On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law. The CDPA, which takes effect January 1, 2023, will look familiar to those who work with the GDPR and California’s Consumer Privacy Act and Privacy Rights Act (CCPA and CPRA, respectively). Companies that have already invested in GDPR and CCPA/CPRA compliance will find that most CDPA obligations are similar to what they have already addressed in some form for Europe and California. But the new Virginia law also contains some novel provisions, such as excluding a broad range of “publicly available information” from the definition of personal data, contractual requirements for sharing de-identified data, and establishing an appeals process for data rights requests.

Scope of the CDPA

The CDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but does not include de-identified data or publicly available information. The CDPA’s definition of publicly available information is broader than under CCPA/CPRA, including not only government records but also “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.” Among other things, this definition suggests the CDPA may exempt some information published on social media.

In addition, the scope of the CDPA is narrower than CCPA/CPRA, as it covers consumers acting only in “individual and household” contexts, rather than also including “commercial or employment” contexts.

Controllers and Processors

The CDPA is the first US state privacy law to borrow the GDPR terms “controllers” and “processors.” Unlike GDPR, however, “processors,” as with “service providers” under California law, are permitted to undertake some activities, such as internal research and development and product improvement or repair, without crossing the line into being deemed a controller.

Controllers have obligations to inform consumers of the controllers’ privacy practices, maintain reasonable security of personal data, and enable consumers to exercise privacy rights similar to those available to EU and California residents. As will be discussed below, controllers engaging in some types of processing will be required to perform data protection assessments. Processors must be contractually required to assist controllers in fulfilling all of these obligations and with fulfilling any of the controller’s data breach notice responsibilities.

Expanded Privacy Rights

Like the CCPA/CPRA and the GDPR, Virginia’s Act establishes a number of privacy rights for Virginia consumers, including rights of data access and portability, and certain data deletion rights. It also gives consumers the right to opt out of certain activities including data sales, targeted advertising, and profiling, where profiling is “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

When a consumer makes an authenticated rights’ request, the controller has 45 days to respond, which may be extended once by another 45 days. Consumers may request access to information twice per year, and a controller may charge a reasonable fee to cover administrative costs associated with the request if the requests are “manifestly unfounded, excessive, or repetitive,” but the controller bears a burden of demonstrating this nature of the requests.

If a controller declines to perform the action the consumer requests, the controller must document the reasons it declined the request and establish a process for the consumer to appeal the decision. If the consumer appeals, the controller must inform the consumer, in writing, of any actions taken or not taken, and reasons for those decisions. The controller must then provide the consumer with an online or other method to contact the Attorney General to submit a complaint.

Sensitive Data

Like the GDPR and CPRA, the CDPA creates a category of “sensitive data.” Such data includes (1) “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal data collected from a known child [under the age of 13]; or (4) precise geolocation data,” where precise geolocation data is “information derived from technology, including but not limited to [GPS] level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.”

Controllers must obtain consumers’ consent—which carries the same definition as under the GDPR (meaning specific, opt-in consent)—before processing their sensitive data. In the case of a known child, the consent must be from a parent or guardian in compliance with the federal Children’s Online Privacy Protection Act (COPPA).

Data Protection Assessments

As mentioned above, controllers must perform data protection assessments for some types of data processing initiated January 1, 2023, or later. The assessments are similar to the GDPR’s Data Protection Impact Assessments (DPIAs) and incorporate a weighing of risks and benefits that resembles the GDPR legitimate interests balancing test. The triggering processing activities include targeted advertising, the sale of personal data, certain profiling activities, processing of sensitive data, and processing activities “that present a heightened risk of harm to consumers.”

Although it’s currently unclear what form these data protection assessments should take, controllers should use them to weigh and document benefits of the processing to the controller, consumer, third party, or the public against the risks to the consumer, after accounting for any actions the controller takes to mitigate those risks. Further, if the controller engages in similar analyses to comply with other laws, such as a Data Protection Impact Assessment, those analyses will be sufficient to comply with the CDPA. Notably, however, the CDPA’s data protection assessments must be provided to the Virginia Attorney General upon request, pursuant to a Civil Investigative Demand.

Other Noteworthy Elements of Virginia’s Consumer Data Protection Act

Data Collection and Usage

The CDPA codifies the GDPR principle of collection limitation, in which controllers must limit the collection of personal data to that which is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”

The law also regulates data usage in several ways. In addition to using the data for the purposes disclosed to the consumer, controllers and processors are permitted to engage in a number of activities secondary to the purpose of collection, including, among other activities, to develop and improve their products and services, to engage in public or peer-reviewed scientific or statistical research (under certain conditions), and to perform internal operations that are reasonably anticipated or within the expectations of consumers, given the nature of the consumers’ relationships’ with the relevant controllers. However, as described above, certain uses are subject to consumer opt-out rights and any use of sensitive data requires the opt-in consent of the consumer.

Processing of Pseudonymous and De-Identified Data

Many of the consumer rights described above (i.e., right of access, correction, and deletion) do not apply to pseudonymous data, information that cannot be attributed to a specific natural person without the use of additional information, where the controller can demonstrate that “any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to prevent the controller from accessing such information.”

Controllers who possess de-identified data, which is data that “cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person,” however, must “take reasonable measures to ensure” data is not associated with a natural person; “publicly commit to maintaining and using de-identified data without attempting to re-identify the data;” and “contractually obligate recipients” of such data to comply with the Act. This later provision may require some contracts that involve sharing de-identified data to be updated.

Controllers who share pseudonymous or de-identified data have a duty to “exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.”

Finally, similar to the GDPR, the CDPA specifies that controllers and processors are not required to re-identify de-identified or pseudonymous data, or maintain such data in an identifiable form, to comply with an authenticated consumer rights’ request.

Enforcement

The Virginia Attorney General has exclusive authority to enforce the provisions of this Act; the Act expressly excludes a private right of action. If the Attorney General has reasonable cause to believe there is or will be a violation of the Act, the Attorney General can send a notice to entities describing the specific defects, which the entities have 30 days to cure. If the defects are not cured within 30 days, the Attorney General may seek an injunction and civil penalties of up to $7,500 for each violation.