And Then There Were Two: Virginia Enacts Comprehensive Data Privacy Law

April 9, 2021 UPDATE re Virginia’s Ban on Facial Recognition Technology:  In addition to the comprehensive data privacy bill, the Virginia legislature also passed House Bill 2031. This Bill effectively bans the use of facial-recognition technology by police departments without first getting legislative approval. This ban applies to police or sheriff’s departments, including campus police departments. However, the ban does not apply to airport police forces or state police in Virginia. Read more about the ban here.

ORIGINAL POST:  Virginia has become the second state, after California, to enact a data privacy law.  Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“VCDPA”) into law on March 2, 2021. It is the second broadly applicable data privacy legislation enacted in the U.S. and becomes effective on January 1, 2023.

Overall, the VCDPA is a step toward protecting Americans’ data privacy.  The VCDPA follows in the footsteps of the California Consumer Privacy Act (“CCPA”) (as amended by the California Privacy Rights Act/Prop 24 (“CPRA”)), which went into effect at the beginning of 2020.  The VCDPA grants consumers similar rights over their data as those granted by the CCPA/CPRA, imposes similar obligations, and imposes similarly hefty fines on businesses that fail to comply. That said, it is only a step in the right direction because it omits some of the more powerful provisions included in the CCPA/CPRA. Most notably, it excludes an authorized agent provision thereby placing the burden solely on the consumer to know and exercise their privacy rights. It also provides for watered-down enforcement exclusively by the Attorney General with no private consumer right of action.

Virginia’s law also contains some unique provisions.  Below, we break down some of the most important provisions in Virginia’s new law and note where they materially differ from the CCPA/CPRA.

What is “Personal Data” under the VCDPA?

Virginia’s law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”  This language is very similar to the definition used in California, though it is called “personal information” and not “personal data” in the Golden State.  Semantics aside, both states explicitly exclude de-identified data and publicly available information from their definitions.

Under the VCDPA, de-identified data is “data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.”  This means data that is disassociated from a particular person, but still connected with a device that can be linked to that person, does not qualify as de-identified data under the VCDPA.  This clarification is not explicit in the CCPA/CPRA.  However, both Virginia and California obligate businesses, and their subcontractors, to take certain steps to ensure de-identified data stays de-identified.

The VCDPA’s definition of publicly available information tracks changes to this category of data seen in California.  While the CCPA counts only information from lawfully available government records as public, both the CPRA and VCDPA expand the definition to also include information shared over widely distributed media.

Under the VCDPA, publicly available information also includes “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”  The CPRA language for this provision is substantially the same.  Without further guidance about how this provision will be interpreted, it seems that public posts on social media may not qualify as “personal data” under the VCDPA and CPRA, and therefore may be open season for businesses to collect and use.

What rights do consumers have under the VCDPA?

The VCDPA grants Commonwealth residents certain new rights related to their data.  These rights are based on the Fair Information Practice Principles and track those enjoyed by Californians and Europeans, with a couple of key differences:

The Right to Know and Access.  Like Californians, Virginians will have a right to confirm whether or not a controller (data collector) is processing their personal data.
The Right to Access.  Like Californians, Virginians will have a right to access their personal data.
The Right to Correction.  Like Californians, Virginians will have a right to correct inaccuracies in their personal data.
The Right to Delete.  Like Californians, Virginians will have a right to request a business delete personal data provided by or obtained about them.
The Right to Data Portability.  Like Californians, Virginians will have a right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.
The Right to Opt-Out.  Virginians will have a right to opt out of the processing of their personal data for purposes of targeted advertising, sale, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

This opt-out right is both more and less inclusive than the CPRA.

On the one hand, the VCDPA’s opt-out right is more expansive in that it allows consumers to opt out of the processing of their data for targeted advertising, while Californians are limited to opting out of the sharing of their personal information for the purpose of cross-context behavioral advertising.

On the other hand, the VCDPA defines “sale” as the exchange of personal data for money by the controller to a third party, whereas the CPRA definition is broader and includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration.”

