With Gov. Ralph Northam's, D-Va., signature of the Virginia Consumer Data Protection Act on March 2, 2021, Virginia became the second state to enact a broad, multi-rights privacy bill. The new law will take effect Jan. 1, 2023, the same day as the California Privacy Rights Act proposition that amends the California Consumer Privacy Act.
Virginia's CDPA is a somewhat simplified version of the Washington Privacy Act, which was introduced with fanfare two years ago but whose passage remains uncertain. By contrast, the CDPA flew through the Virginia Legislature, passing by overwhelming margin in fewer than two months. Already, privacy bills introduced and likely to receive serious consideration in several blue states — Colorado, Connecticut and Minnesota — resemble this Virginia law.
What are the implications of the CDPA for your privacy program? How does it differ from California requirements, and what additional requirements will you need to implement over and above what you are doing for CPRA compliance? Here's a preview of what else you will need to do to satisfy the CDPA.
The CDPA contains several new requirements, sectoral exemptions and somewhat simpler definitions not found in the CCPA/CPRA that have significant operational implications. Unlike the CCPA and CPRA, the Virginia law does not provide for rulemakings. Although there will be a study of potential legislative modifications later this year, the CDPA should largely avoid the “moving target” problem posed by the many rulemakings and versions of draft rules in California.
The CDPA contains several new requirements that add operational challenges. These include:
- Broader affirmative consent or opt-in requirement to process sensitive personal data, unless an exemption applies. Note that although this is a feature of Article 9 of the EU General Data Protection Regulation, the right applies only to child and young teenager data in the CCPA/CPRA. Unless they qualify for an exemption, Virginia data controllers will need to plan for consent to process sensitive data from adults, as well as children (i.e., sensitive data means: (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal data collected from a known child).
- Broader opt-out right of processing that covers not only sales of personal data, but also targeted advertising and profiling decisions that produce legal or similarly significant effects, which is narrower than the profiling items that require data protection assessments described below and does not match the broader processing limitations in Section 59.1–574.
- Mandatory data protection assessments for sales, targeted advertising and profiling, including profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, “an intrusion upon the solitude or seclusion, of privacy affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person,” or any other processing of sensitive personal data or personal data that presents a “heightened risk of harm to consumers.” These assessments must consider privacy risks, benefits and potential mitigation steps in light of the specific use case and require covered businesses to evaluate all material new data uses that meet the above criteria. These assessments can be developed under legal privilege, and the law incentivizes doing so. Although the attorney general may obtain them by issuing a civil investigative demand, privilege is not waived when this occurs. Note the CDPA assessments differ significantly from GDPR data protection impact assessments, and that although the CCPA does not require impact assessments, one of the CPRA rulemakings is to address them.
- Obligation to confirm whether the controller is processing the consumer's personal data, and a broader deletion requirement (the latter is also in the CPRA). Confirming processing requires some degree of data retrievability. Unlike in the CCPA and CPRA, the obligation to delete personal data covers personal information not only collected from but also collected "concerning" a consumer. This appears to reach data obtained from other sources.
- Conspicuously disclosed, mandatory right of appeal process for denials of consumer rights requests. This will require not only conspicuous notice, but more importantly, changes to the automated processes many companies have implemented related to consumer requests. Affected processes must add the additional appeals step, time frame (60 days), content (written description of actions and reasons) and an additional mechanism to inform the consumer of the option to file a complaint with the Virginia attorney general. This will likely require establishing the appeals process, as well as human review of and response to appeals that will be new for most companies just as many were moving toward a more automated process.
- Specific processor role-based requirements to provide assistance to and adhere to the controller's instructions. While there are fewer obligations than under the CPRA, there is a mandatory requirement, upon request, to demonstrate compliance with processor obligations and to cooperate with or furnish an independent assessment of the processor's controls framework to satisfy its obligations under the CDPA. This will likely require changes to vendor management programs and agreements.
