Meet the CDPA: Virginia’s New Data Privacy Law

The push for states to create their own data privacy laws gained momentum as the Virginia Consumer Data Protection Act (CDPA) was signed into law by Governor Ralph Northam on March 3, 2021. Strongly influenced by the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the CDPA is a major piece of privacy legislation that also differs from both of those laws in a number of ways.

The CDPA goes into effect on January 1, 2023, giving businesses some time to familiarize themselves with their new legal responsibilities under the state law and decide on a compliance strategy. Here is a brief introduction to the law’s major terms and concepts.

CDPA Terminology

Though the CDPA borrows terms from the GDPR and the CCPA, it sometimes uses them in different ways. Here are some of the most important terms, as defined in the Virginia law.

Personal Data - Any information that is linked or reasonably associated to an identified or identifiable natural person; does not include de-identified data or publicly available information.

Consumer - A natural person who is a Virginia resident acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.

Controller – A natural or legal entity that determines the purpose and means of processing data. This is a familiar term from the GDPR, and analogous to a “business” under the CCPA.

Processor – Natural or legal entity that processes personal data on behalf of a controller. Similar to a CCPA “service provider,” disclosure of personal data by a controller to a processor is not considered a sale.

Processing - Any operation or set of operations performed on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

Targeted Advertising - Displaying advertisements to a consumer based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. Much like the amended CCPA’s “cross-context behavioral advertising,” this is treated in a similar manner to the selling of personal data.

What Businesses Are Covered by the CDPA?

When compared to the GDPR and CCPA, the Virginia law has a more limited scope. The CDPA applies to persons that (1) conduct business in Virginia or produce products and services that are targeted to Virginia residents, and (2) also do one of the following:

• Control or process the personal data of at least 100,000 consumers in a calendar year

• Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal information.

There is no revenue floor provision in the CDPA, in contrast with the CCPA which has an additional category for any business with gross annual revenue in excess of $25 million.

The CDPA also identifies five categories of entities that are completely exempt:

• Virginia state and local government organizations

• Financial institutions or data covered by the Gramm-Leach-Bliley Act (GLBA)

• Organizations subject to regulations under the Health Insurance Portability and Accountability Act (HIPAA) 

• Nonprofit organizations

• Institutions of higher education

There are also a number of exemptions for personal data that is processed pursuant to specified federal laws, such as HIPAA and the Fair Credit Reporting Act.

Consumers’ Personal Data Rights

The CDPA establishes five personal data rights for consumers. These should all look familiar to anyone already well-versed in the GDPR or CCPA.

1. Right to confirm whether or not a controller is processing the consumer's personal data and to access such personal data

2. Right to correct inaccuracies in the consumer's personal data

3. Right to delete personal data provided by or obtained about the consumer

4. Right to obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and readily usable format

5. Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

There is also, arguably, a sixth consumer right in the CDPA, and that is the right to non-discrimination for exercising their rights.

Businesses’ Responsibilities Under the CDPA

The CDPA creates a number of new legal responsibilities for businesses. Though we won’t set out all the requirements in exhaustive detail (especially as the CDPA might undergo some amount of alteration before it goes into effect), we can describe some of the biggest changes that companies will have to make in order to become CDPA compliant.

First, businesses have a duty of transparency toward consumers. They must provide a “reasonably accessible, clear, and meaningful privacy notice” that covers such information as what data is being collected, for what purpose, who it is shared with, and how to exercise consumer rights. If the business sells personal data or processes it for targeted advertising, they must also “clearly and conspicuously” disclose this fact and inform consumers how to opt out.

Once a business has received an authenticated privacy request from a consumer (e.g., a request to delete personal data), businesses have 45 days to comply. This can be extended for another 45 days when reasonably necessary.

There are also some minimization requirements when it comes to collecting and using personal data. Businesses must limit personal data collection to what is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” They must also not process personal data “for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed,” unless they get the consumer’s consent.

Businesses must implement and maintain reasonable administrative, technical, and physical data security practices. What is considered reasonable will depend on the volume and nature of the personal data involved.

