Virginia's new Consumer Data Protection Act (CDPA) means many businesses serving consumers in the state of Virginia will need to follow new rules on data privacy and handling. As with California's CCPA, the measures can affect businesses from outside the state.
Here's what you need to know and do to comply with the new rules.
- 1. The Background of the CDPA
- 2. Who is Covered by the CDPA?
- 3. Exemptions to the CDPA
- 4. Key Definitions Under the CDPA
- 4.1. Personal Data and Consumers
- 4.2. Sensitive Data
- 4.3. Controllers and Processors
- 5. Consumer Rights Under the CDPA
- 6. Requirements of the CDPA
- 6.1. Data Access Requests
- 6.3. Data Collection and Use
- 6.4. Consent For Data Use
- 6.5. Data Controllers and Processors
- 6.6. Securing Data
- 7. Penalties For Breaching the CDPA
- 8. Summary
The Background of the CDPA
The CDPA passed into law in March 2021 and its measures will take effect on 1 January 2023. In broad terms, it combines elements of Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Supporters of the CDPA argue that its measures take into account the differing levels of success enjoyed by different elements of other privacy laws. In particular, the CDPA aims to balance establishing and upholding consumer privacy rights with minimizing the burden on businesses.
Who is Covered by the CDPA?
The CDPA's primary criterion and threshold is that it applies to businesses that process the personal data of more than 100,000 Virginia consumers in the same year. This threshold is designed to cover business-consumer relationships, so it doesn't cover personal data about a business's own staff in an employment context.
The threshold falls to 25,000 if the business gets more than half of its gross revenue from selling personal data.
Unlike some privacy laws, the revenue of the business does not matter.
Exemptions to the CDPA
Even if a business meets the threshold, it will be exempt from the CDPA in some circumstances.
A business based outside of Virginia that does not "target" Virginia consumers is exempt. As a guideline, simply having a website that is accessible in Virginia does not automatically make a business subject to the CDPA. However, marketing products or services that are available to buy or order from Virginia would count as targeting Virginia consumers.
"Target" doesn't mean the business prioritizes getting Virginia customers over those in other states. Rather it means consumers in Virginia are among its intended audience or customer base.
Businesses that are already subject to a federal privacy scheme are exempt. Key examples include the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act for financial institutions, and HIPAA for health information.
Businesses that act in a Business-to-Business (B2B) role will be exempt in practice. This isn't an automatic exemption based on status, but rather a simple result of the fact such businesses won't meet the 100,000/25,000 consumer thresholds.
Key Definitions Under the CDPA
The CDPA defines several concepts and these definitions sometimes vary from those used in other privacy laws.
Personal Data and Consumers
The CDPA defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable natural person."
This is an intentionally broad definition.
However, the law only covers personal data about consumers, defined as somebody "acting only in an individual or household context" and not "acting in a commercial or employment context." Again, this means the CDPA doesn't cover information about employees.
Sensitive Data
Like some other privacy laws, the CDPA has special rules for data classed as "sensitive."
This covers personal information that reveals any of the following:
- Citizenship or immigration status
- Mental or physical health diagnosis
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
It also covers the following:
- Biometric or genetic data used to identify somebody
- Personal data collected from somebody you know to be a child
- Precise geolocation data
Controllers and Processors
As with the GDPR, the CDPA has different rules for data controllers and data processors. It uses a similar definition, with controllers being the businesses that decide what data is collected and why. Processors are businesses that physically carry out processing on behalf of (and following the instructions of) a data controller.
Consumer Rights Under the CDPA
The CDPA's express intention is to establish and uphold a series of consumer rights. These rights underpin the various requirements the CDPA places on businesses. Because the rights are expressly stated in the law, they may act as a guiding principle if a court ever has to rule on the interpretation of the CDPA's specific measures.
The rights are as follows:
- The right to know if a business is processing the consumer's personal data and, if so, to access it
- The right to correct inaccuracies in personal data
- The right to demand a business delete personal data (when such demands should be met is not firmly established yet)
- The right to get a copy of the personal data in a form that the consumer can transfer to another data controller
- The right to opt out of personal data being sold, being used for targeted advertising, or being used for profiling that produces a legal or significant effect
Data controllers cannot discriminate against a consumer for exercising these rights.
Requirements of the CDPA
If you are a data controller subject to the CDPA you have several legal obligations. And data processors must follow the data controller's orders to make sure these obligations are met.
Data Access Requests
The CDPA sets out specific rules for the way consumers can exercise their rights. Any consumer can make two data access requests a year without charge. Any further requests must also be without charge unless you can show that the request is "manifestly unfounded, excessive, or repetitive." Even if this is the case, any charge must be reasonable and only cover administrative costs.
Once you receive a request, you must either respond within 45 days or, if "reasonably necessary", tell the consumer within 45 days that it will take longer. In the latter case, the final deadline for responding extends to 90 days.
Regardless of these two deadlines, you must always respond without undue delay: in other words, as soon as possible.
You can only refuse a request if it is not possible to comply using "commercially reasonable efforts." If you do not have enough information from the consumer, you must ask for it. If you do refuse a request, you must say why and tell the consumer that they have the right to appeal your decision.
If the consumer appeals, you have 60 days to decide how to respond to this appeal and explain this response to the consumer. You must also give them details of how to complain to the Attorney General.
