Virginia Consumer Data Protection Act 2021
After California, Virginia became the next state in line in the US to pass a consumer data protection act. The new law shall provide a series of rights to the individuals in Virginia and put mandates on businesses that are managing and handling consumer data.
- The House of Delegates of the Virginia State Legislature has approved a version of the bill (House Bill 2307) on 29th January 2021 and the Virginia State Senate has passed an almost identical version of the bill (Senate Bill 1392) on 5th February 2021 as well.
- Virginia Gov. Ralph Northam signed the Consumer Data Protection Act into law on 2nd March 2021, giving consumers the right to access their personal data and request it be deleted by businesses.
- Will be enforced from 1st January, 2023.
The Virginia CDPA categorizes some data as "Sensitive data" which includes:
- Personal data which indicate towards racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The collection and processing of genetic or biometric data for the purpose of identifying an individual or consumer;
- The personal data collected from minors or children;
- Precise geo-location data.
- Publicly available and de-identified personal data are not covered under the law.
- Medical data covered under any medical laws: Any health information, records, data and documents protected and covered under HIPAA, other federal or state medical laws including de-identified medical data and medical data for public health use or medical research under HIPAA or any other medical law or policy;
- FCRA covered data: Any personal information of consumers used for consumer credit scoring and reporting protected under the federal Fair Credit Report Act (FCRA);
- Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
- FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
- Farm credit data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act.
Data Controller Obligations
- Obtain consent prior to collecting and processing sensitive personal data (g., data revealing certain protected characteristics, genetic or biometric data, data collected from children or precise geo-location data)
- Comply with data processing principles such as purpose limitation and data minimization.
- Implement and maintain the cybersecurity and network security infrastructure so that it does not hamper the confidentiality, integrity and accessibility of personal data.
- They should enter into a written contract with data processors to provide instructions and put limitations on its code of conduct such as the methodology of processing the data, type of data to be processed, time limit for processing the data and mandates of both the parties.
- Conduct a data protection impact assessment and document the whole process formally while processing of sensitive personal data is taking place or associating with activities related to advertisement, selling of personal information of consumers, profiling and other activities which put consumers at high risk of breach.
- Inform consumers of the various privacy rights afforded to them under the CDPA and honour those rights.
Data Subject Rights
The following are the rights of a data subject under VCDPA:
- Right to Confirm- The consumer shall have a right to confirm whether or not a controller is processing his/her personal data.
- Right to Access- The law provides the consumer right to access his/her data which is collected and processed by the data controller.
- Right to Rectify- The consumer has a right to have inaccurate personal data being stored or processed by the data controller be corrected.
- Right to Delete- The consumer has the right to have his personal data stored or processed by the data controller is deleted.
- Right to Data Portability- The consumer has a right to obtain a copy of the data he/she provided to the data controller in a machine readable format. The law subjects the consumer the right to transfer his/her data to another data controller without any hindrance.
- Right to Opt-out- The consumer has the right to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling.
The following points should be kept in mind with regards to data subject rights (DSR) -
- Time period to fulfil DSR request: All data subject rights’ requests (DSR requests) must be fulfilled by the business within a 45 day period.
- Extension in time period: Businesses may seek for an extension of 45 days in fulfilling the request depending on the complexity and number of the consumer's requests.
- Denial of DSR request: If a DSR request is to be denied, the business must inform the consumer of the reasons within a 45 days period. Businesses can deny DSR requests from a consumer if they are unfounded, excessive, or repetitive.
- Appeal against refusal: Consumers have a right to appeal the decision for refusal of grant of the DSR request. The appeal must be decided within 60 days.
- Limitation of DSR requests per year: Information provided in response to a consumer request shall be provided by a controller up to twice annually per consumer.
- Charges: DSR requests must be fulfilled free of charge. However, if requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request.
Entities who need to comply
Virginia CDPA applies to all businesses in Virginia or those who produce products or services that are targeted to residents of Virginia and “control and process” the personal data of:
- At least 100,000 Virginia residents; or
- For an entity that derives over half (50%) of its gross revenue from the sale of personal data, of at least 25,000 Virginia residents.
The following entities are exempt from complying with the VCDPA:
- Public/government bodies: Any body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth;
- GLBA entities: Financial Institutions or data which is subject to Title V of the federal Gramm-Leach-Bliley Act (GLBA);
- HIPAA/HITECH covered entities: Any covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (HHS) pursuant to the federal Health Insurance Portability and Accountability Act (HIPAA) or the federal Health Information Technology for Economic and Clinical Health Act (HITECH);
- COPPA compliant entities: Controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act (COPPA) will be deemed to be in compliance with the obligation to obtain parental consent.
The Virginia Attorney General has exclusive enforcement authority under the CDPA and may issue civil penalties of up to $7,500 per violation. Unlike the CCPA, the Virginia CDPA does not create a private right of action for Virginia consumers.
Rather than wait for January 1, 2023, all businesses, especially those with a national footprint, should begin the process of compliance with data mapping and get visibility on use of data & flows in their company.
Prantik Mukherjee is a lawyer specializing in data protection and privacy compliance.