While Virginia’s new Consumer Data Protection Act (VCDPA) remains a far cry from the EU’s comprehensive GDPR, it offers a less “unique” approach to reinventing the privacy wheel than what California has given us with the CCPA/CPRA.
The VCDPA goes into effect on January 1, 2023.
Far from the 99 Articles of the GDPR, the VCDPA wraps up its legislation in 11 short sections, which I’m reading across roughly 13 cleanly-formatted pages. Right off the bat, we find GDPR-familiar definitions and naming conventions for “controllers” and “processors.” And we have a fair understanding and expectation from those familiar definitions about who we are talking about.
Scope of Application
Akin to California, however, the VCDPA has scope limitations and is applicable to companies who control or process personal data of at least 100,000 consumers — or 25,000 consumers if they derive 50% of their revenue from the sale of personal data. Further, there are carve-outs for HIPAA and other federal privacy laws.
Personal Data Rights of Consumers
The VCDPA § 59.1-573 sets out consumer personal data rights, providing for rights to know, access, correct, delete, obtain a copy, and opt out of processing.
Data Controller Responsibilities
Under the VCDPA, “‘Consent’ means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.” VCDPA § 59.1-571.
Controllers have purpose limitation responsibilities “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.” VCDPA § 59.1-574(A)(1).
Likewise, controllers are forbidden from processing “personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer.” VCDPA § 59.1-574(A)(2). Additional processing beyond that scope requires the controller to obtain the consumer’s consent for those additional purposes.
Additionally, controllers are required to “[e]stablish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” VCDPA § 59.1-574(A)(3). Virginia missed a golden opportunity to codify the CIA Triad (i.e., choosing the term “accessibility” over “availability”).
VCDPA § 59.1-574(A)(4) requires consent for processing sensitive data and adopts COPPA as the standard for processing a child’s data.
No Waiver of Consumer Rights
VCDPA § 59.1-574(B) outlaws any attempt to waive a consumer’s rights – such provisions “shall be deemed contrary to public policy and shall be void and unenforceable.”
Controller Privacy Notice to Consumers
Controllers are required to “provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:”
- The categories of personal data processed by the controller;
- The purpose for processing personal data;
- How consumers may exercise their consumer rights pursuant to § 59.1-573, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data. VCDPA § 59.1-574(C).
Personal Data Processing Opt-Out
Controllers are required to “clearly and conspicuously disclose” the sale of personal data to third parties or the processing of personal data for targeted advertising. The disclosure must include information on the manner in which a consumer may opt out of either. VCDPA § 59.1-574(D).
Consumer Rights Portal Requirement
VCDPA § 59.1-574(E) requires controllers to establish a “secure and reliable means for consumers” to exercise their rights under the VCDPA. This method (or portal) must be described in the controller’s privacy notice.
Controllers can’t require consumers to create a new account with the controller to use its portal; however, they can require users with an existing account to use that account.
Controller vs. Processor Responsibilities
Processors take orders from the controller but must assist the controller in complying with the VCDPA, including using appropriate technical and organizational controls, as well as aiding in breach notification duties and “providing necessary information” for the controller’s data protection assessments.
Data processing agreements between a processor and controller must “include requirements that the processor shall:”
- Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter;
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request; and
- Engage any subcontractor pursuant to a written contract in accordance with subsection C that requires the subcontractor to meet the obligations of the processor with respect to the personal data. VCDPA § 59.1-575(B).
The “subsection C” referenced above states:
Nothing in this section shall be construed to relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as defined by this chapter.
VCDPA § 59.1-575(C).
Determining Controller vs. Processor Status
Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.
VCDPA § 59.1-575(D).
Data Protection Assessments
Certain data processing activities require a controller to conduct a data protection assessment (DPA):
- Processing for targeted advertising
- Sale of personal data
- Profiling, when there is a risk of:
  - unfair or deceptive treatment / unlawful disparate impact
  - financial, physical, or reputational injury
  - invasion of privacy
  - other substantial injury
- Sensitive data processing
- Any processing with a heightened risk of harm
VCDPA § 59.1-576(A).
DPAs must weigh benefits and risks, as mitigated by the controller’s safeguards. The use of de-identified data, consumer expectations, and the context of the processing in the controller/consumer relationship must all be factored into the DPA. VCDPA § 59.1-576(B).
The Attorney General can request DPAs that are relevant to investigations; however, the DPAs remain confidential and exempt from Virginia FOIA requests, and disclosure to the AG doesn’t amount to a waiver of attorney-client or work product privileges. VCDPA § 59.1-576(C).
De-Identified Data
The controller in possession of de-identified data shall:
- Take reasonable measures to ensure that the data cannot be associated with a natural person;
- Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
- Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.
VCDPA § 59.1-577(A).
Legal, Safety, and Research Limitations
There are several common carve-outs found in VCDPA § 59.1-578 that exempt actions taken by controllers and processors in order to comply with laws and investigations, defend legal claims, protect life, respond to security incidents, and engage in research.
Additionally, controllers and processors are exempt from these restrictions for internal research, product recalls, identifying and repairing technical errors, and “internal operations that are reasonably aligned with the expectations of the consumer.”
Wrapping up the limitations, VCDPA § 59.1-578(F) notes that processing under this section must be:
- Reasonably necessary and proportionate to the purposes listed in this section; and
- Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
The burden of proof lies on the controller to demonstrate an exemption under § 59.1-578 applies.
Enforcement and Penalties
There is no private right of action for violations of the VCDPA. Exclusive authority to enforce the VCDPA lies with the Virginia Attorney General.
The AG must give a controller or processor 30 days’ written notice of the specific provisions the AG alleges are being violated. The controller/processor then has 30 days to cure the violation and provide a written statement of the cure (and a promise not to violate again). If cured, the AG will take no further action.
If a violation continues beyond the cure period (or if a previously-cured violation reoccurs), then the AG brings an action against the controller/processor. The AG can seek an injunction and/or civil penalties of up to $7500 for each violation, along with reasonable expenses and attorney fees.
VCDPA § 59.1-5710
Consumer Privacy Fund
Civil penalties, expenses, and attorney fees collected by the AG will go into a newly-established Consumer Privacy Fund, which will be exclusively used to support the AG’s enforcement of the VCDPA.
VCDPA Work Group
A work group will be formed to review the VCDPA and “issues related to its implementation.” This work group will be composed of:
- Secretary of Commerce and Trade
- Secretary of Administration
- Attorney General
- Chairman of the Senate Committee on Transportation
- Representatives of businesses who control or process personal data of at least 100,000 persons
- Consumer rights advocates
The work group’s “findings, best practices, and recommendations” regarding the implementation of the VCDPA are set to be delivered to the Virginia Senate and House committees by November 1, 2021.
VCDPA § 59.1-581