Virginia is primed to become the next U.S. state to pass comprehensive data-privacy legislation with striking similarities to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the E.U.’s General Data Protection Regulation (GDPR).
The legislation, known as the Consumer Data Protection Act, passed the Virginia House of Delegates on January 29 by a vote of 89-9. On February 3, the Virginia Senate unanimously approved an identical bill 39-0. All that is left now is for Gov. Ralph Northam to sign the bill into law. If signed, the law will become effective alongside CPRA on January 1, 2023.
Key Provisions of the Consumer Data Protection Bill
This legislation is applicable to businesses that either conduct business in Virginia or “produce products or services that are targeted to” Virginia and “during a calendar year, (1) control or process personal data of at least 100,000” Virginians or that (2) “control or process personal data of at least 25,000 [Virginians] and derive over 50 percent of gross revenue from the sale of personal data.”
Interestingly, “consumer” is defined more narrowly than CCPA or CPRA, and only includes a natural person acting in an individual or household context. The definition of consumer affirmatively excepts any natural person acting in a commercial or employment context.
Additionally, there are broad exemptions for financial institutions subject to the federal Gramm-Leach-Bliley Act and covered entities and business associates governed by HIPAA or HITECH. Non-profit organizations and institutions of higher education are also exempt under the proposed legislation.
The legislation broadly defines “personal data” to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
The legislation gives consumers an opt-out right regarding “the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” It also gives consumers the right to confirm whether their data is being processed, to correct inaccuracies, to have their data deleted, and to obtain their data in a portable format. A similarity between this legislation and the newly enacted CPRA is that both provide an explicit opt-out right that extends to targeted advertising and profiling.
Data Protection Assessments
The legislation imposes new obligations, not currently required under any U.S. privacy law, including a new requirement for data controllers to conduct data protection assessments of any processing activities that involve personal data used in any of the following: (a) targeted advertising, (b) the sale of personal data, (c) profiling, (d) the processing of sensitive data, and (e) any processing that presents a heightened risk of harm to consumers.
The Virginia attorney general can request that a controller disclose data protection assessments, and the attorney general is specifically tasked with evaluating data protection assessments for compliance with the responsibilities set out in the proposed legislation. There is also a specific provision that prevents the waiver of attorney-client privilege or work product protection when the assessment is requested or turned over to the attorney general for review.
The legislation defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” This is a very high standard and similar to the consent standard established by the GDPR.
Markedly, the legislation does not provide for a private right of action; rather, the attorney general will have the exclusive right to enforce the law. The attorney general may seek up to $7,500 per violation of the law.
It is anticipated that the law will continue to move quickly through the legislative process and could be signed into law by the governor by the end of February. With what looks to be at least two new comprehensive state laws on the horizon, first in California with CPRA and likely in Virginia, companies need to start planning now for implementation of these laws in 2023. Bradley’s Cybersecurity and Privacy team is here to help. Stay tuned for further updates and alerts from Bradley on state privacy law developments, including Virginia’s privacy rights and obligations, by subscribing to Bradley’s privacy blog, Online and OnPoint.