The Right Against the Processing of Sensitive Data.  Unless Virginians provide affirmative, freely given, specific, informed, and unambiguous consent, the law protects their sensitive personal data from being processed.  Sensitive data is defined as a subset of personal data that includes:

1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;

3. The personal data collected from a known child; or

4. Precise geolocation data.

The Right Against the Processing of Sensitive Data in the VCDPA is more substantial than that in the CPRA, which only provides a right to limit a business’s use and disclosure of sensitive personal information.

The Right to Appeal.  Unlike California’s laws, Virginians will have a right to appeal a business’s refusal of a request to exercise their rights by way of a “conspicuously available” appeals process to be established by the controller (data collector) that can culminate with the submission of a complaint to the Attorney General.

While the VCDPA provides an impressive battery of rights to Virginians, a few rights granted by the CPRA are notably absent.  One such right that is missing for Virginians is the right to receive a list of the third parties to which personal data has been disclosed by the controller (data collector) in the past 12 months.

Another one that is missing for Virginians is the right to use an authorized agent to exercise data privacy rights under the law.  By failing to include this right, the law puts the burden on each individual Virginia consumer to exercise their privacy rights, which is a tall order considering the sheer volume of different entities that collect, use, and control consumer information.  Without an authorized agent mechanism, it is unlikely that consumers will spend the time necessary to meaningfully exercise and protect their privacy rights.

Business Obligations

In addition to the rights granted to consumers under the VCDPA, businesses covered by the law will be legally bound to meet certain obligations.

Data Minimization.  Data collectors can only collect personal data that is reasonably necessary to the purpose for which it is collected.

Data Security.  Data collectors must have security practices in place to protect consumer data.

Non-Discrimination.  Data collectors must not process personal data in violation of state and federal anti-discrimination laws and must not discriminate against consumers who exercise their rights under the VCDPA.
Contractual Control of Third-Party Processors.  Data collectors must include contractual provisions with third-party data processors that govern the third party’s use of the personal data. Among other things, these provisions must require confidentiality and obligate any subcontractors to uphold the same commitments.

Notice.  Data collectors must conspicuously post a privacy notice containing the following: certain information about the categories of personal data processed by the collector, the purposes for the processing, consumer rights under the VCDPA, and information about data sharing with third parties.

Data Protection Assessments.  Data collectors must conduct Data Protection Assessments (“DPAs”) to evaluate the risks of privacy harms to consumers that may result from data processing in the following areas: (i) targeted advertising; (ii) sale of personal data; (iii) profiling; (iv) sensitive data; and (v) any other activities involving personal data that present a heightened risk of harm to consumers.  DPAs must be made available to the Attorney General upon request.

The DPAs are similar to the Risk Assessment process required by the CPRA, though the VCDPA spells out with more specificity the precise situations in which they are needed.  It is unclear from the law how often businesses will need to conduct DPAs.

Enforcement

The VCDPA will be exclusively enforced by the Virginia Attorney General’s office.  Civil penalties for violations of the VCDPA can reach up to $7,500 per violation, which will be set aside in a Consumer Privacy Fund to be used by the Attorney General to enforce the provisions of the VCDPA.  Businesses will have 30 days to cure noticed violations. Notably, this grace period was removed from California’s law with the passage of the CPRA.

Conspicuously absent from the VCDPA enforcement mechanism is any semblance of a private right of action.  Under the CCPA/CPRA, consumers whose personal information is subject to an unauthorized exfiltration, theft, or disclosure as a result of a business’s ineffective security practices may sue the company for statutory and actual damages. Also absent from the VCDPA is a standalone agency to enforce data privacy violations, such as the one created in California by the CPRA.

Conclusion

Though it is not perfect, the passage of the Virginia Consumer Data Protection Act represents progress in the fight for data privacy in the U.S. With the enactment of each new privacy law, businesses are increasingly put on notice to stop exploiting consumers’ personal information.