Newsletter

Virginia Poised to Enact Comprehensive Privacy Legislation

February 2021

Privacy In Focus®

Virginia is for lovers and, in the near future, may be for privacy as well, as the Commonwealth’s legislature is currently considering adopting its own comprehensive consumer data privacy law: The Consumer Data Protection Act (CDPA).

The CDPA, which would establish a framework for controlling and processing personal data in Virginia, is comprised of House Bill 2307 and Senate Bill 1392, and appears to be close to crossing the goal line in Richmond. The House passed its bill on January 29, 2021, and subsequently referred it to the Senate Committee on General Laws and Technology on February 1. Similarly, the Senate unanimously passed its bill on February 3, and it was referred to the House Committee on Communications, Technology and Innovation on February 7. All that remains now is for the House and Senate to complete the reconciliation process and present the legislation to Governor Ralph Northam for his approval, which means the CDPA could be enacted soon. As such, we have provided a brief overview of the CDPA below:

The CDPA’s Scope

The CDPA applies to an entity (or individual) that conducts business in Virginia or targets their products or services to Virginia residents and (i) “control[s] or process[es] personal data of at least 100,000 consumers” over the course of a calendar year or (ii) “control[s] or process[es] personal data of at least 25,000 consumers and derive[s] over 50 percent of gross revenue from the sale of personal data” (Data Controller). The CDPA does not apply to state or local governmental entities, nonprofit organizations, higher learning institutions, or entities covered by the Gramm-Leach-Bliley Act, HIPAA, or the HITECH Act, and does not cover certain types of personal data already protected under federal law.

Consumer Rights Provided by the CDPA

The CDPA grants consumers five personal data rights, which consumers may invoke by submitting a request to a Data Controller: (1) the right to confirm whether a controller is processing the consumer’s data and, if so, to access that data; (2) the right to correct inaccuracies in the consumer’s personal data; (3) the right to have the consumer’s personal data deleted; (4) the right to obtain a copy of the consumer’s personal data; and (5) the right to opt out of the processing of the consumer’s personal data for purposes of targeted advertising, selling that data, or profiling in order to make impactful decisions.

In this sense, the CDPA largely parallels the California Consumer Privacy Act (CCPA), which also provides California consumers with the right to know what personal data a business has collected from them and whether that data is being sold or disclosed, the right to prevent the sale of the consumer’s personal data, and the right to access the consumer’s personal data, among other things. It goes further in extending the opt-out right to cover certain types of data processing, for targeted advertising, and some profiling.

Obligations Imposed on Data Controllers Under the CDPA

Under the CDPA, Data Controllers are subject to several general obligations. Specifically, Data Controllers must: (1) collect no more personal data than is necessary for their data processing purposes; (2) only process personal data for the purposes that they have disclosed to consumers; (3) implement reasonable data security measures; (4) refrain from discriminating against consumers that exercise their personal data rights; and (5) obtain a consumer’s consent before processing “sensitive data” – which the CDPA defines to include a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship status, genetic or biometric data, personal data collected from a child, and precise geolocation data.

Beyond these general obligations, the CDPA also requires that controllers take several steps to increase transparency with consumers, like providing a clear and meaningful privacy notice and disclosing whether the controller sells personal data to third parties or processes personal data for purposes of targeted advertising. Controllers must also disclose how consumers can opt out of having their data used like this. Additionally, controllers must conduct and document a privacy risk assessment when they process data for certain purposes that pose a “heightened risk” of consumer harm.

Enforcement of the CDPA

Despite granting Virginia consumers significant personal data rights, the CDPA explicitly declines to create a private right of action to enforce these rights. Rather, the authority to enforce the CDPA is vested solely with the Commonwealth’s Attorney General.

In terms of penalties, controllers or processors of personal data that violate the CDPA could be subject to an injunction and liable for up to $7,500 per violation. The CDPA also establishes a “Consumer Privacy Fund,” into which all civil penalties collected for violations of the CDPA will be deposited in order to fund the Attorney General’s further enforcement efforts.

Looking Forward

If the CDPA is ultimately passed, Data Controllers that conduct business in the Commonwealth will find themselves subject to several important obligations, so it is vital that businesses that would be covered by the CDPA monitor its progress. The CDPA would not become effective until January 1, 2023, providing Data Controllers time to come into compliance with the CDPA’s obligations. At the same time, Data Controllers also must consider other potentially applicable state laws, such as the California Privacy Rights Act, and begin mapping out privacy compliance strategies accordingly.

Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors proactively address risks and address compliance with new privacy laws. Please reach out to any of the authors with questions.

© 2021 Wiley Rein LLP

Read Time: 5 min
Jump to top of page

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek