Virginia's Consumer Data Protection Act: Not Quite The CCPA

Lewis Brisbois Bisgaard & Smith LLP

Founded in 1979 by seven lawyers from a premier Los Angeles firm, Lewis Brisbois has grown to include nearly 1,400 attorneys in 50 offices in 27 states, and dedicates itself to more than 40 legal practice areas for clients of all sizes in every major industry.

Though it seems Virginia is following California's lead by becoming the second state with its own comprehensive data privacy legislation, Virginia's Consumer Data Protection Act (CDPA) diverges from the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) in that it is far more business-friendly and does not have the “teeth” that the CCPA does. 

The Virginia House of Delegates adopted the CDPA, HB 2307, on January 29, 2021, and the Virginia Senate approved an identical companion bill, SB 1392, on February 5. The General Assembly voted to send the CDPA to Governor Ralph Northam, who is expected to sign the bill into law. The new legislation would take effect on January 1, 2023.

What the CDPA Means for Businesses

The CDPA applies to persons that conduct business in, or produce products or services that are targeted to residents of, the Commonwealth, and that (i) during a calendar year, control or process personal data of at least 100,000 consumers; or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Critics note that the CDPA's carve-outs are broader than those of the CCPA and CPRA: a number of notable exemptions apply to both data and covered businesses. For instance, not only is there an exemption for personal health information (PHI) collected and/or used pursuant to HIPAA and other healthcare statutes, but covered entities and business associates subject to HIPAA are also entirely exempt. There are exceptions for data regulated by the Fair Credit Reporting Act, Driver's Privacy Protection Act, Family Educational Rights and Privacy Act, and Farm Credit Act, as well as for financial institutions subject to the Gramm-Leach-Bliley Act, non-profit organizations, higher education institutions, and government agencies.

Data controllers are required to respond to consumer rights requests within 45 days of receipt, with one 45-day extension period allowed when “reasonably necessary.” The CDPA allows limited exceptions to a controller's obligation to respond to a consumer rights request, including instances when complying with the request would be unreasonably burdensome and the controller neither sells personal data nor voluntarily discloses it to a third party other than a processor.

The CDPA will also impose strict requirements on how businesses obtain consent from consumers before processing “sensitive data.” “Sensitive data” is defined as (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, (ii) personal data collected from a child, (iii) genetic or biometric data, or (iv) precise geolocation data.

Virginia borrowed this stricter standard from the European Union's General Data Protection Regulation, requiring businesses to obtain affirmative consent as opposed to the opt-out rights written into California's CCPA and CPRA. Accordingly, businesses should be prepared to organize compliance programs to ensure consent is obtained before any sensitive data is collected and processed.

What the CDPA Means for Individuals

Under the CDPA, consumers would have the right to access, correct, obtain a copy of, and request the deletion of personal data. Virginia residents would also be able to opt out of the sale or sharing of their personal data for monetary consideration, and out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

One core difference between the Virginia and California legislation is that Virginia's CDPA provides no private right of action for residents of the Commonwealth. The law would be enforced exclusively by the state attorney general, who can seek damages of up to $7,500 per violation. As such, Virginia residents will be limited in their ability to sue businesses for alleged violations, either in the individual or class action context, leaving enforcement entirely up to the attorney general.

“Consumer data” is also defined more narrowly in the CDPA than in the CCPA and CPRA, meaning less is protected. For instance, emergency contact information, as well as employee or applicant data used in the context of the employee's or applicant's role, is exempt.

Indeed, while Virginia's CDPA may be seen by some as strict legislation, it appears to impact businesses less than California's CCPA due to these numerous carve-outs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.