Breaking Down Virginia’s Privacy law

What is Virginia’s Consumer Data Protection Act (CDPA)?

In March of 2021, Virginia participated in the growing trend of state-enacted privacy legislation. The CDPA is set to take effect on January 1, 2023, the buffer time for compliance is coming to a close. Fortunately, this buffer is also accompanied by the fact that the CDPA takes many notes from GDPR and CCPA; providing a head start to compliance for organizations who are already compliant with these privacy regulations. 

Who Does it Apply To?

The first question organizations must ask is whether the regulation applies to them. The CDPA applies to “persons” that conduct business in Virginia or produce products or services that are targeted to residents of the Commonwealth, that either:

(a) control or process personal data of more than 100,000 residents; or 

(b) control or process personal data of more than 25,000 residents and derive over 50% of gross revenue from the sale of personal data

The Act also provides for exemptions for certain entities such as: Virginia public entities, entities covered by the Gramm-Leach-Bliley Act, HIPAA-covered entities, nonprofit organizations and higher education institutions.

What are the Consumer Rights?

The CDPA creates multiple consumer rights, many of which mirror those created by California’s privacy legislation. 

Consumer Rights Under the CDPA:

• Right to Access: the right to confirm whether a controller is processing personal data concerning the consumer and have access to their personal data.
• Right to Correction: the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data. 
• Right to Deletion: the right to request the deletion of personal data concerning the consumer.
• Right to Data Portability: the right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.
• Right to Opt-Out: the right to opt-out of the processing of personal data concerning the consumer for purposes of:
  • targeted advertising
  • the sale of personal data, or 
  • profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer

The CDPA requires controllers to respond to consumer requests within 45 days, but if there is a reasonable necessity a 45-day extension will be granted. Notably, the CDPA does not create a right to action for consumers and leaves enforcement of the act in the hands of the Attorney General and District Attorneys. 

Key Definitions

Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

De-identified data means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person. 

Personal data means any information that is linked or reasonably associated to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.

Sensitive data means a category of personal data that includes: 

• Personal data revealing racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
• Personal data collected from a known child
• Precise geolocation data

Controller means the natural or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.

Processor means a natural or legal entity that processes personal data on behalf of a controller. 

Key Requirements for the Law

Data Controller Responsibilities

• Data Minimization: Controllers should limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes consented to by the consumer. 
• Reasonable Data Security Measures: Controllers should establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Additionally, security practices shall be appropriate to the volume and nature of the personal data.
• Non-Discrimination Against Exercising Consumer Rights’: A controller cannot discriminate against a consumer for exercising any of the consumer rights contained in this legislation. 
• Sensitive Data Processing: Controllers cannot process sensitive data concerning a consumer without first obtaining the consumer’s consent. Additionally, the processing of sensitive data of a known child must comply with the federal Children’s Online Privacy Protection Act.
• Privacy Notice: Controllers must provide a privacy notice to consumers in a reasonably accessible, clear, and meaningful privacy notice that includes:
  • The categories of personal data processed by the controller
  • The purpose for processing personal data
  • How consumers may exercise their consumer rights 
  • The categories of personal data that the controller shares with third parties, if any;
  • The categories of third parties, if any, with whom the controller shares personal data
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing. Additionally, the ability and method to opt out of this type of processing must be disclosed to consumers. 
  • They must establish, and describe in the privacy notice, at least one secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter

• Data Protection Assessments: A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:
  • The processing of personal data for purposes of targeted advertising
  • The sale of personal data
  • The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk to the consumer
  • The processing of sensitive data
  • Any processing activities involving personal data that presents a heightened risk of harm to consumers

• Processing De-identified Data: The controller should take reasonable measures to ensure that the data cannot be associated with a natural person. Publicly controllers must commit to maintaining and using de-identified data without attempting to re-identify the data. Additionally, they must contractually obligate any recipients of the de-identified data to comply with all provisions of the CDPA. 

What are the Penalties for Violations?

As stated above, the enforcement of compliance is on the shoulders of the Virginia Attorney General.  The Attorney General can levy fines of up to $7,500 per violation. To ensure resources are allocated to promote enforcement, the CDPA creates a Consumer Privacy Fund. 

We Can Help

If you need help meeting the CDPA requirements, Tevora’s team of security experts has got you covered. We are continually helping companies from every industry achieve compliance with new and emerging privacy laws. We would welcome the chance to do this for you.

Additional Resources

• Link to Full Text of the Law

Talk to an Expert 

If you have questions about CDPA or would like help implementing changes in your environment to ensure CDPA compliance, Tevora’s team of data privacy and security specialists can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com. Take a look at our Privacy Tracker that helps you stay up to date with every privacy regulation.