents), or (2) derive over 50 percent of their revenue from the sale of personal data and process or control the personal data of at least 25,000 consumers. (59.1-572.)
The CDPA also features some key differences from the California Consumer Privacy Act that businesses should be aware of, discussed below.
What Data Is Covered?
The CDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” (Emphasis added.) This does not include deidentified data or publicly available information.
What Are Consumers’ Rights Under CDPA?
- Confirmation: Consumers have the right to confirm whether a controller is processing their personal data and to access that data. (59.1-573(A)(1).)
- Access/Portability: Consumers have the right to obtain their personal data in a readily usable format. (59.1-573(A)(1), (A)(4).)
- Correction: Consumers have the right to correct inaccurate personal data. (59.1-573(A)(2).)
- Deletion: Consumers have the right to deletion of personal data provided by or obtained about them. (59.1-573(A)(3).)
- Opt out: Consumers have the right to opt out of the processing of personal data for targeted advertising, sale for monetary consideration, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. (59.1-573(A)(5).)
What Are Businesses’ Obligations?
- Limit data collection and use “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” unless the business has consumer consent. (59.1-574(A)(1).)
- Provide a policy notice that is “reasonably accessible, clear, and meaningful” that sets forth (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) the method by which consumers may exercise their rights and appeal a controller’s decision regarding their request; (4) the categories of personal data the controller shares with third parties; and (5) the categories of third parties with whom personal data is shared. (59.1-574(C)).
- Implement and employ technical safeguards: The law requires businesses to “[e]stablish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” (59.1-574(A)(3)).
- Conduct data protection assessments designed to assess the risk of engaging in specific processing activities. (59.1-576(C)).
- Utilize data processing agreements with processors to govern the way data is processed and handled. (59.1-575(B)).
How Does the Law Compare to California Consumer Privacy Act?
- Certain key terms have a narrower scope and more limited application (e.g., “personal data” includes only the consumer’s data, not a household’s, and “sale” concerns only data exchanged for monetary consideration).
- CDPA contains no private right of action and is solely enforced by the attorney general.
- Affirmative consent is required to process sensitive data and the definition of sensitive data includes the broader concept of “personal data of an individual known to be a child,” rather than information that is obtained from a child.
- Consumers’ opt-out rights extend beyond the sale of their data: they can also opt out of targeted advertising and “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
- Deletion rights are broader and include the right to deletion of data consumers provide as well as data obtained about them.
- Consumers have a right to appeal denials of a data request, requiring businesses to establish an appeal process and, within 60 days of receiving an appeal, inform the consumer in writing of their decision regarding the appeal. (59.1-573(C).)
- Data protection assessments are mandatory, and the CDPA specifies the kind of analysis that must be performed.
- Broader exemptions exist under the CDPA, covering businesses subject to certain federal regulatory schemes (e.g., HIPAA, GLBA, and HITECH), nonprofits, and educational institutions, as well as information subject to the FCRA, information exchanged in B2B transactions, and information related to employees or applicants.
For More Information
If you have any questions about this Alert, please contact Sandra A. Jeskie, Michelle Hon Donovan, Simeon S. Poles, Anjali Kulkarni, any of the attorneys in our Privacy and Data Protection Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.