Virginia Follows California with a Comprehensive State Privacy Law

By Michael Shapiro//

On March 2, 2021, Virginia became the second U.S. state, after California, to enact a comprehensive consumer privacy legislation. Inspired by the GDPR and the California Consumer Privacy Act, the Virginia Consumer Data Protection Act (VCDPA)¹ introduces certain rights previously unavailable to the U.S. consumers outside of California, as well as novel obligations on controllers and processors of personal data. The VCDPA will become effective on January 1, 2023.

Jurisdictional Scope and Applicability

Like the GDPR, the VCDPA will have extra-territorial applicability. The Act will apply to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and (a) during a calendar year control or process personal data of 100,000 or more consumers (i.e. Virginia residents); or (b) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.  

The VCDPA, however, exempts a number of organizations and categories of data from its scope. For example, the Act will not apply to state government and its subdivisions, financial institutions subject federal regulations, organizations regulated by the federal standards protecting sensitive patient health information, nonprofit organizations, and institutions of higher education. Employee personal data is also outside the scope of the VCDPA.

Consumer Rights

Under the VCDPA, consumers will have the following rights with respect to their personal data: (1) right of access, including a right to confirm that an organization is processing consumer’s personal data and the right to access that information; (2) right to rectification; (3) right to deletion; (4) right to data portability; and (5) right to opt-out of processing for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. 

Controllers will be required to act on the consumer requests within 45 days and allow consumers to file an appeal with the controller if it refuses to act on the consumer’s request.

Responsibilities of Controllers

Under the VCDPA, controllers’ responsibilities will include:

• Transparency. Controllers will be required to provide reasonably accessible, clear, and meaningful privacy notices which disclose categories of personal data processed, purposes for which data is processed, how and where consumers may exercise their rights, categories of data shared with third parties, and the categories of third parties with whom data is shared.

• Data minimization. Controller’s collection of personal data will need to be adequate, relevant, and limited to what is reasonably necessary in relation to the specified and express purpose for which such data is processed, as disclosed to the consumers.

• Avoidance of secondary use.  Absent consumer’s consent, controllers will not be permitted to process personal data for purposes that are not reasonably necessary to, or compatible with, the specified and express purposes for which personal data is processed, as disclosed to the consumers.

• Data security. Controllers will be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect confidentiality, integrity, and accessibility of personal data.

• Sensitive data. Controllers will not be permitted to process sensitive data without consumer’s consent.  The concept of “sensitive data” is similar to the GDPR’s special categories of personal data, and includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, or citizenship or immigration status; processing of genetic or biometric data for the purpose of uniquely identifying a natural person; personal data from a known child; or specific geolocation data.

• No discrimination. Controllers will not be permitted to process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers or to discriminate against consumers for exercising their personal data rights.

Responsibilities of Processors

The VCDPA will require that processing of personal data be governed by a written contract between a controller and a processor which includes processing instructions and specifies the type of personal data subject to processing, the nature, purpose, and duration of processing, as well as rights and obligations of both parties.  At the direction of the controller, the processor will be required to delete or return all personal data to the controller at the conclusion of its services. The processor will be required to make available to the controller all information necessary to demonstrate its compliance with the Act, as well as to allow for audits and inspections.

Processors will be required to contractually obligate their subcontractors to comply with the obligations imposed on the processors with respect to personal data.  Processors will also have to assist controllers in conducting data protection assessments and meeting their obligations under the Act.

Data Protection Assessments

The VCDPA will require controllers to conduct data protection assessments with respect to each of the following activities: (1) processing of personal data for purposes of targeted advertising; (2) sale of personal data; (3) processing of personal data for purposes of profiling where such profiling presents a reasonably foreseeable risk of a substantial injury to consumers; (4) processing of sensitive data; and (5) any processing activities involving personal data that present a heightened risk of harm to the consumers. The Act provides a safe harbor provision for organizations which already conduct GDPR-required data protection impact assessments with respect to these activities.

Liability and Enforcement

The Virginia Attorney General will be authorized to bring civil actions against controllers, subject to a 30-day cure notice, and seek fines up to $7,500 for each violation of the Act. The VCDPA does not provide for a private right of action.

What Do Emerging U.S. State Privacy Laws Mean for the European Companies?

In the absence of a comprehensive federal privacy law, the emerging U.S. state privacy legislations like the CCPA and the VCDPA will govern compliance obligations of the European companies conducting busines in the United States.

In addition to Virginia, at least 10 other states² are considering privacy bills right now, and some are likely to pass in the coming months. As most of these proposals incorporate the elements of the GDPR and the CCPA, multi-national European companies will be well positioned to scale their privacy programs to these new regulations. However, the proposed state laws all differ somewhat in their scope, application, and enforcement mechanisms, and will require careful and calibrated compliance approach, particularly given the risk of private litigation. Furthermore, some of these proposals, like the Florida privacy bill³, contemplate fairly short ramp-up to compliance period.

The European companies doing business in the United States should continue to closely monitor the developments in the U.S. state privacy legislation, assess their privacy programs in relation to the new legal requirements, and develop and implement compliance strategies as necessary.

By Michael Shapiro, Senior Counsel and Director of Data Privacy at Clarip, Inc.