The Virginia House of Delegates and Senate have passed legislation known as the Virginia Consumer Data Protection Act (CDPA). The personal data act is expected to reach the desk of Virginia Governor Ralph Northam, who may sign the legislation by as early as the end of February of 2021. The CDPA is modeled on the California Consumer Privacy Act (CCPA), California’s expansive consumer data privacy protection law, and the European General Data Protection Regulation (GDPR). Details of the Consumer Data Protection Act are provided below.
Virginia Consumer Data Protection Act
The Consumer Data Protection Act is intended to serve as a comprehensive data protection law for Virginia residents. The CDPA, like the CCPA and the GDPR, gives consumers the following rights:
- Expanded consumer rights to access, correct, delete and obtain a copy of personal data that is provided to or collected by a company.
- The act gives the right to “opt out” of the processing of personal data for purposes of targeted advertising, sale, or profiling of that data.
The bill also expands Virginia’s definition of “personal data.” Personal data is now defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The act expands the definition of personal data to include “sensitive data.” Sensitive data includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- The personal data collected from a known child; or
- Precise geolocation data.
To be covered by the CDPA, a person or entity must conduct business in Virginia, or produce products or services that are targeted to residents of the state. In addition, the entity or business must:
- During a calendar year, control or process personal data of at least 100,000 consumers; or
- Control or process the personal data of at least 25,000 consumers AND derive over 50 percent of gross revenue from the sale of personal data.
Under the CDPA, a data controller is a person that, alone or jointly with others, determines the purpose and means of processing personal data. “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. A “processor” is an entity that processes personal data on behalf of a controller.
The Consumer Data Protection Act seeks to regulate controllers by requiring controllers to (among other things):
- Limit the use of personal data to the purpose for which it was collected;
- Implement reasonable data protection safeguards;
- Establish a clear privacy policy;
- Disclose the sale of personal data for advertising purposes to consumers; and
- Provide a simple mechanism to opt out of the sale of personal data.
The CDPA also requires processors to adhere to the instructions of the controller, and requires controllers and processors to have a data processing agreement in place. HIPAA protected health information is not considered “personal data” under the CDPA.
Entities who violate the Consumer Data Protection Act are subject to being fined by the Virginia Attorney General, after being given 30 days to cure infractions. The Attorney General may seek damages of up to $7,500 per violation.
