In a development likely to increase pressure on Congress to pass federal data privacy legislation, the Commonwealth of Virginia appears to be on track to become the next state to enact a comprehensive consumer data privacy law. Both the Virginia Senate and House of Delegates recently passed nearly identical data privacy bills with strong bipartisan support, which bodes well for a straightforward reconciliation of the two.
Virginia's Consumer Data Protection Act (CDPA) now heads to Governor Ralph Northam's desk for him to sign the bill into law or to veto it. Presuming the bill is signed into law, the CDPA will become the next state-level data privacy law in the United States, and the next in a landscape (in the absence of federal data privacy legislation) that looks to be shaping into a patchwork of individual state privacy laws.
The CDPA closely mirrors other sweeping data privacy laws before it, notably the California Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR). If signed, Virginia's law takes effect on January 1, 2023, affording Virginia residents extensive data protections and holding to account the organizations that process Virginians' personal data.
Consumers in Virginia will be granted the following five rights under the CDPA:
- The right to confirm whether a controller is processing personal data and the right to access that data (Right to Access).
- The right to correct inaccurate personal data (Right to Correction).
- The right to delete personal data (Right to Deletion).
- The right to obtain personal data in a portable and readily usable format (Right to Data Portability).
- The right to opt-out of the processing of personal data for targeted advertising, sale of personal data, and "profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer" (Right to Opt-out).
The CDPA defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable natural person," not including "de-identified data or publicly available information."
In terms of scope, the CDPA would apply to any organization that conducts business in Virginia or produces products or services targeted at Virginia residents and that, during a calendar year, either controls or processes the personal data of at least 100,000 consumers (Virginia residents acting in an individual or household context), or controls or processes the "personal data of at least 25,000 consumers and derive(s) over 50 percent of gross revenue from the sale of personal data."
Data controllers would be obligated under the law to maintain transparency about their data practices, including publishing privacy notices and informing consumers when their personal data is sold or used for targeted advertising. On top of that, controllers would be required to adhere to the principles of data minimization and purpose limitation. Additional controller obligations would include conducting data protection assessments for higher-risk processing, such as the processing of sensitive personal data, and obtaining the consumer's consent before processing sensitive personal data.
Any organization bound by the CDPA would face civil penalties of up to $7,500 per violation, enforced exclusively by the Virginia Attorney General. Notably, the CDPA explicitly provides no private right of action, meaning consumers themselves could not sue an organization for an alleged violation of the law.
Though compliance with such laws can be expensive and resource-intensive, the January 2023 effective date should give businesses enough time to prepare. Indeed, organizations across the country should be preparing for data privacy compliance in any case, as more states are likely to introduce similar legislation while progress on a national data privacy law remains stalled by a partisan impasse in Congress.
It is clear that American consumers are desperately in need of strong data privacy protections. But in the absence of federal legislation protecting all Americans equally across the board, it has been up to individual states to introduce data privacy laws to protect consumers and hold companies accountable for their data practices.
A patchwork of 50 different state-level data privacy laws in the US is not an ideal scenario, but that is where the country will be headed if Congress remains unable to agree on how a national law should be implemented. Perhaps Virginia following in the footsteps of California and passing a comprehensive data privacy law of its own will put added pressure on Congress to finally get something accomplished on the federal level.