What You Should Know about the Virginia Consumer Data Protection Act

Feb 01, 2021   |   6 min read

The Consumer Data Protection Act (HB2307/SB1392) isn’t law yet, but it may be in a matter of days or weeks.

We’re not lawyers, and this isn’t legal advice. (The final version of the legislation may differ from the bill text as it stands today.) But here’s what we know so far.

Like recent data privacy legislation in Europe and California, the Consumer Data Protection Act (CDPA) regulates how businesses collect and manage “personal data.” The bill defines personal data as information that is linked or reasonably linkable to an identified or identifiable natural person (e.g., a phone number or email address); de-identified data and publicly available information are excluded. Data tied to a specific device (e.g., an IP address) counts when it can reasonably be linked back to a person.

The CDPA would add a chapter to Title 59.1 of the Code of Virginia. Even if it becomes law, none of its provisions would take effect until January 1, 2023.

Questions you probably have—and some preliminary answers

Who would it apply to?

The CDPA would apply to Virginia-based businesses and businesses that market and sell to Virginia residents. As it’s drafted now, it would apply only to businesses that “control or process personal data of at least 100,000 consumers” in a calendar year, so mom-and-pops are likely unaffected.

(Caveat: If your company derives more than 50% of its gross revenue from selling personal data, the threshold drops to 25,000 consumers.)

The legislation exempts non-profits, universities, and government agencies. It also excludes organizations whose data management must already comply with GLBA (for financial information) or HIPAA (for medical information).

What would it require?

1. Responding to consumer data requests

Within 45 days of receiving a consumer’s request, a company would be required to let that consumer:

  • Know if the company processes or has access to their personal data.

  • Correct inaccuracies in their personal data.

  • Delete their personal data.

  • Get a copy of their personal data.

  • Opt out of the company selling their personal data, using it for targeted advertising, or profiling them in ways that produce legal or similarly significant effects. (Companies can’t discriminate against consumers who opt out, with exceptions such as bona fide loyalty and rewards programs.)

A company can extend the 45-day deadline once, by another 45 days, when reasonably necessary, but it must tell the consumer about the extension and the reason for it within the original 45 days. A company can also decline to act on a request, provided it gives the consumer a justification and instructions for appealing the decision. Responses must be free of charge up to twice a year per consumer. Beyond that, or where requests are manifestly unfounded, excessive, or repetitive, a company can charge “a reasonable fee.”

While the language is general, the legislation is explicit that a company does not have to re-identify de-identified or pseudonymous data, or keep data in an identifiable form, just to satisfy a request. So, for example, having a name and email address in your CRM doesn’t mean you have to work backward through Google Analytics to find out which form that person filled out, when they filled it out, and what other de-identified data may be associated with them there.

2. Adding transparency to your privacy policy

You may need to expand the language in your privacy policy to include:

  • The categories of data you process as well as which categories of that data you share with third parties (and the types of third parties that receive such data).

  • The purposes for which you process the personal data you collect.

  • Details on how consumers can contact you to request their data, opt out, delete their data, etc., including how they can appeal a decision you make on such a request.

3. Documenting a data protection assessment

There’s additional language that requires a company to “conduct and document a data protection assessment” for certain kinds of processing: targeted advertising, selling personal data, profiling that carries particular risks to consumers, processing sensitive data, and any other processing that presents a heightened risk of harm. The assessment weighs the benefits of the processing against the risks to the consumer, and what safeguards reduce those risks.

If your company is investigated, the Virginia Attorney General could request a copy of the assessment to help determine whether you’re in compliance. The requirement is not retroactive: it applies only to processing activities created or generated after January 1, 2023.

A company that shares personal data in compliance with the act is not responsible for a recipient’s later violations, as long as it did not know, at the time of sharing, that the recipient intended to commit one. (Similarly, a third-party processor isn’t responsible for violations by the company that shared the data with it.) Note that the bill does expect a written contract between a company and each of its processors setting out the processing instructions and obligations.

How will it be enforced?

The Virginia Attorney General has exclusive authority to enforce the act and seek civil penalties. Individual residents cannot sue under it; there is no private right of action.

In the event of a violation, the Attorney General would give a company 30 days’ written notice. If the company cures the violation within that window and states in writing that it has been cured and that no further violations will occur, no action is brought.

Failing that, the Attorney General can seek civil penalties of up to $7,500 per violation. (The bill does not spell out how violations are counted. If courts read it the way other data-privacy laws have been read, the penalty would be calculated per affected consumer rather than per incident, regardless of how many consumers that incident affects.)

The penalties, in turn, would go into a Consumer Privacy Fund used to support the Attorney General’s enforcement of the CDPA.

How does it compare to GDPR and the California Consumer Privacy Act?

While the Virginia legislation is broad, it’s not as aggressive as the EU's GDPR and scales back a few aspects of the California Consumer Privacy Act (CCPA) legislation that took effect in 2020 in that state.

The broad parallels:

  • All three give consumers the right to find out what personal data a company has about them, to request that the company not sell it, and to ask that they delete it.

  • The scope of the law works the same. If you’re a business located in the EU, it applies to you, and if you’re a business outside the EU that targets EU consumers, it applies to you. Substitute “Virginia” for “EU,” and the rule is the same. Any business that markets to people in Virginia (and meets the other scope requirements) must comply.

  • Enforcement falls mainly to regulators, not individuals. Under the CDPA only the Attorney General can sue. The CCPA is likewise enforced by California’s Attorney General, though it does give individuals a limited right to sue over certain data breaches, and the GDPR lets data subjects lodge complaints with a supervisory authority and seek compensation themselves. So the CDPA is the most protective of businesses on this point.

Some meaningful differences:

  • CCPA has exclusions for data that’s regulated by GLBA or HIPAA (i.e. financial and health data) but not for the institutions that manage the data. So, under the California law, banks and hospitals have to treat data about account balances or medical history separately from data used for marketing purposes. The CDPA excludes the institutions themselves: if you’re a financial institution subject to GLBA, or a covered entity or business associate under HIPAA, you’re not subject to the CDPA.

  • CCPA has fuzzy language when it comes to “selling” data. In some cases, data sharing could be interpreted as “selling” data, even though the businesses involved wouldn’t see it that way. For example, if a vendor or partner with whom you freely shared data then used that data for something else, CCPA could qualify that as a “sale.” CDPA makes explicit that there must be direct, monetary compensation for an exchange of data to count as a “sale.”

  • The VA bill excludes employee data entirely. A “consumer” is a Virginia resident acting only in “an individual or household context,” not in a commercial or employment context. The CCPA, by contrast, only partially and temporarily exempts employee data.

Data privacy laws are changing. We can get you up to speed.

Our video will help you understand if VA’s CDPA applies to your business and how you can prepare.


Derek Gleason