They cannot process “sensitive data” without first obtaining the consumer’s affirmative consent, or verified parental consent in the case of children under the age of 13. Sensitive data is defined as:

• Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status

• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person

• The personal data collected from a known child

• Precise geolocation data

The last major requirement under the CDPA is that businesses must conduct and document “data protection assessments” for certain types of data practices, including the processing of personal data for targeted advertising, the processing of sensitive data, and any processing activities that present a heightened risk of harm to consumers. Data protection assessments must weigh the benefits and potential risks of these practices, consider the use of deidentified data, and more. These assessments are not public, but must be made available to the Virginia Attorney General upon request.

Businesses believed to be in non-compliance with the CDPA will receive a 30-day cure notice from the Attorney General’s office. If the business fixes any issues within that period, no further action is taken. If not, the Attorney General may seek an injunction and civil penalties of up to $7,500 per violation.

Key Differences Between the CDPA and CCPA

While the CDPA bears a strong resemblance to California’s CCPA, the two laws are not identical. Here are some of the most important differences that will affect both businesses and consumers.

Employment-Related Data

Personal information from employees and job applicants is currently exempt from privacy requests under the CCPA, but businesses must disclose what information they are collecting and for what purpose. The exemption is temporary, which the California Privacy Rights Act (CPRA) extended until January 1, 2023. It is not clear whether it will be renewed, made permanent, or allowed to expire.

The CDPA, however, defines a consumer as someone acting in an individual or household context, not in an employment or commercial context. It also exempts personal data collected from job applicants. This means companies have neither a duty to disclose nor a duty to comply with privacy requests with regard to employees, applicants, and anyone acting in a business capacity. These exemptions are permanent.

Sensitive Data

Both the CDPA and the CCPA (as amended by the CPRA) give consumers additional control over sensitive data, but each handles the issue a little differently. The CCPA defines sensitive personal information somewhat more broadly, and gives consumers the right to opt out of any use of that information beyond what is necessary.

While the CDPA categories of sensitive data are a little narrower, the Virginia law requires consumers’ affirmative consent before any processing, including collection. Once they have the consumer’s consent, however, this data is treated like all other personal information; i.e., there are no special opt-out rights in the CDPA for sensitive data.

"Do Not Sell" Links

The CCPA requires any business that sells consumers’ personal information to include a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their homepage. (The CPRA adds “or Share,” to match its updated language.) This requirement is one of the more unpopular provisions in the CCPA for businesses due to worry about its negative effect on their brand.

It is not yet clear if the CDPA requires something like a “Do Not Sell” link. The statute doesn’t explicitly mention them, but it does state that if a business sells personal data or uses it for targeted advertising, it must “clearly and conspicuously” disclose this fact and inform consumers how to opt out. Future regulations hopefully will clarify how to comply with this requirement.

Private Right of Action

The CCPA does not create a private right of action for violations of consumers’ privacy rights, but it does create one in the event of a data breach where business failed to implement and maintain reasonable security procedures. The inclusion of statutory damages of up to $750 per consumer will likely lead to class-action lawsuits in the future.

While the CDPA imposes similar cybersecurity obligations on businesses, it does not create any private right of action. Enforcement is left entirely to the Virginia Attorney General.

What's Next for Businesses?

The arrival of the CDPA signals strongly that data privacy laws will be a permanent addition to the U.S. legal landscape. Businesses that were not affected by the CCPA or GDPR but now fall under the CDPA’s requirements are likely now  wondering what their next steps should be.

The new law does not take effect until January 1, 2023. It is also possible there will be alterations to the law before that date. The CDPA calls for the formation of a work group, composed of state officials, business representatives, and consumer rights advocates, that will study the law and make recommendations regarding its implementation to the state senate by November 2021. These findings could inform future regulations and even changes to the statute.

That does not mean businesses should wait until 2023 to begin forming a strategy. Becoming compliant with data privacy laws can be a lengthy process, sometimes requiring significant changes to daily operations. Fortunately for businesses that are already compliant with the CCPA and/or GDPR, CDPA compliance should not be a major undertaking. Those companies should be able to modify their existing compliance program to match Virginia’s specific requirements.

For now, the race is on to see which state will be next to pass their own new privacy law.