Virginia’s Sweeping Data Protection Law Sets Company Rules and Consumer Rights
Virginia is now the second state in the nation to adopt a comprehensive data protection law, after California. The Virginia Consumer Data Protection Act (CDPA) became law March 2. It takes effect on January 1, 2023. In general, the law sets standards for entities that control and process personal data in Virginia. It also provides consumers—natural persons who are Virginia residents acting only in an individual or household context—with valuable rights over their personal data.
“Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This does not include de-identified or publicly available data. Notable exemptions include:
- Certain commercial and employee personal data
- Data protected under the Driver’s License Protection Act, Farm Credit Act, Gramm–Leach–Bliley Act (GLBA), HIPAA, Fair Credit Reporting Act, and Family Educational Rights and Privacy Act
- Specific data about agents and independent contractors
The CDPA applies to persons that conduct business in Virginia and meet either of these conditions:
- Control or process personal data of at least 100,000 consumers
- Control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data
The law does not apply to state or local governments, financial institutions subject to GLBA, covered entities or business associates governed by HIPAA, institutions of higher education or nonprofits.
Entities that define the purpose and means of processing personal data, called controllers, and those that process the personal data on the controller’s behalf, called processors, have different duties under the CDPA. In short, processors must follow the controller’s instructions and help it comply with the law. Controllers must:
- Limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed
- Process personal data for reasons reasonably necessary and compatible with the disclosed purposes for which such data is processed
- Set up, employ and maintain reasonable data security practices
- Not discriminate against consumers for exercising their rights
- Not process certain sensitive data without getting consent
- Provide consumers a meaningful privacy notice with relevant disclosures about its data processing practices and consumers’ rights
- Conduct and record a data protection assessment that identifies and weighs the benefits and risks of certain processing activities
- Enter into data processing agreements with its processors that “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties”
Consumers, on the other hand, have the following rights:
- The right to confirm whether a controller is processing their personal data and to access the data
- The right to correct inaccuracies in their personal data
- The right to delete personal data provided by or obtained about the consumer
- The right to get a copy of their personal data in a readily usable and transmissible format
- The right to opt out of data processing for the purpose of targeted advertising, the sale of personal data, or profiling to further decisions that produce legal or similarly significant effects for the consumer
The Virginia Attorney General has exclusive authority to enforce the CDPA. No private right of action exists, although a controller must provide a way for consumers to appeal any denial of their rights. Before taking action, the Attorney General must give written notice of the alleged violation. If the controller or processor cures the violation within 30 days of notice, no action will be taken. If the violation is not cured, the Attorney General may seek an injunction and civil penalties of up to $7,500 per violation.
Virginia wasn’t the first state to address data protection, and it won’t be the last. Companies should look at how they handle personal data to make sure they comply with the latest laws. An information inventory is a good place to start. Please contact any member of Phelps’ Cybersecurity, Privacy and Data Protection team if you have questions or need compliance advice or guidance.