By John Babione, Kurt Hunt and Matt Diaz, Dinsmore & Shohl LLP
On March 2, 2021, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA or law) into law. This makes Virginia the second state, behind California, to adopt a comprehensive consumer data privacy law.
Like the California Privacy Rights Act (CPRA) and EU General Data Protection Regulation (GDPR), the CDPA creates a number of privacy obligations for businesses and gives Virginia consumers more control over their personal data. The CDPA takes effect on Jan. 1, 2023, but companies should begin evaluating their obligations now to ensure they have sufficient time to comply. This would certainly include Indiana-based companies that conduct business online or may otherwise collect data from anyone in Virginia. Below is a breakdown of key provisions within the CDPA.
Scope of the CDPA and Exemptions
To fall within the scope of the CDPA, a business must (1) conduct business in Virginia or produce products or services that are targeted to Virginia consumers, and (2) meet one of the following requirements:
- During a calendar year, control or process personal data of at least 100,000 consumers; or
- Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
Notably, unlike the CPRA, the CDPA has no revenue threshold for a business to qualify as a CDPA-covered business. In addition, the CDPA expressly exempts the following entities:
- Virginia public entities;
- GLBA-covered entities;
- HIPAA-covered entities;
- Nonprofit organizations; and
- Higher education institutions.
As a result, businesses should expect the CDPA to apply quite broadly. Even if your business is not subject to the latest California privacy laws, you should evaluate whether the CDPA applies.
Despite the general breadth of the CDPA’s applicability, several types of data are expressly exempted from the scope of the law. In total, the CDPA sets out 14 exemptions, including:
- Employer Data, including data maintained in the course of an individual being employed by a business, as emergency contact information, or to administer benefits;
- Protected Health Information under HIPAA;
- Data regulated under the federal Family Educational Rights and Privacy Act; and
- Various other health-related data under various regulatory frameworks.
Data Processing Obligations
The CDPA sets out numerous obligations for businesses processing personal data. These obligations include:
- Data Minimization: Businesses must limit the collection of personal data to “what is adequate, relevant, and reasonably necessary” in relation to the purpose for the data processing;
- Security Controls: Businesses must establish, implement, and maintain “reasonable administrative, technical, and physical data security practices” to protect the confidentiality of personal data;
- Data Protection Assessments: Businesses must conduct data protection assessments (DPAs) to evaluate the risks associated with the following data processing activities:
  - The sale of personal data;
  - When processing sensitive personal data;
  - When processing personal data for targeted marketing purposes;
  - When processing personal data for profiling purposes; and
  - Instances where processing presents a heightened risk of harm to consumers.
Data Processing Agreements
Like the CPRA and GDPR, the CDPA requires businesses (i.e., data controllers) to execute written agreements with third-party vendors (i.e., data processors) to outline the scope of data processing. These agreements are generally called data processing agreements and can be either standalone agreements or addenda to existing agreements. The CDPA requires that the following items be included in a data processing agreement:
- Set out instructions for: (1) processing data, (2) the nature and purpose of processing, (3) the type of data being processed, (4) the duration of processing, and (5) the rights and obligations of both parties;
- An express indication of which party is the data controller and data processor;
- Require the data processor to adhere to the following obligations:
  - Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  - At the data controller’s direction, delete or return all personal data upon termination of the agreement;
  - Upon the data controller’s reasonable request, make available all information in its possession necessary to demonstrate the data processor’s compliance with the CDPA;
  - Upon the data controller’s reasonable request, cooperate with audits of the data processor’s data security practices;
  - Require that sub-processors retained by the data processor adhere to the obligations set out in the data processing agreement;
  - Maintain appropriate technical and organizational measures to assist the data controller in fulfilling its obligations to respond to consumer rights requests;
  - Maintain reasonable administrative, technical, and physical data security controls to protect personal data; and
  - Assist the data controller in fulfilling its obligations in the event of a data breach.
Transparency and Privacy Policies
The CDPA requires businesses to provide consumers with a privacy policy that discloses:
- The categories of personal data processed;
- The purpose for processing personal data;
- A description of how consumers may exercise their consumer rights;
- The categories of personal data that the business shares with third parties; and
- The categories of third parties with whom the business shares personal data.
The CDPA further requires businesses that sell personal data or process personal data for targeted marketing purposes to “clearly and conspicuously” provide a mechanism to opt out of such sales or marketing. This requirement is similar to the “Do Not Sell My Information” requirement in the CPRA.
Consumer Privacy Rights
In what has become a global privacy trend, the CDPA enumerates six privacy rights for Virginia consumers. These rights include the:
- Right to Access;
- Right to Rectification;
- Right to Deletion;
- Right to Data Portability;
- Right to Object to Data Processing; and
- Right to be Free from Discrimination.
In addition, the CDPA sets out strict timelines for when businesses must respond to consumers exercising their privacy rights. As under the CPRA, businesses have 45 days to respond to consumer requests and can extend this period by one additional 45-day period when reasonably necessary.
Enforcement and Remedies
Although consumers have no private right of action, the CDPA designates the Virginia attorney general (Virginia AG) as the chief enforcer of the CDPA and grants the Virginia AG the authority to bring civil actions against businesses for violations of the CDPA. However, before the Virginia AG can initiate an action, businesses in violation of the CDPA have a 30-day period to cure the violation. If a business certifies that an alleged violation has been cured, the Virginia AG will not bring an action for statutory damages. Violations of the CDPA can result in fines as high as $7,500 per violation.
With the effective date of the CDPA two years away, businesses should start evaluating their current data processing activities and begin developing a compliance program for the CDPA, CPRA, and other consumer privacy laws likely to be enacted this year. Businesses currently working toward or already in compliance with the CPRA or GDPR should feel well positioned to seamlessly expand the scope of their compliance efforts to include the CDPA.
If you would like to submit content or write an article for the E-Discovery, Information Governance & Cybersecurity Section, please email Kara Sikorski at firstname.lastname@example.org.