Virginia swiftly passes Consumer Data Protection Act

Authored by Mike Vanderbilt and Rachael Reinis

Virginia’s Consumer Data Protection Act (CDPA), known formally as Senate Bill 1392, flew through the Virginia legislature after being introduced in mid-January of this year. Governor Ralph Northam signed the bill into law on Tuesday, March 2, and it will become effective on Jan. 1, 2023.

The passage of the CDPA provides residents of Virginia with a comprehensive data privacy law governing the collection, control and processing of their personal data. The law draws many similarities to the European Union’s General Data Protection Regulation (GDPR), including in its definitions of personal and sensitive personal data, and seems to be modeled after the Washington Privacy Act, which has not yet made it through the Washington state legislature.

The law’s material scope, the “who” that will be required to comply, is reminiscent of the Washington Privacy Act as well as the California Consumer Privacy Act (CCPA). Persons and entities that conduct business within the commonwealth and/or target their products and services to residents of the commonwealth will be required to comply in instances when:

1. The personal data of 100,000 Virginia residents, at minimum, is processed in a given calendar year; or
2. The personal data of 25,000 Virginia residents is processed and over 50% of gross revenue is derived from the sale (as defined) of personal data

To be sure, there are exemptions to compliance. We will not list them all here, but personal data governed under federal law, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), is generally exempt.

Resembling the GDPR, the CDPA adopts the terms “controller” and “processor” as well as similar meanings and responsibilities such as recognizing “personal data rights,” transparency through privacy notices and governing the relationship under a formal contracts. Another similarity is the requirement for controllers to perform “data protection assessments.” The goal of such assessments is consistent: identify and weigh the potential benefits of the activity against the potential risks to the rights of the consumer.

However, the CDPA goes a step further by defining within its text when businesses must perform an assessment. In addition to the general requirement that an assessment take place any time a processing activity will present a heightened risk of harm to consumers, the CDPA specifically requires an assessment for each of the following personal data processing activities:

• Targeted advertising
• Sale
• Profiling
• Any activity involving sensitive personal data

The second, but certainly not the last, state to pass such a law shows the determination of states to provide their residents with privacy protections that the federal government does not. The CDPA doesn’t give consumers everything they might have hoped for (most notably, it lacks a private right of action), but it is a big step forward and provides a model for other states that haven’t had the same success in getting a privacy bill passed.

With almost two years in between its passage and the effective date, there is time for any issues to be resolved and possible amendments to be added. And if that 2023 date looks familiar, that’s because California’s privacy act goes into effect on the same date.

Steps to take now

If your business operates nationally, now is an opportunity to begin your organization’s compliance evaluation. For more information on this topic, or to learn how our privacy specialists can help, contact our team.