Virginia Consumer Data Protection Act Signed into Law
The Virginia Consumer Data Protection Act (CDPA) has been signed into law by Governor Ralph Northam. CDPA requires persons conducting business in the Commonwealth of Virginia to comply with new data privacy and security requirements. The CDPA takes effect on January 1, 2023.
The CDPA mirrors some of the privacy and security provisions of the EU's General Data Protection Regulation (GDPR), which took effect on March 25, 2018, and the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. While there are similarities with the GDPR and the CCPA, there are also differences, so compliance with either the CCPA or the GDPR does not guarantee compliance with the CDPA.
Like the CCPA, the CDPA only applies to organizations that control or process significant amounts of consumer data, with a data-volume threshold twice as high as the CCPA's, although the CDPA has no minimum revenue threshold.
The CDPA applies to any person or business that:
- Controls or processes the personal data of 100,000 or more Virginia residents in a calendar year; or
- Controls or processes the data of 25,000 or more Virginia residents in a calendar year and also derives 50% or more of its gross revenue from the sale of personal data.
Virginia Consumer Data Protection Act Exemptions
Entities already covered by certain federal laws that include data privacy and security provisions are exempt from the CDPA. These are entities covered by:
- The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- The Gramm-Leach-Bliley Act (GLBA).
HIPAA- and GLBA-covered entities are fully exempt, not only for data covered by those respective acts but also for any other data that would otherwise be covered by the CDPA.
There are also exceptions for data covered by the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act, and for personal data processed in employment contexts.
Other entities exempt from CDPA compliance are:
- Any body, authority, board, bureau, commission, district, or agency of the Commonwealth of Virginia, or any political subdivision of the Commonwealth.
- Nonprofit organizations.
- Higher education institutions.
Virginia Consumer Data Protection Act Requirements
The CDPA covers the personal data of any consumer who is “a natural person who is a resident of the Commonwealth acting only in an individual or household context,” but not if they are “acting in a commercial or employment context.” The personal data definition is “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
The CDPA does not apply to deidentified data or to data in the public domain. Data in the public domain is defined as “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.”
CDPA prohibits covered entities from selling personal data without consent, with sale defined as “the exchange of personal data for monetary consideration by the controller to a third party.”
CDPA places restrictions on data collection, limiting information to what is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” Data can only be used for purposes that are reasonably necessary and compatible with the purposes that consumers have consented to.
Covered entities must implement reasonable administrative, technical, and physical safeguards to protect any data collected or processed, and data controllers must conduct data protection assessments, although how frequently those assessments must be performed is not defined.
Consumer Rights Under CDPA
Virginia residents are given the right to:
- View the personal data held by a covered entity.
- Correct errors in the personal data held by a covered entity.
- Delete personal data held by a covered entity.
- Obtain a copy of the personal data held by a covered entity.
- Opt out of processing of personal data for targeted advertising purposes.
- Appeal a business’s refusal to act on a request within a reasonable time frame (45 days). A response to any appeal must be provided within 45 days.
Penalties for Noncompliance with the CDPA
There is no private right of action under the CDPA, so consumers cannot take legal action against a business if they believe their CDPA rights have been violated. Enforcement lies with the Virginia Attorney General, who can impose a fine of up to $7,500 per violation. However, the Attorney General must first give businesses the opportunity to correct or “cure” the violation, with financial penalties applying only if the violation has not been “cured” within 30 days.