Virginia Second State to Enact Far-Reaching Consumer Privacy Law

Virginia Consumer Data Protection Act (“the Act”) Signed Into Law With Overwhelming Bi-partisan Support

On March 2, 2021, Virginia Governor Ralph Northam (D) signed the Virginia Consumer Data Protection Act (“the Act”) into law.  The Act, which takes effect on January 1, 2023, is the second state comprehensive consumer data privacy law enacted in the United States after the California Consumer Privacy Act of 2018 (CCPA), now amended by the Consumer Privacy Rights Act (CPRA) passed by way of referendum in November 2020.  The Act received extensive bipartisan support and passed the Virginia State Senate unanimously.  Similar legislation is currently pending in multiple states including New York, Florida, and Oklahoma. 

Key Provisions

Data Types Covered

The Act covers “personal data” of consumers, defined as “any information linked or linkable” to a natural person who can be readily identified, directly or indirectly, excluding public information.[1]  This invites arguments that the information is not readily linkable to a person, or that the information has been made public by the consumer, for example, by visiting websites or online commercial activities.  “De-identified information”, defined as information that cannot reasonably be linked to an identified or identifiable person, is likewise excluded.[2]

Who Does It Cover?

The Act covers “consumers” defined as natural persons residing in Virginia, acting in an individual or household context.[3]  The Act does not apply to any data collected in the course of an individual’s employment or work as an independent contractor, data collected from job applicants, or data collected for administration of employee benefits, or employees’ emergency contact information.[4]

Who Must Comply With the Act?

The Act applies to entities and individuals that:

1. have a certain nexus to, or physical presence in, the Commonwealth of Virginia, i.e.,
   1. conduct business in Virginia; or, alternatively,
   2. produce products or services targeted to Virginia residents
2. and either:
   1. “control or process personal data of at least 100,000 consumers” in a single year; or,
   2. “control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.”[5]

The Act defines a “controller” as a person or entity that “determines the purpose and means of processing personal data”.[6]  This definition is intended to apply to entities meeting such criteria, regardless of whether or not they have any physical presence in Virginia.

The Act does not cover nonprofit organizations and institutions of higher education, and exempts regulated entities subject to, among others, sector-specific federal privacy laws such as HIPAA, GLBA, or FCRA.[7] 

Notice and Fair Processing Obligations for Controllers

The Act requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice, disclosing, among other things, the purposes for processing each category of personal data collected by the controller and information as to how to how to exercise consumer rights.[8]  

Moreover, it imposes certain automatic limitations on controllers with respect to the scope and manner of data processing activities.  It requires controllers to limit the collection of personal data to data that is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” and not process personal data for purposes “neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer” without a consumer’s consent.[9]

Consumer Rights

The Act requires a “controller” to comply within 45 days and without undue delay with an authenticated consumer request to exercise the right to

1. confirm if it is processing the consumer’s personal data and access such data;
2. correct inaccuracies of such data;
3. delete personal data provided by or obtained about the consumer; 
4. obtain a copy of the personal data the consumer previously provided to the controller; and,
5. opt out of processing of personal data for the purposes of:
   1. targeted advertising,
   2. the sale of personal data, or,
   3. certain profiling activities. [10]

Contracts waiving these rights are unenforceable as a matter of public policy discrimination against consumers who exercise any such rights.[11] 

Processing of Sensitive Data

The act prohibits the processing of “sensitive data” without a consumer’s prior express consent and defines “sensitive data” as:

1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
3. Personal data collected from a child known to be under the age of 13; or
4. Precise geolocation data.[12]

Security Requirements                          

The Act requires controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” to protect personal data that are “appropriate to the volume and nature of the personal data at issue.”[13] The Act also requires controllers to conduct and document data protection assessments of processing activities involving personal data.[14]  Unlike the New York SHIELD Act, a comprehensive state data security statute that took effect on March 21, 2020, the Act does not provide any further guidance regarding what constitutes such reasonable practices.

Enforcement

The Act is exclusively enforceable by the Virginia Attorney General and does not include a private right of action for any violations unlike CCPA, which includes a private right of action for certain violations.[15]