Editor’s note: Steve Britt, Sarah Hutchins and Tiffany Burba are attorneys at Parker Poe.
Earlier this month, Virginia became only the second state in the nation to enact a comprehensive data privacy law. The Virginia Consumer Data Protection Act’s net – like that of the California Consumer Privacy Act – may ensnare a number of companies that do not have physical locations or employees in Virginia, but rather, only sell products or services there.
Many companies in the Carolinas likely fall into this category. For those that have not already been subject to the California Consumer Privacy Act’s expansive regulations or the European Union’s General Data Protection Regulation, this may be the first time their data collection and management practices come under strict legal requirements. Below are some of the key provisions of the VCDPA those companies will need to consider.
Who Is Subject to Virginia’s Consumer Data Protection Act?
The VCDPA applies to companies that conduct business in Virginia or produce products or services targeted to Virginia residents (defined as “consumers”) and that meet at least one of the following criteria: (a) during a calendar year, control or process personal data of at least 100,000 consumers, or (b) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
VCDPA does exempt several categories of businesses, even if they otherwise meet the criteria described above: Virginia state and local government bodies, financial institutions subject to the Gramm-Leach-Bliley Act, institutions subject to HIPAA or HITECH, nonprofit organizations, and institutions of higher education.
VCDPA contrasts in two significant ways with the California Consumer Privacy Act. It excludes coverage of employees and business contacts, and it provides a narrower definition of the “sale” of data by limiting it to the exchange of data for monetary consideration.
What Does the Virginia Data Privacy Law Generally Require?
Although this list is not comprehensive, some of the key obligations are:
1. Grant of broad consumer data rights. Virginia consumers have the right to request that a company:
- Confirm whether the company is processing the consumer’s personal data and allow the consumer to access such data.
- Correct inaccuracies in the consumer’s personal data.
- Delete the consumer’s personal data.
- Provide a copy of the consumer’s personal data in a usable and portable format.
- Cease processing the consumer’s personal data for certain limited purposes.
A company must be able to respond to verified consumer requests related to these rights without undue delay, subject to some statutory limitations. The company must also provide a mechanism for appealing any initial denials of such consumer requests.
2. Implementing Security Practices. VCDPA requires companies to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
3. Providing a Clear Privacy Notice. A company must provide consumers with a reasonably “accessible, clear, and meaningful privacy notice” that describes, at a minimum:
- The categories of personal data processed by the company.
- The purpose for processing such data.
- The categories of personal data shared with third parties.
- The categories of third parties that receive personal data.
- A consumer’s rights under Virginia’s law and how to exercise such rights.
If the company sells personal data to third parties or processes personal data for targeted advertising, the company must also clearly and conspicuously disclose such processing and provide consumers the right to opt out of it.
4. Establishing Contracts with Processors. If the company discloses personal data to third parties to process on its behalf, the company must enter into a contract with such third parties to limit their use of such data. The data privacy law sets forth specific, additional contract provisions, which may require companies to update their existing vendor agreements.
5. Conducting Data Protection Assessments. A company must conduct and document a “data protection assessment” that meets a variety of requirements if the company fits any of these criteria:
- Processes personal data for targeted advertising.
- Sells personal data.
- Processes sensitive personal data.
- Processes personal data for certain types of profiling.
- Engages in data processing activities that present a heightened risk of harm to consumers.
Even if a company does not satisfy these criteria, it may be beneficial to conduct a similar assessment to establish a baseline of how the company collects, manages, and stores data more generally. The Virginia attorney general has the right to request access to these reports.
6. Safeguarding De-Identified or Pseudonymous Data. Although many of the data privacy law’s provisions do not apply to data or information that cannot reasonably be linked to a natural person, a company handling de-identified or pseudonymous data must at least:
- Take reasonable measures to ensure that the data cannot be associated with a natural person.
- Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
- Contractually obligate any recipients of the de-identified data to comply with all provisions of VCDPA.
- Exercise reasonable oversight to monitor compliance with contractual commitments related to de-identified data and address any breaches, as appropriate.
When Do Businesses Have to Comply?
VCDPA becomes effective on January 1, 2023. Additionally, it requires the attorney general to provide any business with a 30-day notice and cure period prior to initiating an enforcement action. Importantly, Virginia’s law does not provide consumers with a private right of action – only the attorney general may bring a claim under the statute.
Why Should Companies Prioritize Compliance?
Virginia’s attorney general may initiate a lawsuit and seek damages for up to $7,500 for each violation of the data privacy law. Those penalties can quickly add up for companies that control data of tens of thousands of consumers.
Additionally, adopting best practices now may help streamline future compliance efforts as more states pass similar data privacy legislation. Companies subject to Virginia’s law should assess their data management practices, evaluate their online privacy policies, and review third-party vendor contracts to determine whether updates are warranted in light of the new statute.