
Virginia Enacts 2nd Consumer Data Protection Act in the U.S.

Jamie Bordas – Bordas and Bordas Attorneys, PLLC – https://bordaslaw.com/

On March 2, 2021, the Commonwealth of Virginia enacted the Virginia Consumer Data Protection Act (CDPA), establishing a framework for controlling and processing consumer data in the state. Following the California Consumer Privacy Act (CCPA) of 2018, the new law makes Virginia the second state to enact comprehensive privacy legislation and to grant consumers rights concerning how businesses use personal information and data. The law will take effect on January 1, 2023.

The enactment of the CDPA demonstrates a growing trend toward state oversight and regulation of consumer data privacy. The CDPA grants consumers several rights and outlines how companies should communicate with consumers about their business with third parties. The law overlaps with the California Consumer Privacy Act, but the CDPA has its own requirements and specifications for Virginia businesses.


Who Does the CDPA Protect and What Rights Does It Grant Consumers?

The consumers protected by the CDPA are residents of the Commonwealth, specifically those who represent themselves or their household. For consumers, the law defines their “personal data” as information that is linked to an individual. This definition does not include de-identified data or publicly available information.

The CDPA grants consumers the rights to access, correct, delete, or obtain a copy of personal information, in addition to the right to opt out of the processing of data. The processing of personal data includes targeted advertising, selling of personal information, and profiling of consumers based on collected data. Consumers are also granted the right to appeal a business’s denial to act within a reasonable time.


Who Is Subject to The Law and What Does The CDPA Require Businesses To Do?

The CDPA applies to businesses in Virginia that handle at least 100,000 consumers’ personal data, or receive over 50% gross revenue from selling personal data and handle at least 25,000 consumers’ data. In terms of exemptions, the following entities are exempted from the law:

  1. Financial institutions or financial data subject to the Gramm-Leach-Bliley Act
  2. Companies with clients in commercial or employment contexts
  3. Non-profits
  4. Institutions of higher education
  5. Entities or businesses subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act
  6. Data and information related to credit reports and vehicle driver information

The CDPA requires businesses to comply with consumer requests to invoke their rights to their data, allowing consumers to access, correct, delete, or obtain a copy of personal information and opt out of processing data. Businesses must comply with these requests within 45 days of receiving the request and may have an additional 45-day extension when deemed reasonably necessary.

In addition, the law establishes an appeal process for consumers if their request is denied, and businesses must respond to appeals within 60 days of receiving the appeal. If denied, the companies are required to give consumers notice of the denied appeal and provide them an option to submit a complaint to the Virginia Attorney General’s Office.

Furthermore, the law requires businesses to provide privacy notices of how the company uses their data, the purpose of using personal data, how consumers may invoke their rights under the CDPA, what is collected, and the third parties that share the personal information. The law further outlines additional requirements and specifications that businesses must comply with under the law.


How Does the CDPA Differ From the California Consumer Privacy Act?

Virginia is the second state to enact consumer protection and privacy legislation after the state of California enacted the California Consumer Privacy Act (CCPA) in 2018. However, the Virginia act does not have a revenue threshold, unlike the CCPA which applies to businesses with an annual gross revenue in excess of $25 million. The CDPA also doubles the number of residents’ data that must be collected or processed before the law applies to such businesses. The CCPA requires a minimum of 50,000 consumers compared to the CDPA, which requires at least 100,000 consumers. In addition, the California Consumer Privacy Act includes employee data rather than exempting it, as directed by the Virginia version of the act.

Between the two acts, the definition of “sale” is also different. The CCPA defines “sale” as means of selling, renting, releasing, or by other means, consumer data to a third party for monetary value or other compensation. As defined by the CDPA, a “sale” is simply exchanging personal data for profit to a third party. Under Virginia law, the selling of personal data is narrowly defined as an exchange for monetary consideration, while the CCPA’s broader definition includes monetary consideration or other valuable considerations.

Ultimately, the Virginia Consumer Data Protection Act is a part of state efforts to implement oversight and regulations of how companies control and use consumer data. While this act is the second of its kind, the CDPA is not identical to the California law. As concerns grow over data privacy and multiple states seek legislation, comprehensive consumer data privacy policy will continue to impact consumers and businesses across the United States. Until other states pass legislation and the law goes into effect, it is important that businesses and companies understand these laws and how they will impact their business moving forward. 
