How Strong Is Virginia’s New Privacy Law?

By Carolyn Wimbly Martin and Ethan Barr

On March 2, 2021, Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) into law, making Virginia the third U.S. state to pass its own data privacy regulations. The CDPA, which will take effect in 2023, is generally viewed as less robust than the California Consumer Privacy Act (CCPA), which passed in 2018. As other states continue to push for similar legislation and regulation of the tech industry, Virginia may set the stage for the next wave of state privacy laws. However, increasingly decentralized enforcement mechanisms may continue to ignite the call for a federal tech privacy law.

The CDPA applies to anyone conducting business in the Commonwealth of Virginia who either “control[s] or process[es] personal data of at least 100,000 consumers” or “derive[s] over 50 percent of [its] gross revenue from the sale of personal data and control[s] or process[es] personal data of at least 25,000 consumers.” Essentially, it subjects mostly large tech companies to liability. However, some tech companies may fall outside these two requirements, and therefore, the scope of the regulation. Additionally, while the law places responsibility on data controllers and processors, it creates exemptions for state and local governments, data strictly regulated by federal privacy law(s), nonprofit organizations, institutions of higher education and certain political bodies. It is also worth noting that the CDPA does not apply to collection of employee data, and the category of information regulated by federal privacy laws is quite broad. For example, this includes but is not limited to data covered by the Fair Credit Reporting Act (FCRA), Family Educational Rights and Privacy Act (FERPA) and Gramm-Leach-Bliley Act (GLBA). More importantly, the law only regulates the sale of personal data, not the use of such data.

Businesses that fall within the scope of the CDPA have a few primary responsibilities. First, the law requires that all data controllers provide consumers with a privacy policy that clearly explains the type of data collected, purposes of data use, consumer rights, appeals processes and details of any third-party data sharing. Additionally, the law places limits on such data collection and use. Covered businesses are only permitted to collect data that is pertinent and “reasonably necessary” to the purposes they disclose to their consumers. Businesses are also obligated to establish and maintain reasonable data protection practices and risk assessments, although the law is unclear regarding frequency and recordkeeping. Finally, the CDPA requires that data controllers and processors be bound by data processing agreements, listing several terms that must be included.

Six primary consumer rights are created by the CDPA. First, consumers have the right to confirm whether their personal data is being processed, as well as have the right to access their data. Second, they have the right to correct false or inaccurate data. Third, there is a right to delete data if the consumer so chooses. Fourth, the law creates a right to data portability, meaning the consumer may obtain a copy of the collected data in a portable and transmittable format. Fifth, there is a robust right of the consumer to opt out of the processing and collection of personal data for purposes of advertising, sale and user profiling. Finally, if a business does not fulfill its obligations under the CDPA within the statutory period of 45 days, the consumer has the right to appeal the denial of their complaint to the business. If the business denies that appeal, the data controller must direct them to the Attorney General (AG) of Virginia.

While many federal privacy laws are overseen by entire agencies, committees or multiple individuals, the CDPA is enforced solely by the AG of Virginia. Once notified by the AG, businesses have 30 days to respond to the violation and provide the AG with a written acknowledgement that the violation was cured. Otherwise, they may be fined up to $7,500 for each violation. It is also worth noting that the CDPA does not provide a private right of action, so it is entirely up to the AG to enforce the law.

The CDPA has been widely supported by Big Tech companies, perhaps because the Virginia law is not as robust as California’s. However, although these businesses are not clamoring for stricter legislation, they may still prefer more clarity around the existing law. Indeed, numerous privacy experts have already recommended additional provisions that may strengthen the law before it takes effect in 2023. For example, some have called for legislators to protect consumers further by adding a private right of action. Others have suggested expanding the scope of the law to subject a wider swath of businesses to liability, as well as amending portions of the law to make it easier for consumers to opt out of data collection and processing, much like the CCPA in California. There will likely be much debate surrounding the CDPA as consumer advocates and businesses both attempt to understand and take advantage of the law. It will be important to keep an eye on any further legislation, critiques of the existing law and the actions of the AG of Virginia (currently Mark Herring).

Regardless, the CDPA has placed a spotlight on other states that are considering or in the process of enacting consumer data privacy laws. Many states have passed privacy laws targeted at specific industries and individuals—for example, Delaware Code § 1204C focuses on children’s online privacy. However, California, Nevada and now Virginia are the only states to have passed comprehensive consumer privacy laws. With these laws serving as models, states like Utah and Washington are now drafting similar broad legislation for consumer protection.

Nevertheless, a patchwork of state privacy laws has also ignited a push for a more uniform federal privacy law. While the CCPA is considered the most protective state privacy law, of course many companies operate in and many consumers reside in states other than California. From a practical standpoint, entities doing business with California residents can streamline their systems by applying the CCPA’s elevated standard to all of its consumers. However, this decentralized approach to privacy law has still contributed to substantial confusion and general uncertainty, and even more state privacy laws may pose additional obstacles. Businesses may be forced to abide by differing statutes and codes, and consumers may be unequally protected across various states. Accordingly, this may foreshadow an obvious need for a singular set of streamlined federal privacy rules.

Although Virginia’s new privacy law is a step in the right direction, we will continue to monitor and report any developments prior to and following its enactment. Lutzker & Lutzker is also available to review your website and assist in drafting privacy policies.