Virginia Adopts the Consumer Data Protection Act

On March 2, Virginia passed HB 2307 (Ch. 36) to enact the Consumer Data Protection Act (VCDPA), which becomes effective Jan. 1, 2023. The privacy concepts included in this act are similar to those found in the California Consumer Privacy Act (“CCPA”)/California Privacy Rights Act (“CPRA”) or General Data Protection Regulation (“GDPR”) and uses similarly defined terms such as “consumer,” “controller,” “processor,” and “personal data;” however, the VCDPA puts its own spin on privacy regulation.

Unlike the CCPA/CPRA or the GDPR, the jurisdictional scope of the VCDPA is more limited. The VCDPA only applies to data controllers (a) conducting business in Virginia or producing products or services that are targeted to Virginians, and (b) that control or process personal data of at least:

• 100,000 consumers during a calendar year, or
• 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

In addition, the VCPDA includes some business-friendly limitations, such as not being intended to restrict a controller or processor from conducting internal research, effectuating a recall, or performing internal operations that are reasonably aligned with consumers’ expectations. In addition, unlike the CCPA/CPRA, the VCDPA does not provide for a private cause of action.

However, like the CCPA/CPRA and the GDPR, the VCDPA contains various consumer rights for individuals whose information is collected and processed by the company.

Consumer Rights

Within 45 days of receiving a request from a consumer, a controller must comply with requests to:

1. Confirm whether or not the controller is processing the consumer’s personal data and it will provide access to such data, and
2. Correct inaccuracies, or
3. Delete the consumer’s personal data if and as sought by the consumer, and
4. Provide a copy of the consumer’s personal data, or
5. Opt out of targeted advertising, the sale of personal data, or “profiling in furtherance of decisions that produce legal or similarly significant effects” for the consumer.

Controller’s Responsibilities

Data controllers must:

1. Not process sensitive personal data without consent, where sensitive personal data is defined as personal data that:
   • Reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, or
   • Is genetic or biometric data processed for the purpose of uniquely identifying a natural person, or
   • Is of a known child, or
   • Is precise geolocation data.
2. Provide a privacy notice that is reasonably accessible, clear, meaningful, and contain specific information, such as the categories of personal data processed; the purpose of processing personal data; how consumers can exercise their consumer rights (including methods that take into account the ways consumers normally interact with the controller); the categories of personal data shared with third parties (if any); the categories of third parties (if any) with whom the controller shares personal data.
3. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes in which the personal data was disclosed.
4. Not process personal data for purposes that are not reasonably necessary or compatible with the reasons for which the consumer disclosed the personal data (unless consent obtained from the consumer).
5. Clearly and conspicuously disclose any targeted advertising that uses personal data, as well as how a consumer can opt out.
6. Establish, implement, and maintain reasonable administrative, technical and physical security practices to protect personal data collected.
7. Not process personal data in a way that discriminates against consumers in violation of state and federal laws.
8. Conduct data protection assessments when processing sensitive personal data, processing targeting advertising, selling personal data, processing personal data for the purposes of profiling with a risk of harming the consumer, or any processing with a heightened risk of harm to consumers.

Processors

The VCPDA requires a contract between a controller and a processor that contains specific provisions, such as setting forth what personal data is to be processed, instructions about how the data will be processed, and the duration of processing. In addition, the contract also must require the processor to ensure that each person processing personal data (e.g., subcontractors, vendors, and agents) for the processor be subject to a duty of confidentiality and return or delete personal data once the contract has been fulfilled.

If there is confusion about whether a party is a controller or processor, the VCPDA provides that a “fact-based determination that depends upon the context in which personal data is to be processed” should be used. If one party adheres to the instructions of a controller, then such party remains a “processor”.

Investigations and Enforcement

The Virginia Attorney General will have the power to conduct civil investigations and enforce the provisions of this act. Notably, controllers have 30 days after the Attorney General notifies them of violations to cure these defects; however, continued violations may result in civil penalties of up to $7,500 for each violation plus expenses.