Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), namely the California Privacy Rights Act). Although this new Virginia law has been compared by many to California’s current CCPA and the EU’s GDPR, there are some differences. Businesses will find most of the differences a relief, although the law does introduce a few new concepts.

  • Virginia’s law applies more narrowly than CCPA and GDPR. The law covers information about “consumers,” which are people acting in their personal capacity, not employees (thus unlike CCPA and GDPR). It applies to companies that conduct business in Virginia and meet one of the following: (1) control or process personal data of 100,000 Virginian consumers during a calendar year, or (2) control or process personal data of 25,000 Virginian consumers and get 50% of gross revenue from the sale of personal data. Virginia also exempts financial institutions (subject to GLBA) and health care covered entities and business associates (subject to HIPAA). This is unlike CCPA, where the exemptions largely apply to types of information subject to other regulated laws, but not the entities subject to those other laws altogether. That said, Virginia also exempts several types of information. Nonprofits are also exempt.
  • Virginia, like California, has no private right of action. The AG has exclusive enforcement authority over CDPA. Moreover, the AG is required to provide a 30-day written notice to companies it believes are in violation of the law and an opportunity to cure prior to initiating any action. If after time the violation remains, the AG may initiate an action and seek $7,500 in damages for each violation.
  • Virginia provides for individual rights similar to those found under CCPA, and also adds some found in GDPR. The process for responding to rights requests appears simpler than CCPA and GDPR, however unlike those two laws, in Virginia there are fewer exceptions to honoring rights requests. Virginia also goes beyond CCPA and includes GDPR’s “rectification” right, and GDPR’s right to object to automated decision making and profiling. Like CCPA, there is a right to opt out of selling information, but Virginia adds a right to opt out of targeted advertising. While the latter is not contained in CCPA, this concept is already addressed by those who follow the DAA and FTC self-regulatory schemes. This addition appears to be designed to help clarify some of the different interpretations under CCPA about whether targeted advertising is a “sale.” Although the CDPA rights process is generally more straightforward than CCPA, Virginia does add an appeals process. At the conclusion of that process, companies must direct consumers to the AG for any unresolved issues. The Virginia law also includes some of GDPR’s “sensitive information” concepts, requiring opt-in consent to process any such information.
  • Virginia goes beyond CCPA by mirroring GDPR’s collection and use limitations; contains data security obligations similar to many jurisdictions. Like certain concepts in GDPR, under the new Virginia law companies should only collect information needed for the purposes of the processing. Further, information should only be used for the purposes reasonably necessary and compatible with a company’s stated disclosures. This is unlike CCPA, and one area where companies may need to focus their efforts. A related concept under CDPA is to protect what information a company does maintain. This is similar to that which exists in many other US states as well as GDPR, and requires companies to implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These practices should be appropriate to the volume and nature of the personal data at issue.
  • Virginia’s law goes beyond CCPA in including certain GDPR-like accountability and governance requirements. CDPA calls for the documentation of data protection assessments, similar to GDPR, but unlike CCPA. These assessments are to be conducted for specific types of processing activities listed in the statute including targeting advertising and the sale of personal data. The Attorney General may request copies of these as part of a civil investigative demand. The assessments are to apply to processing activities created or generated after January 1, 2023, and are not retroactive. CDPA also, like GDPR, requires agreements between controllers and processors (i.e., service providers) with specific language in those contracts.

Putting it Into Practice. Companies will have some time before this law becomes effective, and may take comfort that its scope is more narrow than the general privacy laws of Europe and California. Indeed, for those already adhering to both GDPR and CCPA, the additional requirements may not be excessively burdensome. There will be some review and potential modifications needed nevertheless. Areas to examine include vendor contracts and privacy policy disclosures. For others, the lift may be heavier, especially if a company is currently not subject to the GDPR-like items listed above. This new law also serves as a reminder for companies to evaluate whether their current privacy program is sufficiently flexible and adaptive. Developing a principle-based program that can grow can be particularly helpful as other states look at passing similar types of broader privacy laws.