Virginia data protection bill signed into law

On March 2, Virginia’s Democratic Governor Ralph Northam signed into law the nation’s second major piece of state legislation that governs consumer data privacy and protection. Virginia’s Consumer Data Protection Act (CDPA) follows the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. In a referendum last fall, California citizens voted to amend the CCPA by approving the California Privacy Rights and Enforcement Act (CPRA), which will mostly go into effect on January 1, 2023.

All three laws follow the European Union’s landmark data protection law, the General Data Protection Regulation (GDPR), implemented on May 25, 2018. Although the CCPA, CPRA and CDPA borrow heavily from the GDPR, each data privacy vehicle contains provisions that vary from the other laws.

CDPA mandates how larger companies control or process data

Virginia’s CDPA, also set to go into effect January 2023, spells out a complex framework for how businesses or “persons conducting business in the Commonwealth” control or process data. The bill’s provisions apply only to businesses that control or process personal information of at least 100,000 consumers, defined as Virginia residents, or companies that control or process the data of at least 25,000 Virginia residents that also derive 50% or more of their gross revenue from the sale of personal data.

The legislation spells out that some organizations and data are exempt from the bill’s requirements. Among the exemptions in the CDPA are state and local governments, non-profit organizations, and higher education institutions. Information subject to the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), and personal data processed in employment contexts are also exempt. The bill further exempts institutions subject to the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA).

The CDPA gives Virginia consumers the right to access, correct, delete, and obtain a copy of the personal information that covered businesses hold about them. The legislation also gives consumers the right to opt out of personal data processing for targeted advertising purposes, which will likely require companies to issue the kind of cookie use notices that have proliferated following the GDPR. Covered businesses must make additional disclosure around this data processing and are obligated to tell consumers how they may exercise their rights.

Businesses, who are referred to as controllers, are also required to perform impact assessments to ensure they are not infringing on consumers’ rights when processing their data. Controllers must further implement appropriate technical and security controls and have appropriate agreements in place with vendors, referred to as processors.

The bill authorizes only the attorney general to bring legal actions against both controllers and processors. It also gives violators 30 days to “cure” their problems before they start incurring penalties up to $7,500 per violation.

CDPA combines CCPA, CPRA and GDPR

“The CDPA is basically a combination of the CCPA, CPRA, and GDPR,” Kristen Mathews, partner at law firm Morrison and Foerster, tells CSO. But there are many apparent differences between the Virginia bill and its California counterparts too.

For example, “the definition of personal information in the CDPA is narrow because it only includes data that is identifiable to a natural person, as opposed to data that is identifiable to a device or a household,” Mathews says.

Another difference deals with the de-identification of data, which businesses often implement to avoid privacy laws’ burdens. “The CDPA has conditions on de-identification that are beyond the conditions that are present in the CCPA and the CPRA. There are more hurdles to successfully de-identifying data under the Virginia law,” she says.

One significant difference between the CDPA and the California law, or perhaps most consumer protection laws in general, is that if the consumer makes the request and the business declines the request, the consumer has to be given an appeals process. “This is not present in the California law. And if the business at the end of the appeals process still declines the request, the business has to give the consumer contact information for the attorney general to make a complaint,” Mathew says. “What this means is that businesses are not going to reject these complaints unless they really have to because they don’t want to send the person to the AG.”

“On a high level, the most important thing about the Virginia law is that it was passed and signed by the governor,” Michael Vatis, partner at law firm Steptoe LLP tells CSO. “I think those of us who practice in this field have been watching as half dozen or more other states have proposed legislation similar to the CCPA but didn’t get anywhere in 2020.”

Vatis thinks the CDPA owes a lot to the framework adopted in the GDPR. “I think one of the distinguishing characteristics of the Virginia legislation, which makes it more similar to the GDPR, is that it imposes [data collection obligations] on companies as data controllers, which is itself is a GDPR term. But more fundamental than that is the obligation to limit the collection of personal data to that which is adequate, relevant, and reasonably necessary for the purpose for which the data is processed. In GDPR parlance, they talk about proportionality and necessity.”

Other states may quickly adopt data protection laws

The Virginia legislation could spur other states, including New York and Washington, that have introduced similar laws to take quicker action. “The fact that Virginia is now number two will start the ball rolling a little more quickly in other States,” Vatis says.

Mathews agrees. “I would not be surprised if a few or a handful of other states enact similar laws this year,” she says.

“It’s almost a déjà vu moment for anyone who lived through the 20 years or so watching, states pass data breach notification laws,” Vatis says. “First California, then they’re in a couple more states, then in a couple more, until we finally got all 50 states plus four territories. I think what we are likely to see is a very similar scenario in which more and more states enact laws that are derived from and similar to the California CCPA, but are just different enough to make compliance a nightmare for businesses.”

As each state passes its own unique set of laws, the pressure will mount for a federal law that preempts the turmoil of the differing state requirements. “Every year, each of these companies would have to Institute a new silo,” Vatis says. “That won’t work. I think where companies will probably end up is having to have one compliance regime, one privacy policy that deals with all of them.”

Morrison and Foerster’s Mathews thinks federal data privacy legislation could be an uphill battle in Congress. “The problem is that, regardless of whether you’re a Democrat or Republican in Congress, you represent a state. Every person in Congress represents the state, and the states want to be able to continue to legislate in this area. They don’t want a federal law that preempts their laws.”