As of the official bill passage on February 3rd, Virginia is now set to become the second state to pass a broad, state-specific privacy law. For years, states and companies in the United States have been subject only to sector-specific laws such as HIPAA (the Health Insurance Portability and Accountability Act) for health-related personal data or the GLBA (Gramm-Leach-Bliley Act) for financial personal data. However, the U.S. has never implemented a comprehensive national law governing the handling of all private data, which has inspired certain states to create their own state-specific laws addressing the gap they feel exists in this area.
Inspiration Behind CDPA
In November 2020, California voters approved the creation and eventual establishment of the California Privacy Rights Act (CPRA), which will expand the CCPA, the California Consumer Privacy Act. The CCPA was the first state-specific data privacy law to be passed and is also the first to be significantly expanded.
The existing CCPA, the impending CPRA, and now the upcoming CDPA all take inspiration from the GDPR, a strict, broad personal data protection law that is in effect across the European Union. Not all of these laws borrow the same applicability, exclusions, or requirements from one another. However, each of them addresses the growing opinion that data on a broader scale than just health or financial information should be protected by the respective legislature. It is very likely that these laws are only the first of many of their kind that we will see over time.
Timeline to Date
On February 3rd, 2021, the Virginia Senate passed the Virginia Consumer Data Protection Act (CDPA). This privacy law was originally passed by the state’s House of Delegates on January 29th, and the state legislature now has until February 11th to reconcile the two versions into a final bill, although this should be a formality in this case. Once that has been completed, the bill will need the signature of the governor of Virginia before it can officially be signed into law. The Virginia Consumer Data Protection Act won’t go into effect until January 1st, 2023, which is the same day the bolstered California privacy law also goes into effect.
The Virginia CDPA takes aspects from the CPRA, the CCPA, and the GDPR, and it also has some aspects that differ from all three of these earlier data laws. Although this law has the potential to change before it goes into effect, we will share the important details and answer pressing questions you may have about the bill as it stands now.
Who would it apply to?
The CDPA would apply both to businesses that are Virginia-based and to those that are headquartered elsewhere but market and sell to residents of Virginia. However, it would only apply to organizations that work with the personal data of at least 100,000 individuals per year, so it would likely not affect small businesses.
There are, however, a few caveats and exceptions to this. First, if a company makes 50% or more of its revenue through the sale of consumer data, the threshold drops from 100,000 individuals to 25,000. Second, this bill does not apply to nonprofit organizations, universities, or government agencies. Lastly, any organization that already has to comply with either the GLBA or HIPAA for its data management does not need to comply with the Virginia CDPA. Although the other laws also have their own sets of exemptions, the CDPA’s HIPAA and GLBA exemptions are broader than those of the other two.
What does the bill require of the companies?
- Responding to Consumer Data Requests
One of the requirements placed on companies under the Virginia CDPA is that they must respond to all consumer requests within 45 days and, as applicable:
- Let the individual know if the company stores or processes their personal data
- Correct any and all mistakes in data as necessary
- Delete their personal data if requested
- Send a copy of the personal data to that individual
- Opt the individual out of the company’s use or sale of their personal data for advertising purposes, without discriminating against them for doing so
There are a few exceptions to these data request requirements, such as the company’s ability to request 45 additional days to complete an inquiry, or even to refuse to fulfill the request if there is a valid justification for that refusal. If a request is denied, the company must provide the individual with the process for appealing that decision should they choose to. Companies must fulfill these steps at no charge to the person requesting, up to 2 times per year, but may charge a reasonable fee beyond those 2 requests.
Companies must also list the categories of data that they process and share with other organizations (including the variety of third parties with which they share, or from which they receive, this information). They must also clearly state their purpose in accessing the information that they do, including details on how individuals can contact the company if they want to submit a request to receive a copy of their data, opt out of its use in advertising, or have the company delete their data entirely.
- Conduct Assessment of Data Security
Within the language of the bill, it is stated that all companies are required to conduct a “data protection assessment” and document all findings regarding how the organization processes, stores, or uses this personal data. These assessments are to be conducted before the company begins any activity that may “present a heightened risk of harm to consumers” through the use of their sensitive data.
In the event of an investigation by the Virginia Attorney General, a copy of this data protection assessment will be requested in order to prove the company’s compliance. The assessment should analyze the benefits of the processing the organization is undertaking and weigh them against the risks it creates for consumers. Just as with liability under Business Associate Agreements under HIPAA, primary organizations are not responsible for the actions taken by the third parties that access their data.
The CDPA will be enforced by the Virginia Attorney General, who can impose fines and file suits against organizations found in violation of its requirements. Unlike under HIPAA, many of the settlements reached under the CDPA will not arise from individual complaints.
If a violation is found, the Attorney General will give the organization at fault 30 days’ written notice of the violation. If, within those 30 days, the company resolves the issue and commits to eliminating the chance of any future violations, it will not receive a fine.
Alternatively, if the situation is not resolved within the 30-day period, the Attorney General has the authority to levy a fine of up to $7,500 per violation, with the fine amount being directed toward the investigation of future CDPA violations.
What are the Key Similarities and Differences between the CDPA and the GDPR or CCPA?
As we mentioned above, Virginia’s CDPA takes some inspiration from both the European Union’s GDPR and the California Consumer Privacy Act. There are certainly some clear similarities and differences between these three key laws, which are setting the scene for upcoming privacy law changes.
Here are the Similarities:
All three of these privacy laws provide consumers with the right to find out what information companies hold on them and, from there, to ask them either not to sell that data or to delete it. These laws also share similar scopes in terms of applicability for their respective jurisdictions: each applies to organizations headquartered in that location or doing business with consumers from that place. One final but important similarity is that companies are protected from lawsuits brought directly by an individual; instead, under the state-specific bills, the state Attorney General must file each suit following a complaint.
Here are the Differences:
The CDPA offers more exclusions in terms of applicability than either the CCPA or the GDPR, since it provides institution-based exemptions for certain groups that collect or manage data rather than only exempting the data itself. Another difference is the clarity of the language defining the “sale” of information in the CDPA, versus the broader, vaguer definition found in the CCPA. The Virginia bill makes it clear that only exchanges in which monetary compensation is traded for personal data will be considered a sale.