Virginia Is Poised to Enact Comprehensive Consumer Privacy Legislation
Virginia is poised to become the second state, after California, to enact comprehensive consumer privacy legislation. As of February 5, 2020, the State House and Senate had approved identical versions of the bill (S.B. 1392/H.B. 2307), which now heads for what appears to be a perfunctory reconciliation process. If the law is indeed enacted, it is expected to be signed by the Virginia Governor by the end of February.
Inspired by the European Union’s GDPR and the California Consumer Privacy Act, and modeled on the proposed Washington Privacy Act, the Virginia Consumer Data Protection Act (VCDPA) will introduce certain rights previously unavailable to U.S. consumers outside of California, as well as novel obligations on controllers and processors of personal data.
Jurisdictional Scope and Applicability
The VCDPA will apply to persons that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to Virginia residents and that (a) during a calendar year control or process the personal data of 100,000 or more consumers (i.e., Virginia residents); or (b) control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Exempt from the VCDPA are the state and its subdivisions; financial institutions subject to Title V of the GLBA; covered entities and business associates governed by the HIPAA/HITECH privacy, security, and breach notification rules; nonprofit organizations; and institutions of higher education. In addition, the Act exempts 14 categories of information and data from its coverage, including HIPAA protected health information and personal data regulated by the FCRA, FERPA, the Driver’s Privacy Protection Act, and the Farm Credit Acts.
Data collected in the context of employment is also outside the scope of the VCDPA.
Consumer Rights
Under the VCDPA, consumer rights with respect to personal data will include: (1) the right of access, which includes the right to confirm whether an organization is processing a consumer’s personal data as well as the right to access that data; (2) the right to correction; (3) the right to deletion; (4) the right to data portability; and (5) the right to opt out of processing for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Responsibilities of Controllers
Under the VCDPA, the responsibilities of a controller will include:
- Transparency. Controllers will be required to provide reasonably accessible, clear, and meaningful privacy notices that disclose the categories of personal data processed, the purposes for which data is processed, how and where consumers may exercise their rights, the categories of data controllers share with third parties, and the categories of third parties with whom controllers share personal data.
- Data minimization. A controller’s collection of personal data will need to be adequate, relevant, and limited to what is reasonably necessary in relation to the specified and express purposes for which such data is processed, as disclosed to the consumer.
- Avoidance of secondary use. Controllers will not be allowed to process personal data for purposes that are not reasonably necessary to, or compatible with, the specified and express purposes for which personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.
- Data security. Controllers will be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- No discrimination. Controllers will not be permitted to process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers, or to discriminate against consumers for exercising their personal data rights.
- Data subject requests. Controllers will be required to take action on consumer requests within 45 days of receipt of the request and to establish an internal appeal process for cases where the controller refuses to take action on a consumer request.
- Sensitive data. Controllers will not be permitted to process sensitive data without the consumer’s consent. Sensitive data under the VCDPA includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; personal data from a known child; and precise geolocation data.
Responsibilities of Processors
Under the VCDPA, the processing of personal data will be governed by a written contract between a controller and a processor. The contract will contain processing instructions and will specify the nature and purpose of the processing, the type of personal data subject to processing, the duration of processing, and the obligations and rights of both parties. At the direction of the controller, the processor will be required to delete or return all personal data to the controller at the conclusion of its services. The processor will also be required to make available to the controller all information necessary to demonstrate its compliance with the obligations under the Act, and to allow for audits and inspections.
In addition, processors will be required to ensure that persons processing personal data are subject to confidentiality obligations with respect to that data, and to engage subcontractors only pursuant to a written agreement that requires the subcontractors to meet the obligations imposed on processors with respect to personal data. Processors will also assist controllers in meeting their obligations under the Act and provide controllers with the information necessary to conduct and document their data protection assessments.
Data Protection Assessments
The VCDPA will obligate controllers to conduct data protection assessments with respect to each of the following processing activities involving personal data: (1) processing of personal data for purposes of targeted advertising; (2) the sale of personal data; (3) processing of personal data for purposes of profiling where such profiling presents a reasonably foreseeable risk of substantial injury to consumers; (4) processing of sensitive data; and (5) any processing activities involving personal data that present a heightened risk of harm to consumers.
Liability and Enforcement
The Virginia Attorney General will have exclusive authority to enforce the VCDPA and to impose civil penalties of not more than $7,500 per violation. Although the VCDPA does not provide for a private right of action, the Attorney General will be authorized to bring civil actions on behalf of consumers, subject to a 30-day cure notice, and to seek damages of up to $7,500 for each violation of the Act affecting the consumer.
Effective Date
If enacted, the VCDPA will become effective on January 1, 2023.