Tuesday, May 11, 2021

Virginia Joins California in Consumer Rights Protection

Enhanced data privacy rights are coming your way. The Europeans started it with the GDPR in 2018, followed soon thereafter by the California Consumer Privacy Act (CCPA).

While businesses were focused on GDPR and CCPA compliance, California voters passed a ballot initiative creating a new law, the California Privacy Rights Act (CPRA), which takes effect January 1, 2023.

The newest kid on the block is Virginia, where Governor Northam signed the Virginia Consumer Data Protection Act (CDPA) into law on March 1, 2021. It takes effect on the same day as the CPRA, January 1, 2023.

Not many were paying attention as the CDPA flew through the Virginia Legislature, passing by an overwhelming margin in fewer than two months. Similar privacy legislation has been introduced in other states, including Washington, Colorado, Connecticut, and Minnesota.

What are the implications of the CDPA, and how does it differ from the CCPA and CPRA?

The Virginia law departs from the California approach in several ways and adds a few operational challenges for businesses, including:

  • An affirmative consent (opt-in) requirement before processing sensitive personal data, which is broader than California's approach.
  • A broader opt-out right that covers not only sales of personal data but also targeted advertising and profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Mandatory data protection assessments, similar to the GDPR's impact assessments, for sales of personal data, targeted advertising, and profiling, including profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers.
  • Defined controller and processor roles, with processor-specific obligations to follow the controller's instructions, assist the controller in meeting its own obligations, and demonstrate compliance with the processor's obligations.

There is some good news for businesses:

  • Employee data and business-to-business data are not covered by the CDPA, because individuals acting in an employment or commercial context fall outside its definition of a consumer. Personal data under the CDPA also excludes de-identified data and publicly available information.
  • A "sale" of personal data under the CDPA is narrower than under the CCPA: it is limited to the exchange of personal data for monetary consideration by a controller to a third party.
  • The CDPA does not include a private right of action. The Virginia attorney general can, however, seek civil penalties of up to $7,500 per violation if a controller or processor fails to cure a violation after notice.

The CCPA, CPRA, and CDPA will likely be followed by laws in other states, adding further complexity to an already confusing and sometimes contradictory array of global data privacy compliance requirements.

As more and more states enact similar laws, the drumbeat for a comprehensive federal data privacy law will grow louder. Stay tuned!
