Posted by Craig Carpenter
On March 2nd, Virginia Gov. Ralph Northam signed Virginia’s comprehensive consumer data privacy bill into law, making Virginia the second state, after California, with a comprehensive privacy statute. The law is scheduled to take effect on January 1, 2023.
Like the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), Virginia’s Consumer Data Protection Act has a broad scope and jurisdictional reach, but many view it as more business friendly than California’s CCPA and CPRA. Below is a summary of some of the key provisions in the Virginia statute.
Virginia’s Consumer Data Protection Act (CDPA)
- The CDPA will apply to businesses that:
  - Conduct business in Virginia or produce products or services that are targeted to Virginia residents, and that either:
    - Control or process the personal data of at least 100,000 consumers during a calendar year; or
    - Control or process the personal data of at least 25,000 consumers and derive at least 50% of gross revenue from the sale of personal data.
  - There are a few exceptions, including nonprofits and institutions of higher education.
- Under the CDPA, a “Consumer” is defined as “a natural person who is a resident of the Commonwealth acting only in an individual or household context” – which would exclude employee data and some business-to-business data. “Personal Data” is defined as information that is linked or reasonably linkable to an identified or identifiable natural person, but excludes de-identified data or publicly available information.
- Under the CDPA, a “sale of personal data” occurs only when personal data is exchanged for monetary consideration (a narrower definition than California’s, which also covers exchanges for other valuable consideration).
- Virginia’s CDPA gives consumers certain rights with respect to their data, including:
- Right of access;
- Right to correct;
- Right to delete;
- Right of data portability;
- Right to opt out of sale and targeted advertising; and
- Right to appeal a business’s refusal to act on a request. Businesses must respond to requests within a reasonable time (generally 45 days, with a possible additional 45-day extension).
- Additional obligations on businesses subject to the statute include:
- Limitations on data collection;
- Limitations on the use of data collected;
- Requirement of “reasonable” safeguards;
- A requirement to conduct “data protection assessments”;
- A requirement to use data processing agreements with all third party processors; and
- Providing consumers with access to a detailed privacy policy.
Notably, the CDPA does not include a private right of action and will be enforced exclusively by the Virginia attorney general. Before an enforcement action is filed, companies receive written notice and a 30-day period to cure the alleged violation; uncured violations carry civil penalties of up to $7,500 per violation.
However, as we learned with the CCPA rollout in California, passing the Act is just the beginning. There is still much discussion about interpretation and regulation to be had.
Other State Comprehensive Laws
The Virginia statute has naturally drawn comparisons with California’s CCPA and CPRA and with the proposed Washington Privacy Act, which failed in 2019 and 2020 but has recently been reintroduced. Many of the CDPA’s key provisions mentioned above mirror similar language in California’s laws and Europe’s GDPR.
California has been the clear frontrunner in comprehensive consumer data privacy law in the U.S. In November 2020, California voters passed the CPRA. The CPRA broadens the scope of the previously implemented CCPA and creates a new enforcement agency, the California Privacy Protection Agency, with enforcement under the CPRA beginning in July 2023. As with the CCPA, the CPRA is expected to directly affect many companies that do business in California and to influence legislation in other states.
A few other states have passed consumer privacy laws, but so far none has the breadth or impact of the California laws. Nevada’s SB 220 applies broadly, but it generally concerns only sales of personal data for monetary consideration and gives consumers an opt-out right. Maine enacted an Internet privacy law in 2019, but that law applies only to internet service providers.
Where Does that Leave Texas?
Texas has not passed a comprehensive consumer data privacy bill. Although comprehensive CCPA-like bills have been introduced, in 2019 Texas instead formed a committee to study potential privacy laws and to recommend to the legislature any statutory changes regarding the privacy and protection of personal information that the study found necessary.
In September of last year, that committee (the Texas Privacy Protection Advisory Council) released its interim report to the 87th Legislature. While the report does not propose specific statutory provisions, it does provide a framework for future Texas privacy legislation based on six general recommendations:
- State agencies should adhere to privacy standards that are continually reviewed and updated;
- Legislative proposals should consider a balance between consumer privacy concerns and business compliance;
- Legislative proposals should consider the impact on highly regulated data (e.g., health and financial information) and complement existing federal laws;
- Legislative proposals should be written broadly enough to allow for the adoption of new technology and business standards;
- Legislative proposals should consider existing laws in Texas and in other states so as not to create conflict; and
- Texans have a right to know how their personal information is being used.
Early in the year, it appeared that privacy was going to be back on the agenda for the 2021 legislative session . . . that is, until the electricity grid stole the show. It remains to be seen whether Texas will make any progress on a comprehensive privacy bill this year.
Where Does that Leave Businesses?
For businesses that operate in more than one state (let alone more than one country), the challenge is obvious: how do you meet each current state standard that applies to your business, as well as those likely to be enacted in the future? No single rulebook exists yet. As these statutes take effect, companies need a process for determining whether each new law applies to their business, and compliance programs that address the existing state laws while remaining flexible enough to adapt to newly adopted ones.