What the Virginia Consumer Data Protection Act means for your privacy program
With Governor Ralph Northam’s signature of the Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, Virginia has become the second state to enact a broad multi-rights privacy bill. The VCDPA will take effect on January 1, 2023, the same day as the California Privacy Rights Act proposition (CPRA) which amends the California Consumer Privacy Act (CCPA). The VCDPA is a somewhat simplified version of the Washington Privacy Act, which was introduced with fanfare two years ago, but whose passage remains uncertain. In contrast, the VCDPA flew through the Virginia legislature, passing by an overwhelming margin in fewer than two months. Already, privacy bills introduced and likely to receive serious consideration in several blue states – Colorado, Connecticut and Minnesota – resemble this Virginia law.
What are the implications of VCDPA for your privacy program? How does it differ from California requirements and what additional requirements will you need to implement over and above what you are doing for CPRA compliance? This analysis provides a preview of what else you will need to do to satisfy the VCDPA.
The VCDPA contains several new requirements, sectoral exemptions, and somewhat simpler definitions not found in the CCPA/CPRA, that have significant operational implications. Unlike CCPA and CPRA, the Virginia law does not provide for rulemakings. Although there will be a study of potential legislative modifications later this year, the VCDPA should largely avoid the “moving target” problem posed by the many rulemakings and versions of draft rules in California.
The VCDPA contains several new requirements that add operational challenges. These include:
- Broader affirmative consent or opt-in requirement to process sensitive personal data, unless an exemption applies. Note that although this is a feature of GDPR (Art. 9), the right applies only to child and young teenager data in CCPA/CPRA. Virginia data controllers will need to plan for consent to process sensitive data, unless they qualify for an exemption. For example, sensitive data includes the “personal data of an individual known to be a child,” which is broader than information obtained from a child.
- Broader opt-out right of processing that covers not only sales of personal data, but also targeted advertising, and profiling decisions that produce legal or similarly significant effects (which is narrower than the profiling items that require data protection assessments described below and does not match the broader processing limitations in Section 59.1-574),
- Mandatory data protection assessments for sales, targeted advertising and profiling, including profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, or “an intrusion upon the solitude or seclusion, of privacy affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person” as well as any other processing of sensitive personal data or personal data that presents a “heightened risk of harm to consumers.” These assessments must consider privacy risks, benefits and potential mitigation steps in light of the specific use case. The assessments require covered businesses to evaluate all material new data uses that meet the above criteria. These assessments can be developed under legal privilege, and the law incentivizes doing so. Although the Attorney General may obtain them by issuing a civil investigative demand, privilege is not waived when this occurs. Note that the VCDPA assessments differ significantly from GDPR Data Protection Impact Assessments, and that although CCPA does not require impact assessments, one of the CPRA rulemakings is to address them.
- Obligation to confirm processing and broader deletion requirement in the consumer's personal data (the latter, which is also in the CPRA). Confirming processing requires some degree of data retrievability. Unlike in CCPA and CPRA, the obligation to delete personal data covers personal information not only collected from, but also collected “concerning” a consumer. This appears to reach data obtained from other sources.
- Conspicuously disclosed, mandatory right of appeal process for denials of consumer rights requests. This will require not only conspicuous notice, but more importantly, changes to the automated processes many companies have implemented related to consumer requests. Affected processes must add the additional appeals step, time frame (60 days), content (written description of actions and reasons) and an additional mechanism to inform the consumer of the option to file a complaint with the Virginia Attorney General. This will likely require establishing the appeals process, as well as human review of and response to appeals that will be new for most companies just as many were moving toward a more automated process.
- Specific processor role-based requirements to provide assistance to and adhere to the controller’s instructions. While there are fewer obligations than the CPRA, there is a mandatory requirement, upon request, to demonstrate compliance with processor obligations and to cooperate with or furnish an independent assessment of the processor’s controls framework to satisfy its obligations under the VCDPA. This will likely require changes to vendor management programs and agreements.
