With the recent passage of the Virginia Consumer Data Protection Act (CDPA), Virginia has joined California as the second U.S. state with a comprehensive consumer data privacy law. The Virginia legislation, which was signed into law on March 2, gives consumers new rights in controlling the processing of their personal data and will hold companies responsible for violations of the law.
For the most part, the CDPA mirrors the provisions contained in the California Consumer Privacy Act (CCPA) of 2018 and the EU’s General Data Protection Regulation (GDPR) of 2016. The Virginia law is widely considered to be less restrictive and more industry-friendly than California’s law. The CCPA and the GDPR contain more stringent obligations for protection of consumer information, and the GDPR packs more powerful enforcement capabilities than either U.S. law.
Unlike the near-blanket application of the CCPA and the GDPR, the CDPA is more limited in terms of the businesses covered by the law. When the newly signed legislation goes into effect in January 2023, it will apply to all businesses that control or process the personal data of at least 100,000 Virginia residents in a single calendar year, or those that control or process the personal data of at least 25,000 Virginia consumers and derive more than 50% of gross revenues from the sale of that personal information in a single calendar year. This applies to businesses in Virginia, as well as those outside of Virginia that meet the aforementioned criteria. The main points on which the CDPA differs from, or tracks, the CCPA and the GDPR are the following:
- Definition of personal data: The Virginia law expands the definition of personal information to cover sensitive data that includes information related to race, ethnic origins, religion, sexual orientation, and mental or physical health, among others. The CDPA covers only data that is identifiable to a natural person, rather than data that is identifiable to a device or household.
The California CCPA follows a very broad definition of sensitive data that includes information that identifies, relates to, or could reasonably be linked to an individual or their household. California recently passed a ballot initiative amending the CCPA to create a new category of sensitive data that includes Social Security and driver’s license numbers. The GDPR defines personal data as any information that is related to an identifiable natural person.
- Private right of action: Virginia’s CDPA lacks a private right of action, meaning that consumers cannot sue companies that violate provisions of the law. The Virginia attorney general is responsible for enforcement of the CDPA. California, on the other hand, has a private right of action, and enforcement is spearheaded by, but not limited to, the attorney general.
- Exemptions: Privacy laws typically exempt certain companies. The CDPA allows for more exempted entities compared with the CCPA. Like the CCPA, the Virginia law provides exemptions for financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates governed by healthcare regulations, nonprofit organizations, and certain higher education institutions. One difference is that the CDPA exempts personal information that falls within the category of employee information, while the CCPA includes this employment data.
- Limits on collection and processing of data: Like the CCPA and the GDPR, the Virginia law limits data collection to information that is “adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed.”
- Sale of personal information: Unlike the CCPA, the Virginia CDPA stipulates that an exchange of personal data must be monetary in order to qualify as a sale; the CCPA allows “other valuable consideration.”
More state and federal laws are on the way
Lawmakers in a handful of additional states – Florida, Minnesota, New Jersey, New York, Washington, and Oklahoma – have introduced bills designed to strengthen protection of consumers’ personal data. But these state-centric laws vary, and in the absence of a federal privacy statute, state regulations are likely to become increasingly convoluted. Businesses that meet the requirements in different states would have to remain keenly aware of the ebbs and flows of changing regulations and operationalize solutions as needed. There is an increased expectation that as more of these state-level regulations and laws are passed, more pressure will be exerted on federal lawmakers to pass a national privacy law with a single set of guidelines.
At the federal level, the battle to protect consumer data has spurred introduction of three national privacy bills: the Consumer Data Privacy and Security Act, the Consumer Online Privacy Rights Act (COPRA), and the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. Under these proposed bills, businesses would be obligated to comply with purpose limitation, data minimization, a privacy by design program, automated decision-making requirements, fiduciary duty, and hiring of a privacy officer, among other requirements. Thus far, there don’t seem to be full-steam-ahead efforts to make any of these proposed bills a reality.
How privacy laws impact consumers and affected companies
It’s worth noting that the average consumer probably thinks about privacy in a different context than legislators do. The typical person is more likely to be worried about privacy as it relates to personal health and safety, employment, and childcare, rather than about whether companies follow the rules for processing and selling their personal data. And because the right to privacy is relatively new in the U.S., the real-world impacts and benefits to consumers are difficult to gauge. The aforementioned average consumer is still more likely to be interested in a targeted advertisement for something they merely spoke about previously than in privacy legislation. In fact, in one survey of 2,000 U.S. consumers, 81% said they are willing to share personal information in exchange for more personalized services.
Among businesses, organizations are clamoring for guidance on data privacy. Privacy regulations and compliance obligations have driven the need and processes to protect data, of course. But more recently, the principle of accountability has become prominent in global privacy law, policies, and practices, according to a report by Cisco. Accountability requires that the business itself be responsible for implementing appropriate privacy and data protection safeguards. One reason why accountability is gaining traction is that it can yield significant business advantages; 70% of respondents to the Cisco survey said their privacy initiatives have yielded business benefits such as competitive advantages and agility.
The future of data privacy legislation is uncertain, but some basic elements can be deduced. Accordingly, businesses that would fall within the scope of the proposed state legislation should start a compliance initiative now to stay ahead of the game. Tactically, companies should:
- Consider the applicability of existing guidelines for data protection, processing, and sales as the foundation for compliance for proposed legislation.
- Consider establishing a privacy compliance mechanism to assess and manage privacy impacts to business. The criticality of data privacy should be further elevated as new bills are introduced.
- Begin taking inventory of data being collected, used, retained, and shared within the company, as well as with third parties. This will give a jump-start to the roadmap to minimize risks.