- Different data minimization standards for controllers. The CDPA ties its data minimization limitations to what is “disclosed” or compatible with purposes disclosed to consumers unless consent is obtained or another exemption applies. This places a greater emphasis on transparency to consumers about data uses, instead of compatibility with the original purpose of collecting the data. For this reason, controllers should consider potential uses, carefully disclose them in privacy notices, and determine operationally how to track purposes and data uses unless the controller has the ability to deliver a subsequent notice to the consumer.
The CDPA contains broader sectoral exemptions than the CCPA/CPRA, notably for small businesses, regulated financial institutions (not just Gramm–Leach–Bliley Act regulated data), Family Educational Rights and Privacy Act regulated data, Health Insurance Portability and Accountability Act deidentified data, patient safety data, and for a broader range of clinical trials data than the CCPA/CPRA.
The Virginia law also contains a somewhat broader internal operations exception, which requires reasonable alignment with consumer expectations or compatibility with the consumer's relationship with the business, but not the CPRA condition that uses be compatible with the context in which the information was collected. This difference avoids the operational challenge of tagging state resident data based upon the context of collection in order to exclude it from other controls.
The CDPA has different definitions of several key terms that may make operational compliance somewhat more difficult for companies with CCPA programs. However, some but not all of these different definitions are generally clearer, for example:
- “Personal data” largely tracks the Federal Trade Commission Privacy Staff report definition of “covered information” and completely excludes employee, business-to-business data, deidentified data and publicly available information. “Any information that is linked to or reasonably linkable to an identified or identifiable natural person” may seem broad without the CCPA example list. On the other hand, this definition removes the words “relate to, describe” and "household," avoiding scoping uncertainty under the CCPA (i.e., is data that “describes” an individual but doesn't identify them still personal information?). Yet, what is “reasonably linkable” will vary based upon the circumstances, so your program needs to develop guidelines on its application. Quite apart from this, the definition provides certainty that only consumer data must be subject to your CDPA program, which makes scoping simpler than under the CCPA partial moratorium for employee and business-to-business data.
- “Sale” means the exchange of personal data for monetary consideration by a controller to a third party. The definition of sale excludes transfers to affiliates and avoids the open-ended “other consideration” element in the CCPA/CPRA. However, the opt-out under the law also applies to “targeted advertising” and “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
- “Pseudonymous data” is exempt from consumer rights requests (although not assessment or processor requirements) if it is “kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.” However, there is an operational burden to ensure those controls are in place and are documented. Further, controllers who wish to use this exception must exercise oversight to monitor that any downstream recipients observe these conditions, which itself presents a potentially significant operational challenge if the data travel widely.
- “Sensitive data” is subject to an opt-in for processing, instead of the opt-out of secondary uses, sharing and sales that applies under the CPRA. This may prove an interesting operational challenge because sensitive data includes racial or ethnic origin, religious beliefs, mental and physical health diagnosis, and precise geolocation to name a few. However, this term is defined more precisely under the CDPA. It does not include the California data breach notice data elements, contents of communications, email account credentials, philosophical beliefs or union membership. Thus, the universe of sensitive data under the CDPA is significantly narrower, avoiding including items like email account credentials, which are commonly held by businesses. In addition, as explained above, the CDPA contains somewhat broader sectoral and operational exemptions, including for the health sector, which narrow somewhat the applicability of the sensitive data opt-in.
The bill precludes any class action enforcement. The Virginia attorney general can levy fines of up to $7,500 per violation for failure to cure a violation after notice.
Overall, the variations between the California and Virginia laws add some further complexity to a confusing and sometimes contradictory array of global requirements and exceptions, especially for third-party use. However, the CDPA avoids several areas of significant uncertainty in the CCPA and may provide an overall clearer model with more consumer rights for other states.
Stay tuned! As of now, other states to watch closely for potential privacy laws this year are Colorado, Connecticut, Florida, New York, Minnesota, Oklahoma, Ohio and Washington.