Following Calif.’s Lead, Data Privacy Laws Reach East Coast
April 26, 2021
Reprinted with permission from the April 23, 2021 edition of The Legal Intelligencer © 2021 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
Virginia has followed in California’s footsteps and passed its own data and consumer privacy law, making it the second state (or, commonwealth) to pass a proactive data privacy law governing the collection and use of consumers’ personal information. The Virginia Consumer Data Protection Act (CDPA) was signed into law in March. While there is time to prepare before the CDPA goes into effect Jan. 1, 2023, the law brings privacy regulations closer to home for businesses on the East Coast and in the mid-Atlantic that may have ignored the potential applicability of the California Consumer Privacy Act.
Applicability of the CDPA
The first question for businesses to ask themselves is whether the CDPA will even apply to them. The CDPA applies to organizations that conduct business in Virginia or target their products and services to residents of Virginia, and that either process personal data of at least 100,000 consumers during a calendar year, or process personal data of at least 25,000 consumers and derive more than 50% of gross revenues from sales of such data.
To understand the applicability of the CDPA, it is important to define both “consumers” and “personal data.” Within the context of the CDPA, “consumers” are persons residing in Virginia and “acting in an individual or household context.” Note that this definition excludes persons acting in an employment context; we will discuss that caveat in greater detail later. “Personal data” is defined as information that is linked or is reasonably linkable to an identified or identifiable natural person, but not data that has been de-identified or is publicly available. Other types of information have been specifically excluded from the definition of “personal data,” including:
- Data being processed as part of an employment relationship with an individual.
- Data already protected under the Health Insurance Portability and Accountability Act of 1996.
- Data subject to the Gramm-Leach-Bliley Act.
- Data regulated by the Family Educational Rights and Privacy Act.
- Data bearing on a consumer’s creditworthiness where the processing of such data is regulated by and authorized under the Fair Credit Reporting Act.
In addition to excluding certain types of data from the law’s reach, the CDPA also specifically exempts nonprofit organizations and institutions of higher education.
A note about employee data
As mentioned above, the CDPA does not consider individuals to be “consumers” when they are acting in an employment context. This means that the CDPA does not impose additional privacy obligations or responsibilities on employers as to job applicants, current employees, and past employees.
The decision of the Virginia legislature to exclude employment data stands in contrast to the choices made for the California Consumer Privacy Act and California Privacy Rights Act. Under California law, businesses will soon be required to follow specific rules for the collection and handling of employee data. Currently, businesses are granted certain carveouts for the employment data of Californians. However, those exemptions for employment data will expire on Jan. 1, 2023. Luckily for employers with employees in Virginia, there are no “coming soon” obligations applicable to personal data in an employment context.
Requirements for businesses
When it goes into effect, the CDPA will require businesses to provide consumers with privacy notices disclosing the categories of personal data being collected; the purposes for processing that data; how consumers may exercise their rights; how consumers may appeal a decision with regard to requests to exercise their rights; the categories of personal data shared with third parties; and the categories of third parties with whom their data is shared.
Those consumer rights created by the CDPA and referenced by privacy policies include the rights of Virginia residents to:
- Request access to, as well as deletion, correction, and copies of personal data.
- Opt out of the processing (i.e., the use) of their personal data for purposes of:
  - Targeted advertising.
  - The sale of personal data.
  - Profiling in furtherance of decisions that produce “legal or similarly significant effects” concerning the individual.
Virginia will also join the ranks of states like New York that require businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. For a separate discussion on what is “reasonable,” see Defining Reasonable Care for the Protection of Personal Data.
Additional requirements for businesses include the obligation to conduct data protection assessments in particular situations, such as when a business is selling personal data or processing it for purposes of targeted advertising. Businesses should remember to document those assessments and revisit them whenever their practices change or expand.
If a business uses third-party vendors to process consumers’ personal data (such as mailing vendors or online advertising vendors), then there must be a contract in place that limits the vendors’ use of such data. Thankfully, for large vendors like Google Analytics, that requirement will likely be addressed through revisions to their online terms of service. For smaller vendors, businesses may need to require the execution of data processing addendums to their existing contracts.
Equally important as what businesses must do is what businesses are prohibited from doing. Specifically, the CDPA forbids businesses from collecting personal data unless that information is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.”
Referring to the aforementioned consumer rights created by the CDPA, businesses will be prohibited from discriminating against consumers for exercising those rights. However, the CDPA will not prohibit a business from providing a different price, rate, level, quality, or selection of goods or services to a consumer if the offer is “… related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.”
Additional restrictions placed on businesses include a prohibition on processing “sensitive data.” Under the CDPA, “sensitive data” includes racial and/or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, biometric data, and geolocation data. In order to process sensitive data, businesses must first obtain the individual’s “freely given, specific, informed, and unambiguous” consent.
Unlike the California Consumer Privacy Act, the CDPA does not create a private right of action for consumers; rather, it is the Virginia attorney general who is exclusively vested with the power to enforce and bring actions for a violation of the CDPA.
If a business commits a violation, the attorney general must give the business 30 days’ notice and an opportunity to cure any violations prior to bringing an enforcement action. If the violation has not been cured in that time, the business can face steep penalties. For each person whose information is improperly collected or processed, the business could face a civil penalty of up to $7,500 per violation.
Virginia may only be the second state (commonwealth) to pass comprehensive data privacy legislation, but it certainly will not be the last. As of the time of this writing at least 26 bills have been introduced in 2021 to implement privacy laws at the state level (some states have introduced multiple bills). Businesses must be constantly aware of the quickly changing data privacy landscape and must be ready to adapt as new laws come online.
Devin Chwastyk is a member of McNees Wallace & Nurick and the chair of the firm’s privacy and data security group. Christian Wolgemuth is an associate at the firm in the privacy & data security group, and previously worked as a cybersecurity consultant for an international accounting and consulting firm.