- Different data minimization standard for controllers. The VCDPA ties its data minimization limitations to what is “disclosed” or compatible with purposes disclosed to consumers – unless consent is obtained or another exemption applies.[i] This places a greater emphasis on transparency to consumers about data uses, instead of compatibility with the original purpose of collecting the data. For this reason, controllers should consider potential uses, carefully disclose them in privacy notices, and determine operationally how to track purposes and data uses unless the controller has the ability to deliver a subsequent notice to the consumer.
Exemptions
The VCDPA contains broader sectoral exemptions than CCPA/CPRA, notably for small businesses, regulated financial institutions (not just GLBA regulated data), FERPA regulated data, HIPAA deidentified data, patient safety data, and for a broader range of clinical trials data than CCPA/CPRA.
The Virginia law also contains a somewhat broader internal operations exception, which requires reasonable alignment with consumer expectations or compatibility of the consumer’s relationship with the business, but not the CPRA condition of that uses be compatible with the context in which information was collected. This difference avoids the operational challenge of tagging state resident data based upon the context of collection in order to exclude it from other controls.
Definitions
The VCDPA has different definitions of several key terms that may make operational compliance somewhat more difficult for companies with CCPA programs. However, some but not all of these different definitions are clearer. For example:
- “Personal data” largely tracks the FTC Privacy Staff report definition of “covered information” and completely excludes employee, B2B data, deidentified data and publicly available information. “Any information that is linked to or reasonably linkable to an identified or identifiable natural person” may seem broad without the CCPA example list. On the other hand, this definition removes the words “relate to, describe” and “household”, avoiding scoping uncertainty under the CCPA (i.e., is data that “describes” an individual, but doesn’t identify her or him, still personal information?). On the other hand, what is “reasonably linkable” will vary based upon the circumstances, so your program needs to develop guidelines on its application.
Quite apart from this, the definition provides certainty that only consumer data must be subject to your VCDPA privacy program, which makes scoping simpler than under the CCPA partial moratorium for employee and business-to-business data. - “Sale” means the exchange of personal data for monetary consideration by a controller to a third party. The definition of sale excludes transfers to affiliates and avoids the open-ended “other consideration” element in the CCPA/CPRA. However, the opt-out under the law also applies to “targeted advertising” and “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
- “Pseudonymous data” is exempt from consumer rights requests (although not assessment or processor requirements) if it is “kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.” However, there is an operational burden to ensure those controls are in place and are documented. Further, controllers who wish to use this exception must exercise oversight to monitor that any downstream recipients observe these conditions,[1] which itself presents a potentially significant operational challenge if the data travel widely.
- “Sensitive data” is subject to an opt-in for processing, instead of the opt-out of secondary uses, sharing and sales that applies under CPRA. This may prove an interesting operational challenge because sensitive data include racial or ethnic origin, religious beliefs, mental and physical health diagnosis and precise geolocation, to name a few. However, this term is defined more precisely under the VCDPA. It does not include the California data breach notice data elements, contents of communications, email account credentials, philosophical beliefs, or union membership. Thus, the universe of sensitive data under VCDPA is significantly narrower, avoiding including items like email account credentials, which are commonly held by businesses. In addition, as explained above, the VCDPA contains somewhat broader sectoral and operational exemptions (including for the health sector), which narrow somewhat the applicability of the sensitive data opt-in.
Enforcement / no data breach class action
The bill precludes any class action enforcement. The Virginia Attorney General can levy fines for failure to cure a violation after notice of up to $7,500 per violation.
Overall, the variations between the California and Virginia laws add some further complexity to a confusing, and sometimes contradictory, array of global requirements and exceptions, especially for third party use. However, the VCDPA avoids several areas of significant uncertainty in the CCPA and may provide an overall clearer model with more consumer rights for other states. Stay tuned! As of now, other states to watch closely for other potential privacy laws this year are: Florida, Colorado, New York, Connecticut, Washington, Oklahoma, Ohio and Minnesota.
This article originally appeared in IAPP Privacy Perspectives on March 8, 2021.
[1] §59.1-577(D) and (E).
[i] §59.1-574A(1) & (2).