Written by: Sarah Johnson | February 22, 2022

This month we're looking at two significant pieces of internet privacy legislation from 2021. First, the Virginia Consumer Data Protection Act, and second, the Colorado Privacy Act. The Virginia Consumer Data Protection Act made Virginia the second state (after California with the CCPA in 2018) to enact comprehensive privacy legislation. For additional blogs on privacy legislation, you can check out the Oklahoma Computer Data Privacy Act, which we looked into last month, Examining the American Data Dissemination (ADD) ACT, and NV SB260 – The Latest in Internet Privacy Legislation.

What is the Virginia Consumer Data Protection Act?

VA HB2307, or the Virginia Consumer Data Protection Act (VCDPA), was introduced at the end of January 2021, crossed over (89-9) on February 19, passed the Senate on February 24 (32-7), and then, after an extension into the 2021 special session, was signed into law on March 2, 2021 by Governor Ralph Northam. The act should go into effect January 1, 2023.

At a high level, all companies doing business in Virginia or utilizing data to market to Virginians will have to audit their collection processes and the use of consumer personal information to ensure their practices comply with the new protections afforded to consumers. Under the VCDPA, Virginia residents have the right to access, correct, delete, move, and opt-out of the sale and processing of their personal information within certain circumstances.

Scope

The most important question for organizations operating within Virginia is whether or not the VCDPA applies to them. Under the bill, the new regulations will be imposed on entities that conduct business in Virginia or produce products or services targeted to Virginia residents and that either:

  • Control or process the personal data of at least 100,000 consumers during a calendar year
  • Control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data

Unlike other privacy legislation (think the CCPA or the Oklahoma Data Privacy Act), there are no revenue thresholds outlined as criteria in the VCDPA. This means any company, even a large one, will not be subject to the law's regulations as long as it does not control or process the personal data of more than 100,000 consumers, or derive at least 50% of its gross revenue from the sale of personal data while controlling or processing the personal data of more than 25,000 consumers.

Key definitions outlined

The VCDPA also outlines a few key definitions which change the bill's scope compared to similar bills.

"Consumer" is defined as "a natural person who is a resident of the Commonwealth acting only in an individual or household context." This is important because it explicitly omits a person who is "acting in a commercial or employment context," meaning businesses do not need to consider the employee personal data they collect and process when evaluating whether they are subject to the bill's regulations.

The "sale of personal information" is defined as "the exchange of personal data for monetary consideration by the controller to a third party." This definition means that money has to change hands in order for a "sale" to take place. By contrast, the CCPA defines a "sale" of data as an exchange for "monetary or other valuable consideration," meaning value of any kind, not only money, has to be derived. This definition also states that the "sale of personal data" does not include:

  1. The disclosure of personal data to a processor that processes the personal data on behalf of the controller
  2. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  3. The disclosure or transfer of personal data to an affiliate of the controller
  4. The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience
  5. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

"Publicly available information" is defined as "information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience."

Entity-Level Exemptions

There are five different types of exempted entities in the VCDPA:

  1. A body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth
  2. A financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act
  3. A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act
  4. A nonprofit organization
  5. An institution of higher education

Data-Level Exemptions

The legislation also outlines 14 specific types of information and data sets that are exempted from the act. Many are HIPAA-specific, such as protected health information under HIPAA, health records for purposes of Title 32.1, patient identifying information, and information and documents created for purposes of the federal Health Care Quality Improvement Act.

Other exempted data includes specific information regulated by the GLBA, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act.

Finally, information collected for employment purposes is exempted. This is defined as "data processed or maintained (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role; (ii) as the emergency contact information of an individual under this chapter used for emergency contact purposes; or (iii) that is necessary to retain to administer benefits for another individual relating to the individual under clause (i) and used for the purposes of administering those benefits."

Limits on Data Collection and Use

The bill also outlines limits on the data collection allowed by companies (similar to the GDPR and CCPA).

Limits on collection. Like the GDPR and CCPA, the VCDPA states that companies must "limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer."

Limits on use. The bill states that a controller shall, "Except as otherwise provided in this chapter, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent."

Rights and obligations provided to Virginia consumers

Like the CCPA, GDPR, or Oklahoma Data Privacy Act, the VCDPA affords consumers certain rights over how their personal data is used. The VCDPA outlines six rights and states that a controller shall comply with an authenticated consumer request to exercise the:

  1. Right to Access: To confirm whether or not a controller is processing the consumer's personal data and to access such personal data
  2. Right to Correct: To correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data
  3. Right to Delete: To delete personal data provided by or obtained about the consumer
  4. Right to Data "Portability": To obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means
  5. Right to Opt Out: To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
  6. Right to Appeal: To appeal a controller's refusal to take action on a request within a reasonable period of time. The appeal process must be conspicuously available and similar to the process for submitting requests related to the other rights. Within 60 days of receipt of an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.

There are no exceptions outlined in the legislation to these rights. The law states that "a controller shall comply with a request by a consumer to exercise the consumer rights" within 45 days of the request if they have authenticated the request. The bill also states that the information needed to respond to a consumer request "shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request."

Privacy Policy

Like other data privacy/protection legislation, the VCDPA outlines a provision requiring controllers to provide consumers with a privacy policy. The bill states that controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice including:

  1. The categories of personal data processed by the controller
  2. The purpose for processing personal data
  3. How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request
  4. The categories of personal data that the controller shares with third parties, if any
  5. The categories of third parties, if any, with whom the controller shares personal data

Controllers who sell personal data to third parties or who process personal data for targeted advertising must clearly and conspicuously disclose this processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

Controllers are also required to describe within their privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights (outlined above). The means the controller puts in place must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.

Enforcement

Once the VCDPA is in effect, enforcement of the bill is the responsibility of the attorney general. If the attorney general decides to take action, their office must notify the controller of the decision. Upon notification, the controller has 30 days to address the violation and provide the attorney general with an "express written statement that the alleged violations have been cured and that no further violations shall occur." The attorney general may fine a controller up to $7,500 per violation if the controller fails to "cure" the violation.


About BillTrack50 – BillTrack50 offers free tools for citizens to easily research legislators and bills across all 50 states and Congress. BillTrack50 also offers professional tools to help organizations with ongoing legislative and regulatory tracking, as well as easy ways to share information both internally and with the public.