What Is the Virginia CDPA?
In 2021, Virginia passed the Consumer Data Protection Act (CDPA), becoming the second U.S. state to enact a comprehensive data privacy law. Strongly influenced by the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the CDPA is a major piece of privacy legislation that also differs from both of those laws in a number of ways.
The CDPA goes into effect on January 1, 2023, giving businesses some time to familiarize themselves with their new legal responsibilities under the state law and decide on a compliance strategy. Here is a summary of the law’s major terms and concepts.
CDPA Terminology
Though the CDPA borrows terms from the GDPR and the CCPA, it sometimes uses them in different ways. Here are some of the most important terms, as defined in the Virginia law.
Personal Data - Any information that is linked or reasonably associated to an identified or identifiable natural person; does not include de-identified data or publicly available information.
Consumer - A natural person who is a Virginia resident acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
Controller – A natural or legal entity that determines the purpose and means of processing data. This is a familiar term from the GDPR, and analogous to a “business” under the CCPA.
Processor – Natural or legal entity that processes personal data on behalf of a controller. Similar to a CCPA “service provider,” disclosure of personal data by a controller to a processor is not considered a sale.
Processing - Any operation or set of operations performed on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Targeted Advertising - Displaying advertisements to a consumer based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. Much like the amended CCPA’s “cross-context behavioral advertising,” this is treated in a similar manner to the selling of personal data.
Consumers’ Personal Data Rights
The CDPA establishes five personal data rights for consumers. These should all look familiar to anyone already well-versed in the GDPR or CCPA.
- Right to confirm whether or not a controller is processing the consumer's personal data and to access such personal data
- Right to correct inaccuracies in the consumer's personal data
- Right to delete personal data provided by or obtained about the consumer
- Right to obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and readily usable format
- Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
There is also, arguably, a sixth consumer right in the CDPA, and that is the right to non-discrimination for exercising their rights.
Businesses’ Responsibilities Under The CDPA
The CDPA creates a number of new legal responsibilities for businesses. Though we won’t set out all the requirements in exhaustive detail, we can describe some of the biggest changes that companies will have to make in order to become CDPA compliant.
First, businesses have a duty of transparency toward consumers. They must provide a “reasonably accessible, clear, and meaningful privacy notice” that covers such information as what data is being collected, for what purpose, who it is shared with, and how to exercise consumer rights. If the business sells personal data or processes it for targeted advertising, they must also “clearly and conspicuously” disclose this fact and inform consumers how to opt out.
Once a business has received an authenticated privacy request from a consumer (e.g., a request to delete personal data), businesses have 45 days to comply. This can be extended for another 45 days when reasonably necessary.
There are also some minimization requirements when it comes to collecting and using personal data. Businesses must limit personal data collection to what is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” They must also not process personal data “for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed,” unless they get the consumer’s consent.
Businesses must implement and maintain reasonable administrative, technical, and physical data security practices. What is considered reasonable will depend on the volume and nature of the personal data involved.
They cannot process “sensitive data” without first obtaining the consumer’s affirmative consent, or verified parental consent in the case of children under the age of 13. Sensitive data is defined as:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
- The personal data collected from a known child
- Precise geolocation data
The last major requirement under the CDPA is that businesses must conduct and document “data protection assessments” for certain types of data practices, including the processing of personal data for targeted advertising, the processing of sensitive data, and any processing activities that present a heightened risk of harm to consumers. Data protection assessments must weigh the benefits and potential risks of these practices, consider the use of deidentified data, and more. These assessments are not public, but must be made available to the Virginia Attorney General upon request.
Businesses believed to be in non-compliance with the CDPA will receive a 30-day cure notice from the Attorney General’s office. If the business fixes any issues within that period, no further action is taken. If not, the Attorney General may seek an injunction and civil penalties of up to $7,500 per violation.
Key Differences Between The CDPA And CCPA
While the CDPA bears a strong resemblance to California’s CCPA, the two laws are not identical. Here are some of the most important differences that will affect both businesses and consumers.
Employment-Related Data
Personal information from employees and job applicants is currently exempt from privacy requests under the CCPA, but businesses must disclose what information they are collecting and for what purpose. The exemption is temporary, which the California Privacy Rights Act (CPRA) extended until January 1, 2023. It is not clear whether it will be renewed, made permanent, or allowed to expire.
The CDPA, however, defines a consumer as someone acting in an individual or household context, not in an employment or commercial context. It also exempts personal data collected from job applicants. This means companies have neither a duty to disclose nor a duty to comply with privacy requests with regard to employees, applicants, and anyone acting in a B2B capacity. These exemptions are permanent.
Sensitive Data
Both the CDPA and the CCPA give consumers additional control over sensitive data, but each handles the issue a little differently. The CCPA defines sensitive personal information somewhat more broadly, and gives consumers the right to opt out of any use of that information beyond what is necessary.
While the CDPA categories of sensitive data are a little narrower, the Virginia law requires consumers’ affirmative consent before any processing, including collection. Once they have the consumer’s consent, however, this data is treated like all other personal information; i.e., there are no special opt-out rights in the CDPA for sensitive data.
"Do Not Sell" Links
The CCPA requires any business that sells consumers’ personal information to include a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their homepage. This requirement is one of the more unpopular provisions in the CCPA for businesses, due to worry about its negative effect on their brand.
It is not yet clear if the CDPA requires something like a “Do Not Sell” link. The statute doesn’t explicitly mention them, but it does state that if a business sells personal data or uses it for targeted advertising, it must “clearly and conspicuously” disclose this fact and inform consumers how to opt out.
Private Right of Action
The CCPA does not create a private right of action for violations of consumers’ privacy rights, but it does create one in the event of a data breach where business failed to implement and maintain reasonable security procedures. The inclusion of statutory damages of up to $750 per consumer has already led to class-action lawsuits.
While the CDPA imposes similar cybersecurity obligations on businesses, it does not create any private right of action. Enforcement is left entirely to the Virginia Attorney General.