The Virginia Consumer Data Protection Act (CDPA) was passed into law on March 2, 2021, and it represents the second state-level rights-based data protection law in the United States. Perhaps the best way to understand its scope is to compare it to California’s rights-based laws, the CCPA and CPRA. First, some noteworthy differences:
No revenue requirement for applicability. The CDPA applies “to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth[.]” This “targeted to residents” criterion is not present in the CCPA/CPRA and seems to expand the reach of the statute more explicitly, perhaps to entities outside of the U.S. An additional criterion requires that the person either “(i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” This criterion set eliminates the $25 million revenue threshold featured by the CCPA/CPRA and does not count “households” along with consumers toward the 100,000/25,000 threshold. Note that the statute does not apply to government agencies, non-profit institutions, or entities governed by HIPAA/HITECH or GLBA (see discussion below).
Mandate for a data protection assessment. In what may be the most salient requirement of the statute, sales of personal data and certain types of processing require a data protection assessment. This could include the processing of personal data for targeted advertising or profiling, as well as the processing of sensitive personal data. While industry-focused cybersecurity statutes (e.g., NYC Part 500) commonly require assessments, the CDPA is the first broadly applicable statute to require one.
No private right of action. A “private right of action” is a right sometimes granted by civil and criminal statutes to an aggrieved party to bring a lawsuit in civil courts for damages and other relief against an alleged wrongdoer. Such a right is granted under section 150 of the CCPA/CPRA in the event a data breach is the result of inadequate information security controls; however, this is not the case with the CDPA.
Opt-in for sales of “sensitive” personal data. The CPRA created an additional class of personal information, “sensitive” personal information (“SPI”). Examples include information about a consumer’s racial or ethnic origins, religious beliefs, and personal health. The statute enables consumers to limit business use of SPI to that which is necessary to offer the goods or perform the services in question. The CDPA’s version of SPI is not quite as extensive as that of the CPRA (e.g., the contents of email/text messages are not included) but goes further in protecting such data by requiring consumer consent for its processing.
No “business” vs. “commercial” purpose. The CCPA/CPRA creates a distinction between a “business” purpose for the use of personal information and a “commercial” one; the former denotes an operational or other internal use of the information by a business, whereas the latter denotes a money-making purpose. The idea behind this distinction is to limit applicability of the law in cases where personal data is not being directly used for monetary gain. The CDPA does not per se make this distinction but does cite several kinds of transfers of personal data as not being a “sale,” such as to a data processor.
Narrower definition of “sale.” The CDPA’s definition of “sale” in the context of selling personal data is narrower than that of the CCPA/CPRA. The former limits the definition to include “the exchange of personal data for monetary consideration,” while with the latter the consideration can be monetary or “other valuable consideration.”
Exemption of certain institutions. Like the CCPA/CPRA, the CDPA exempts from its scope personal data that is governed by federal law, such as data subject to HIPAA/HITECH, GLBA, COPPA, and the FCRA. In contrast to the CCPA/CPRA, however, the statute also exempts certain institutions, namely those governed by HIPAA/HITECH and GLBA. This means that, for example, advertising and marketing programs at these institutions that would have fallen under the scope of the CCPA/CPRA will not under the Virginia statute.
Penalties. The Virginia Attorney General may pursue fines of up to $7,500 per violation and/or an injunction, which is the same maximum as under the CCPA/CPRA (albeit there only for intentional violations or for those involving the personal information of a minor). The Attorney General shall offer an offending business 30 days to cure the violation, and if the violation is cured, that ends the matter. Under the CCPA/CPRA, the California Privacy Protection Agency will not have to offer a cure period.
And a few (but important) similarities:
Consumer rights. The CDPA effectively offers to consumers the same rights concerning their personal data as does the CCPA/CPRA. Those rights include obtaining a copy of their personal data in a “portable … and readily usable format,” correcting inaccuracies, and deletion. In terms of opting out of the sale of personal data, the CDPA is somewhat broader, enabling consumers to “opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
The law will take effect on January 1, 2023. As with other new data protection laws, businesses should begin reviewing their compliance posture immediately by determining what personal and sensitive personal data is under their control, conducting data protection assessments (or updating existing ones), and reviewing contracts with business partners that involve the transfer or sharing of personal data. While being compliant with the CCPA will certainly make compliance with the CDPA easier, the constantly evolving nature of personal data and how it is being used makes compliance mandates a moving target.