On 2 March 2021, Governor Northam of Virginia signed the next U.S. state privacy bill into law: the Virginia Consumer Data Protection Act (CDPA) will apply as of 1 January 2023 and will offer a range of new rights to the residents of the Old Dominion. Like the California Consumer Privacy Act (CCPA), the CDPA includes a clear applicability threshold: businesses are covered if, during a calendar year, they control or process the personal data of at least 100,000 Virginia residents, or of at least 25,000 Virginia residents if over fifty percent of their gross revenue is derived from the sale of personal data.
If either threshold is met, businesses will be required to extend a range of new individual rights to their customers:
- A right to understand if personal data about them is processed or not, including extensive notice requirements;
- A right of access to all personal data processed;
- A right to correct any erroneous personal data;
- A right to delete personal data;
- A right to data portability, i.e. to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that facilitates the move to another data controller;
- A right to opt-out of the sale of personal data, as well as the processing of personal data used for targeted advertising and profiling.
The exercise of individual rights is free of charge, up to twice a year per individual. The business has 45 days to respond and may extend this deadline by another 45 days where reasonably necessary, in which case the individual must be informed of the extension and the reason for the delay. If a request cannot be fulfilled, it must be declined with a justification. Businesses are expected to authenticate requests using commercially reasonable efforts before acting on them, so individuals will need to be able to prove their identity; this is what prevents a business from disclosing personal data to unauthorised persons.
The CDPA has clearly taken a leaf out of the book of the EU General Data Protection Regulation (GDPR) by providing a series of data protection principles that need to be respected by businesses processing personal data. For example, businesses will need to ensure that the processing of personal data is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed” and not further processed for non-compatible purposes. Furthermore, an obligation is introduced to ensure “reasonable administrative, technical, and physical data security practices” are in place. The CDPA, like the draft Washington Privacy Act (WPA), also introduces the EU-inspired distinction between controllers and processors, including the obligation to conclude a data processing agreement to regulate all data processing on behalf of the data controller, which is a first for enacted U.S. privacy laws.
Not all of these data protection principles are found in the privacy laws of other U.S. jurisdictions. The principle of purpose limitation, for example, is not included in the CCPA, although it will be introduced by the new California Privacy Rights Act (CPRA), which will also apply as of 1 January 2023. On data security, both California privacy laws have more limited provisions, linking specific data security requirements only to the need to avoid data breaches.
Another notable provision of the CDPA requires opt-in consent for the processing of sensitive personal data. This includes any data “revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status”, as well as genetic or biometric data processed to uniquely identify an individual, precise geolocation data, and personal data collected from a known child.
Finally, the CDPA introduces mandatory data protection assessments for a range of situations, including the sale of personal data, the processing of sensitive personal data, processing for the purposes of profiling and targeted advertising, and any processing that presents “a heightened risk of harm to consumers,” a standard similar to the GDPR’s obligation to conduct data protection impact assessments (DPIAs). Of note is that data controllers are allowed to weigh the benefits of the processing against the risks that processing poses to the individual. A similar provision can be found in the draft WPA, which the Washington State legislature is debating for the third session in a row. A provision requiring specific data protection or privacy assessments at the time of processing is notably absent from the CCPA and the CPRA as enacted.
With regard to enforcement of the CDPA, exclusive authority lies with the Virginia Attorney General, who may open civil investigations into any controller or processor and impose civil penalties of up to $7,500 per violation. The same maximum applies to any damages payable by businesses violating the CDPA. Before an enforcement action is brought, the Attorney General must give the business written notice of the alleged violation and a 30-day period to cure it. Unlike the CCPA, the CDPA provides no private right of action, so individuals cannot sue a business themselves for a violation of their privacy rights.
As mentioned above, the Virginia CDPA will apply as of 1 January 2023, the same date the CPRA will enter into force. If adopted, the WPA would also apply as of that date. This means that companies meeting the applicability thresholds in more than one of these states will need to comply with multiple new sets of rules from that date. Some of these rules align between jurisdictions, but not all of them. With more states resuming their debates on the introduction of wide-ranging privacy legislation across the U.S., notably Washington, Minnesota, New York, Oklahoma and Utah, the chances are increasing that further specific data protection requirements will come into force in the same timeframe.
TrustArc keeps continuous track of the development of privacy legislation at U.S. State level and in countries around the world. The results are available to subscribers of Nymity Research, as well as part of the intelligence system and engines that support our Privacy Management Platform. If you would like to understand how TrustArc can help your business to comply with privacy requirements across multiple jurisdictions, please reach out to us for a free demo.