On March 2, 2021, Governor Northam of Virginia signed the next U.S. privacy bill into law: the Virginia Consumer Data Protection Act (CDPA) will apply as of January 1, 2023.
It will offer a range of new rights to the residents of Virginia. Virginia is only the second state in the U.S. to enact such comprehensive consumer privacy legislation, after California.
Who Does the Virginia Consumer Data Protection Act Apply to?
Like the California Consumer Privacy Act (CCPA), the CDPA includes a clear threshold.
This means that businesses are covered if they process the personal data of at least 100,000 Virginia residents on an annual basis, or of at least 25,000 Virginia residents if over 50% of their gross revenue comes from the sale of personal data.
If either threshold is met, businesses will need to offer new individual rights to their customers.
What are the New Virginia CDPA Rights?
The new Consumer Data Protection Act rights you need to know are the rights to:
- Know whether personal data about them is being processed, backed by extensive notice requirements
- Access all personal data processed
- Correct any issues with personal data
- Delete personal data
- Benefit from data portability. This means ideally providing the individual's personal data in a format that simplifies the move to another data controller.
- Opt-out of the sale of personal data. This includes the processing of personal data for targeted advertising and profiling.
How Much Does It Cost Consumers, and How Often Can they Apply?
Exercising individual rights is free of charge and can be done up to twice a year. The company will have 45 days to respond.
However, the company may extend this deadline by another 45 days if more time is needed. A reason for the delay must be provided.
What if the Request Cannot be Met?
Any declined request must come with reasons.
Individuals must always prove their identity, so that the business does not disclose any personal data to unauthorized persons.
How are the Virginia Consumer Data Protection Act (CDPA) and the EU General Data Protection Regulation (GDPR) Similar?
The CDPA takes its lead from the EU GDPR by setting out data protection principles.
These must be respected by businesses processing personal information.
For example, businesses will need to ensure that the processing of personal data is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed,” and that it is not further processed for unrelated purposes.
Also, an obligation is introduced to ensure “reasonable administrative, technical, and physical data security practices” are in place.
The CDPA, like the draft Washington Privacy Act (WPA), also introduces the EU-inspired distinction between controllers and processors.
This includes the requirement to conclude a data processing agreement governing all data processing carried out on behalf of the data controller.
This is a first for enacted U.S. privacy laws.
How Does the CDPA Compare to Other U.S. State Privacy Laws?
Not all of these data protection principles are also included in privacy laws in other U.S. jurisdictions.
For example, the principle of purpose limitation is not included in the CCPA, although it will be introduced by the new California Privacy Rights Act (CPRA), which will also apply as of 2023.
On data security, both California privacy laws have more limited provisions, only linking some specific data security requirements to the need to avoid data breaches.
How Else Does the CDPA Stand Out?
Another notable provision of the CDPA requires opt-in consent for the processing of sensitive personal data.
This includes any data “revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status”.
It also includes genetic or biometric data to uniquely identify a person, precise geolocation data and data from known children.
Finally, the CDPA introduces mandatory Data Protection Assessments for a range of situations.
These include:
- The sale of personal data
- The processing of sensitive personal data
- Processing for the purposes of profiling and targeted advertising
- Any processing that leads to “a heightened risk of harm to consumers”
These are standards similar to the GDPR’s obligations for conducting data protection impact assessments (DPIAs).
Of note is that data controllers are allowed to weigh any benefits of the processing against the risks that processing poses to the individual.
This is a similar provision to the one in the draft WPA, which is being debated for the third session in a row by the Washington State legislature.
By contrast, a provision requiring specific data protection or privacy assessments is notably absent from both the CCPA and the CPRA.
How will the Consumer Data Protection Act be Enforced?
When it comes to enforcing the CDPA, authority lies with the Virginia Attorney General, who may bring civil investigations against any controller or processor.
They can also impose penalties of no more than $7,500 per violation. The same maximum applies to any damages payable by businesses violating the CDPA.
Unlike the CCPA, the CDPA does not provide a private right of action, which would give individuals the possibility to sue a business for violating their privacy rights.
When Does this Take Effect?
As mentioned above, the Virginia CDPA will apply as of 1 January 2023, the same date on which the CPRA will enter into force.
This means that companies meeting the application thresholds in both states will need to comply with multiple sets of new rules from that date.
Some of these rules align between the two jurisdictions, but not all of them.
Will Other States Follow Suit?
More states – notably Washington, Minnesota, New York, Oklahoma and Utah – are resuming their debates on the introduction of wide-ranging privacy legislation across the U.S.
So it is likely that more specific data protection requirements will come into force around the same time.
TrustArc keeps continuous track of the development of privacy legislation at U.S. State level and in countries around the world.
This summary provides general information about applicable laws and does not constitute legal advice regarding specific facts or circumstances.