On Tuesday night, Virginia Governor Ralph Northam signed into law the country’s second comprehensive state privacy bill. Virginia’s Consumer Data Protection Act (CDPA) will come into effect on January 1, 2023, on the same day that the California Privacy Rights Act (CPRA) amendments will take effect. The CDPA will require businesses to yet again coordinate their compliance efforts with growing obligations under dynamic domestic and international privacy law developments.
Although similar in form to the California Consumer Privacy Act (CCPA), the CDPA provides Virginia consumers with rights that extend beyond those granted to California consumers and imposes GDPR-like requirements on both controllers of personal data and the processors who provide services on their behalf.
1 – Expansion of Consumer Rights
In addition to access and deletion rights, the CDPA grants consumers a right to correct inaccurate personal information. The Act also gives consumers the right to opt out of: (i) the use of their data for certain forms of targeted advertising, (ii) “profiling” in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, and (iii) the “sale” of their data, which is defined more narrowly than in the CCPA.
2 – Opt-in Requirements for Processing Sensitive Data
The CDPA also includes new requirements not found in the CPRA/CCPA, such as requiring opt-in consent to process sensitive data. The law borrows from GDPR standards to require “freely given, specific, informed, and unambiguous” consent for controllers to collect or process “sensitive data,” which includes sexual orientation, citizenship or immigration status, genetic and biometric data processed for the purpose of uniquely identifying a natural person, and precise geolocation data (accuracy within a radius of 1,750 feet). The CDPA’s exceptions to this consent requirement are arguably narrower than the GDPR’s.
3 – Increased Responsibilities for Controllers
Controllers face increased responsibilities under the CDPA. Like the CCPA, the CDPA requires that controllers provide privacy notices that contain information such as the categories of personal data shared with third parties, the categories of third parties with whom consumers’ personal data is shared, and categories of personal data processed by the controller. But the CDPA also requires controllers to “clearly and conspicuously disclose” if they process personal data for targeted advertising and to provide a process to appeal the denial of a consumer’s request to exercise their CDPA rights.
Controllers must conduct data protection assessments for certain processing activities, including the processing of sensitive data, the sale of personal data, and the use of personal data for targeted advertising or profiling. These assessments must identify and weigh the benefits of the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of consumers associated with such processing. Helpfully, data protection assessments conducted for compliance with other laws, such as the GDPR, may satisfy the CDPA’s requirement where they have a reasonably comparable scope and effect.
4 – Increased Responsibilities for Processors
The CDPA also imposes some duties directly onto processors, such as ensuring that their employees and others who process personal data on their behalf are subject to obligations of confidentiality. Processors must also assist controllers in meeting their obligations to consumers, provide controllers with data necessary for controllers to perform their data protection assessment requirements, and allow for periodic audits of processors’ policies and practices.
The CDPA requires contracts between controllers and processors to include provisions similar to those required by the GDPR. Contracts with processors must contain more provisions than what the CCPA requires – including a requirement that processors return or delete all personal data upon termination of the services, at the controller’s discretion. Processors, in turn, would also be responsible for having such contracts in place with sub-processors.
5 – No Private Right of Action
While the CCPA contains a limited private right of action for certain data breaches, the CDPA contains no private right of action. Instead, all suits must be brought by the Virginia Attorney General, rather than directly by consumers. Both controllers and processors that are found to have violated a provision of the Act are subject to an injunction or penalties of up to $7,500 per violation.
Notably, many of the CDPA’s provisions are similar to provisions in the Washington Privacy Act (SB 5062), which is currently pending in the Washington legislature. Meanwhile, many, if not most, states are considering consumer privacy legislation of their own in 2021. Compounded with growing data protection obligations internationally, this wave of recent privacy bills introduced at the state level may galvanize Congress to move faster on federal privacy legislation, which could help ease business compliance efforts.