The Commonwealth of Virginia is on the verge of becoming the second state with a consumer data protection law. The Consumer Data Protection Act (“CDPA”), which awaits signature by Governor Northam (who is expected to sign the bill into law), would go into effect on January 1, 2023. Like California’s CCPA (and CPRA, also set to take effect January 1, 2023), the CDPA establishes a “comprehensive” framework for the collection and use of personal data of Virginia residents while also (and ironically) not applying to companies across the board. The CDPA would apply “to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Unlike CCPA, the CDPA does not contain an “annual revenue” threshold.

A few key points:

  • The CDPA specifically requires controllers, defined as in GDPR as “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing”, to limit their collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
  • The CDPA contains an exclusion for individuals acting in the employment context, which differs somewhat from CCPA in that CCPA merely limits certain rights for personal information collected and processed in the employment context. Notably, the CDPA’s definition of “consumer” also specifically excludes a natural person acting in a “commercial context” – this has yet to be vetted, but could prove to be a significant exclusion.
  • The CDPA exempts organizations subject to HIPAA and GLBA (among others). CCPA, on the other hand, excludes the personal data specifically covered by other regulations, such as PHI subject to HIPAA, but other personal information collected by the same entities may still be subject to CCPA. The CDPA also excludes certain types of personal information from its scope.
  • The CDPA “borrows” the concepts of controller and processor from the GDPR, and requires a contract outlining the obligations and responsibilities of the parties, much like Article 28 of the GDPR with some differences. By contrast, the CCPA requires service providers to certify to their limited processing of personal information (i.e., that they will not sell personal information), but provides little more detail.
  • The CDPA provides consumers with the rights to delete, access, correct, as well as data portability. It also has a right of non-discrimination – like CCPA – for consumers exercising their rights.
  • The CDPA also allows consumers to opt-out of the processing of their personal data “for purposes of (i) targeted advertising, (ii) the sale of personal data or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.” By specifically identifying targeted advertising, Virginia has avoided the proverbial elephant in the room that has generated so much confusion with CCPA. Still, it continues the tradition, here in the U.S., of placing the burden of blocking online tracking on consumers rather than companies.
  • Notably, the CDPA specifically requires a “data protection assessment” – that the Attorney General may request in connection with an investigation – with respect to certain processing activities, including processing in connection with targeted advertising, the processing of sensitive data, and other activities that may heighten risks/harm to consumers. This is actually broader, or at least more specific, than the DPIA mandate under GDPR, meaning that some organizations that have complied with GDPR requirements, but never otherwise engaged in processing activities requiring a DPIA under GDPR, may easily be required to conduct a data protection assessment for purposes of the CDPA.
  • Speaking of “sensitive data”, the CDPA defines this as (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (3) the personal data collected from a known child; and (4) precise geolocation data. The collection of precise geolocation data is a big issue when it comes to privacy, and the CDPA has clearly identified it as such. Circling back to the point above, companies collecting sensitive data must conduct (and document) a data protection assessment, which is a significant endeavor for many companies that have been “casually” collecting some of the personal data included in the definition of sensitive data.
  • Unlike CCPA, which carries a limited private right of action for certain data breaches, the CDPA is enforced exclusively by the Attorney General, with a 30-day cure period (like CCPA).

Businesses that already comply with CCPA will certainly have a strong head start, but additional requirements, such as a data protection assessment, will also need to be addressed. 2023 is still almost two years away, but as other states consider consumer data protection laws, Virginia’s CDPA is now just another piece of our massive privacy patchwork here in the U.S. Despite the fact that, unsurprisingly, the CDPA (like CCPA) does not come close to the EU’s high bar when it comes to privacy standards, it does beg the question: when will a federal privacy law finally see the light?

Updated March 3, 2021: the CDPA has been signed into law and will take effect January 1, 2023.