The long wait to see whether another state would pass a comprehensive data protection law after California has finally come to an end: on February 3, the Virginia Senate passed the Virginia Consumer Data Protection Act (CDPA). An identical version of the bill had already passed the Virginia House of Representatives on January 29, so reconciling the two versions before the February 11 deadline will likely be a mere formality. The bill will then be submitted to the Virginia governor for signature. If signed, the Virginia CDPA will take effect on January 1, 2023, the same day as the California Privacy Rights Act (CPRA).
The CDPA draws on the principles of the CPRA, the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), but differs from all three on important points. We have summarized the most important provisions of the CDPA below and will continue to provide updates as the bill moves through the Virginia legislature.
1. Applicability. Like the CCPA, the CDPA uses thresholds to determine applicability. The law applies to “persons that conduct business in [Virginia] or produce products or services that are targeted to residents of [Virginia] and that: 1) control or process personal data of at least 100,000 residents of Virginia during a calendar year or 2) control or process personal data of at least 25,000 residents of Virginia and derive more than 50 percent of gross revenue from the sale of personal data.”
2. Exemptions. Although the CDPA is described as a “comprehensive” data protection act, it contains a number of exemptions (as do the CCPA and CPRA). Some of these exemptions resemble those of the CCPA and CPRA, but in several cases they are broader. For example, instead of exempting only information that is subject to the Gramm-Leach-Bliley Act (GLBA) or protected health information under the Health Insurance Portability and Accountability Act (HIPAA), the CDPA does not apply at all to “financial institutions … subject to [the GLBA]” or to “covered entities or business associates” under HIPAA. The law also exempts information governed by most other federal privacy statutes, such as the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act, the Farm Credit Act, the Children’s Online Privacy Protection Act (COPPA), and the Driver’s Privacy Protection Act.
3. Controller / processor distinction. Like the GDPR (and unlike the CCPA, which distinguishes between “businesses” and “service providers”), the CDPA uses the “controller / processor” dichotomy to distinguish between the companies that determine the purposes and means of processing personal data and the companies that process personal data on their behalf. As under the GDPR, the CDPA imposes specific obligations on both controllers and processors, and both can be held liable under the law.
4. Broad definition of personal data. Similar to the other three data protection laws discussed, the CDPA has a broad definition of “personal data”. It defines the term as “any information that is or can reasonably be linked to an identified or identifiable natural person”. The definition of “personal data” specifically excludes publicly available information and de-identified data (and the law has specific standards for how companies should handle de-identified data).
5. Inclusion of a “sensitive data” category. The CDPA has a separate category of “sensitive data”, defined as 1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 2) genetic or biometric data (processed for the purpose of uniquely identifying a natural person); 3) personal data collected from a known child; or 4) precise geolocation data. Controllers may process sensitive data only with the consumer’s consent (or, for data concerning a known child, with parental consent in accordance with COPPA).
6. Individual rights. Like the three laws discussed above, the CDPA creates statutory rights for Virginia residents. These include 1) the right of access, 2) the right to correction, 3) the right to deletion, 4) the right to data portability and 5) the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer.
7. Data protection assessments. Like the GDPR and the CPRA, the CDPA requires companies to conduct a data protection assessment when processing data in certain contexts. Specifically, the CDPA requires an assessment when a controller 1) processes personal data for the purposes of targeted advertising; 2) sells personal data; 3) processes personal data for profiling (in certain contexts); 4) processes sensitive data; or 5) carries out any processing activity that presents a heightened risk of harm to consumers.
8. Enforcement. Like the CCPA, the CDPA is enforced through civil actions brought by the Attorney General and includes a 30-day cure period. Penalties under the CDPA can be up to $7,500 per violation for both controllers and processors. Unlike the CCPA, the CDPA provides no private right of action, not even for security incidents.