WRAP London explains how its customers can exercise their data rights. It would have been better with clearer language and an explanation of the term SAR (statutory access rights).
The CDPA also requires you to tell consumers the following:
- The categories of personal data that you collect
- The purpose or purposes for which you collect and process data
- The categories of personal data that you share with third parties
- The categories of third parties with which you share personal data
- How consumers can exercise their CDPA rights
- How consumers can appeal against a decision you make regarding the exercise of CDPA rights
- Whether you sell personal data to third parties and, if so, how to opt out
- Whether you use personal data for targeted advertising and, if so, how to opt out
VMware shows an effective way to do this to comply with California's CCPA, listing the relevant categories defined by the law and then giving specific examples. Many businesses affected by both laws will find it easiest to use the same categories for CDPA compliance.
The CDPA doesn't mandate the ways in which you must accept opt out and access requests but suggests it should be in line with the normal ways consumers contact you. Until the law is tested in practice, it will probably be safer to accept requests in a variety of ways including email (or online form), physical mail and telephone.
Data Collection and Use
The CDPA says you must only collect personal data that is relevant and necessary for the purposes you state when collecting it. You must then only use it for the stated purposes. You cannot use it for any other purpose without specific consent.
Tennis Canada gives clear explanations of the various purposes for which it collects personal data.
Consent For Data Use
In most cases, the CDPA doesn't require consent before you use personal data, but rather that you merely make consumers aware of that use. As noted, you must get consent before using personal data for a purpose other than what you have already stated.
You must also get consent before collecting or using any personal data that falls into the sensitive category.
Data Controllers and Processors
For the most part, it's data controllers who are responsible for complying with the CDPA.
However, the CDPA says any data controller who uses a data processor must have a data processing agreement with them. This must give clear instructions regarding what data to process, how to process it, how long to process it for, and the respective rights and obligations of the data controller and data processor.
The CDPA says the agreement must include the following measures:
- Anyone processing personal data must have a binding duty of confidentiality
- The processor must delete or return the data "at the end of the provision of services"
- The processor must provide any information necessary for the controller to be able to show the processor has followed the CDPA
- The processor must cooperate with any assessment by the controller or contracted third party to check compliance with the CDPA
- If the processor uses subcontractors, they must have their own data processing agreement that passes down the relevant responsibilities and obligations
Securing Data
The CDPA says you must take adequate security measures to make sure personal data remains confidential, accessible and complete. This should include administrative, physical and technical measures.
The CDPA also says you must carry out a formal data protection assessment covering the way you process any of the following:
- Sensitive personal data
- Personal data you sell
- Personal data you use for targeted advertising
- Personal data you use for profiling
- Personal data used in a way that creates a "heightened risk of harm to consumers"
The assessment should take into account benefits and risks for both you and the consumer, any safeguards you use, and the relationship you have with the consumer.
The conclusions you reach from the assessment don't necessarily have to decide whether you proceed with the processing. However, you must keep a record of the assessment.
If the Attorney General later investigates an alleged breach of the CDPA, they can demand a copy of the relevant data protection assessment. This could affect their conclusions about what responsibility you bear for the breach.
Penalties For Breaching the CDPA
Unlike some privacy laws, consumers who allege a breach of the CDPA cannot take legal action themselves.
Virginia's Attorney General can order a business to correct any violation within 30 days. If the business does not do so, the Attorney General can impose a civil penalty with a maximum of $7,500 per violation. (Each individual affected by a breach counts as a separate violation.)
Summary
Let's recap what you need to know about Virginia's Consumer Data Protection Act:
- The Act's measures take legal effect on 1 January 2023.
- The CDPA affects businesses that target Virginia consumers and process the data of more than 100,000 Virginia consumers in a year. The threshold falls to 25,000 if the business makes more than half its annual revenue from selling personal data.
- The definition of "target" is broad and simply means the business intends to have customers in Virginia.
The CDPA upholds five consumer rights:
- To know what personal data you process about them
- To correct inaccuracies
- To demand you delete personal data
- To get a copy of the personal data that they can transfer to another business
- To opt out of you selling their personal data, using it for targeted advertising, or using it for profiling that creates a legal effect
- If a consumer exercises these rights, you must respond as soon as possible, with a maximum of 45 days. If it will take more than 45 days you must tell the consumer and then respond within 90 days.
- You can only refuse a request if you cannot reasonably do so. If this happens the consumer can appeal the refusal. You must respond to this appeal within 60 days.
You must also tell consumers the following:
- What personal data you collect
- Why you collect and use it
- What personal data you share with third parties and who they are
- How consumers can exercise their rights and appeal against your response
- Whether you sell personal data to third parties and how to opt out
- Whether you use personal data for targeted advertising and how to opt out
- If you use a data processor you must have an agreement in place that sets out rights and responsibilities and makes sure you continue to comply with the CDPA.
- You must secure personal data against loss, unauthorized access or damage.
- You must carry out a data protection assessment before processing personal data that is classed as sensitive; processing personal data that you sell; processing personal data that you use for targeted advertising or profiling; or processing that risks harm to the consumer. The state's Attorney General can ask to see this data protection assessment when investigating an alleged breach.
- Consumers can't take legal action over CDPA breaches. The state's Attorney General can order you to fix a breach within 30 days. If you don't, the Attorney General can fine you up to $7,500 per violation.