Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) into law on March 2nd, 2021, making Virginia the second state to enact a data protection law — only preceded by California's CCPA. The law will go into effect on January 1st, 2023.

The CDPA affirms consumers' rights to access and control their personal data. Any entity controlling and processing personal data must follow the responsibilities outlined in the law.

This article provides a brief and summarized overview of the law. You can read the full text of the Consumer Data Protection Act here.

Who must comply with the CDPA?

The law applies to anyone that conducts business in Virginia or produces products or services that are targeted to residents of Virginia AND satisfy one of the following:

  1. Control or process personal data of at least 100,000 consumers
  2. Control or process personal data of at least 25,000 consumers AND derive 50% of gross revenue from the sale of personal data.

What are the requirements of the CDPA?

The law provides consumers with data rights and defines the responsibilities of both controllers and processors of data. It is imperative to understand the definition of each entity:

Consumer: An individual resident of Virginia

Controller: A company that determines the purpose and means of processing personal data

Processor: A company that processes personal data on behalf of a controller

Consumer personal data rights

Consumers have the right to submit a request to a controller at any time specifying which of the rights below they want to invoke. A consumer can request for a controller to:

  1. Confirm whether the controller is processing their personal data
  2. Correct inaccuracies in their personal data
  3. Delete personal data provided by the consumer
  4. Provide a copy of the consumer's personal data that the consumer previously provided
  5. Opt the consumer out of processing personal data for targeted advertising, the sale of personal data, or profiling in any way.

Controllers need to establish and describe in a privacy notice a mechanism for consumers to submit a request to exercise their data rights. Controllers must respond to a consumer request within 45 days. Any information provided to a consumer must be free of charge up to twice annually.

Data controller responsibilities

The controller has many responsibilities under CDPA. Controllers need to:

  1. Limit the collection of personal data to only what is reasonably necessary for the purpose it is needed as disclosed to the consumer
  2. Not process personal data for any other purpose than what is disclosed to the consumer unless the controller obtains the consumer's consent
  3. Implement and maintain physical data security practices that protect personal data
  4. Not discriminate against consumers for exercising their data rights by denying goods or services, charging different prices, or providing a lower level of quality of goods or services.
  5. Not process sensitive data without obtaining consumer's consent. Sensitive data could include information about race, religion, health, etc.

Privacy Notice

Controllers must provide an accessible and clear privacy notice that includes:

  1. The categories of personal data processed by the controller
  2. The purpose for processing personal data
  3. How the consumer can exercise their data rights, including submitting requests or appealing a request decision
  4. The categories of personal data shared with third parties
  5. The categories of third parties with whom the controller shares data

Additionally, if the controller sells personal data to third parties or processes personal data for targeted advertising, the controller must inform the consumer and provide a way to opt-out.

Processor Responsibilities

Processors have specific responsibilities that they must abide by. They must adhere to the instructions of the controller and assist the controller in meeting their obligations under the CDPA which may include:

  1. Helping the controller respond to consumer data rights requests
  2. Notifying consumers of data breaches
  3. Providing necessary information for the controller to conduct and document data protection assessments

Processors are required to enter a contract with a controller that clearly defines:

  1. Instructions for processing the data
  2. The purpose of processing
  3. Type of data subject processing
  4. The duration of processing
  5. The rights and obligations of both the controller and processor

The processor must also delete or return all personal data to the controller when the service provided ends.

Data Protection Assessments

Controllers must conduct and document a "data protection assessment" for each of the following:

  1. The processing of personal data used for targeted advertising
  2. The sale of personal data
  3. The processing of personal data for purposes of profiling if that profiling presents a risk to the consumer.
  4. Sensitive data (race, health, religion, etc)
  5. Any processing of personal data that presents a risk of harm to consumers

The data protection assessments must weigh the benefits of processing the data against potential risks to the consumer. Controllers must consider any additional safeguards the controller can implement and whether using de-identified (non-personal) data could be used instead.

The controller must also consider consumer expectations, the context of processing, and their relationship with the consumer in the assessment. The Attorney General can request these data protection assessments for any relevant investigations.

What are the penalties?

The CDPA doesn't provide a private right of action for any violations, meaning the Attorney General is the only one who can enforce the law.

If the Attorney General discovers any violations, they will provide a controller or processor 30 days written notice.

If the controller or processor resolves the violations within 30 days, the Attorney General will not initiate any damages against the controller or processor.

If a controller or processor continues to violate the CDPA, the Attorney General may seek damages up to $7,500 per violation, including reasonable expenses related to the case and attorney fees.

All penalties collected will funnel into a "Consumer Privacy Fund" created in the state treasury. The Office of the Attorney General will use the fund to support the work of enforcing the CDPA.

Disclaimer: The above is an abbreviated summary of the CDPA and is not a suitable replacement for reviewing the full text of the law before making any legal decisions for your business.

Photo by Tingey Injury Law Firm on Unsplash