Virginia’s new Consumer Data Protection Act, or the VCDPA, goes into effect on Jan. 1, 2023, but covered Virginia businesses should begin preparing now.
The Virginia Attorney General can levy up to $7,500 per violation, so covered businesses should carefully consider the following consumer rights and action items to avoid penalties.
Who does the VCDPA apply to?
The act applies to two types of companies. It covers Virginia-based businesses and any business that controls or processes the personal data of at least 100,000 Virginia residents per year. It also applies to businesses that process the data of at least 25,000 Virginia residents per year, if the company makes more than half of its gross revenue from selling personal data.
The act does not apply to state or local governmental entities, nonprofits, higher education institutions, financial institutions (or data) subject to the Gramm-Leach-Bliley Act or covered entities and business associates subject to the privacy and security provisions of HIPAA and the Health Information Technology for Economic and Clinical Health Act.
Who is a ‘consumer’? The act defines a “consumer” as a natural person who is a resident of the commonwealth acting only in an individual or household context. Under the act, a business or an employer is not a “consumer.” This means that the act does not apply to data collected in a business-to-business or employment context.
If your company is already compliant with the California Consumer Privacy Act, does this really matter? Yes, as the act imposes certain requirements that are not identical to those imposed by previously enacted consumer privacy laws, including the California Consumer Privacy Act, or CCPA.
Won’t this all be moot soon since Congress is considering a federal privacy law? It’s highly unlikely that a federal law will be passed any time soon that will pre-empt the provisions of the VCDPA.
Although the American Data Privacy and Protection Act, or ADPPA, had some bipartisan support and passed out of the House Committee on Energy and Commerce over the summer, Speaker Nancy Pelosi has expressed concerns regarding the scope of the ADPPA’s preemption provisions, suggesting that the proposed preemption provisions go too far, and stating that she would not advance the bill in its current form to a vote.
Even if the ADPPA were to advance to the Senate, it also faces some opposition in that chamber, including from Sen. Maria Cantwell.
Consumer rights: What does the VCDPA do?
Limits data collection. The act limits personal data collection to what is adequate, relevant and reasonably necessary for the business’s purpose for processing the data.
Allows consumers to know, access, correct and delete personal data. The VCDPA gives consumers a right to knowledge, including: what personal data is collected; the purpose for collection; what kinds of personal data are shared with third parties; and the identity of those third parties.
Consumers can request this information, confirm what personal data the business has, correct any inaccuracies in that data, and request that the data be deleted. Consumers also have the right to data portability.
Allows consumers to opt out of the sale of their personal data, the processing of personal data for targeted advertising purposes and profiling based on personal data. A business must disclose its intent to sell data to third parties or to process personal data for targeted advertising and must explain how the consumer can opt out. Likewise, consumers have the right to opt out of profiling decisions that produce legal or similarly significant effects. Opt-in consent is required to process personal data unless an exemption applies.
Makes security a requirement. The act makes a covered business responsible for establishing, implementing, and maintaining data security practices that will protect consumers’ personal data. There is no black-and-white rule regarding appropriate practices. A covered business must do what’s reasonable in light of the entity’s size, revenues and type of data it processes. The Attorney General can request the results of a data protection assessment at any time.
Protects a consumer from discrimination. The VCDPA prohibits businesses from discriminating against a consumer for exercising rights under the act. For example, a consumer cannot be denied goods or services, charged different prices or given a different quality of goods or services for opting out of the sale of personal data or accessing, correcting or deleting their data.
Compliance: What should businesses do before Jan. 1?
Review what data is collected and processed. Data inventories are critical. Businesses should inventory what data they are collecting and for what purpose to ensure that they are not collecting any more data than necessary.
Again, the touchstone here is reasonableness. Is the purpose for collecting data reasonable? Is the type and amount of data collected reasonable for that purpose? It is not yet clear how this standard will be enforced, but businesses should be aware of the VCDPA’s emphasis on reasonableness when evaluating their data privacy practices.
Create or update a personal data notice. The VCDPA makes this notice a requirement. Covered businesses must provide consumers with an accessible, clear and meaningful privacy notice that informs them of what personal data will be processed, and for what purpose.
The notice must also inform consumers of their rights under the VCDPA, how they can exercise those rights, and how they can appeal adverse decisions.
Finally, the notice must inform consumers of the categories of third parties that purchase or receive their data, and the categories of personal data shared with these third parties.
This notice must also be given to employees and job applicants, and should be distributed before any data is collected, including online and over the phone. It is a good idea to have this notice reviewed by a consumer privacy attorney to ensure compliance with the VCDPA’s content requirements.
Create a standard procedure for answering consumer requests. Develop or revisit policies and procedures for responding to consumer requests. The VCDPA has strict requirements, e.g., providing a response to a consumer request within 45 days of receipt.
Businesses must also have a procedure for proactively obtaining consent from consumers to process sensitive data, or to deviate from the data purposes disclosed in its privacy notice.
Businesses with policies that already comply with the GDPR or the CCPA will have a head start, as the VCDPA has similar consumer protections. But your consumer privacy compliance professional will be able to highlight the nuances, such as the VCDPA’s broader opt-out rights.
Another reason to have your procedures reviewed by a consumer privacy attorney: the VCDPA provides some exceptions to consumer rights that may benefit businesses. For example, consumers’ rights do not apply to data that has been de-identified and cannot be traced back to an individual. But businesses using de-identified data must still comply with detailed exemption requirements under § 59.1-581 of the act.
Review data security policies. Businesses should ensure that their current security policy adequately protects personal data. Review these policies with an eye to the VCDPA — as mentioned, the Attorney General can request that a business disclose any data protection assessments that are relevant to an investigation, and the Attorney General will evaluate them for compliance.
A must-do for all covered businesses: review all agreements with third parties and data processing vendors. A covered business’s data processor(s) — and third parties with access to consumers’ personal data — are also subject to the VCDPA. The data security policies in these agreements should reflect all of the covered business’s own policies and procedures and inform the data processor or other third party of their obligations under the VCDPA.
The VCDPA’s effective date is fast approaching, but it’s not too late to begin preparing. Employers should quickly understand how the act will affect their business and make sure their data policies are VCDPA-compliant.
Risa Boerner is a partner and co-chair of Fisher Phillips’ Data Security and Workplace Privacy Practice Group. She is a certified information privacy professional (CIPP/US) and certified information privacy manager (CIPM).
Dave Walton, a certified privacy professional (CIPP/US), is a partner at Fisher Phillips and a member of its Data Security and Workplace Privacy Practice Group.
Kayla Panek is an associate at Fisher Phillips where she defends and advises employers in a range of employment-related cases.