CLIENT ALERT: Virginia Poised to Become Second State to Pass Comprehensive Consumer Privacy Legislation
Following the lead of California, Virginia is set to become the second U.S. state to enact comprehensive consumer privacy legislation. Virginia Governor Ralph Northam is expected to sign into law the Consumer Data Protection Act (“CDPA”), which will go into effect on January 1, 2023. As it may take businesses some time to make sure they are in compliance by the January 1, 2023 effective date, it is recommended that businesses review their current privacy practices and make any necessary changes.
Among the similarities between the current California consumer privacy law, the California Consumer Privacy Act (“CCPA”), and the CDPA are the rights given to Virginia residents and the responsibility of businesses to respect those rights; namely, the right to access their personal data collected by the business, the right to amend or correct such personal data, the right to request deletion of the data, and the right to data portability.
Some of the key differences between the CCPA and CDPA are:
- There is no minimum revenue requirement to determine the applicability of the law. Under the CCPA, one criterion for determining if a business must comply with the CCPA is if the business earns gross revenues of $25 million a year or more. The CDPA contains no minimum income requirement.
- The CDPA will apply to any business that controls or processes: (a) data of at least 100,000 Virginia residents in a year; or (b) data of at least 25,000 Virginia residents and derives 50% or more of its gross revenue from the sale of personal data. Under the CCPA, the law applies to any business that: (a) controls or processes data of at least 50,000 California residents; or (b) earns 50% or more of its gross revenue from the sale of personal data.
- The definition of “consumer” under the CDPA means any natural person who is a resident of Virginia but is acting only in their capacity as an individual, excluding anyone who is acting in a commercial context. The CCPA contains no such exclusion.
- Personal information under the CDPA excludes “publicly available” information, and the CDPA takes a broader view of what constitutes “publicly available” than the CCPA. Under the CCPA, publicly available data means only data available from official public records. The definition of “publicly available” under the CDPA includes data available from public records but also includes “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”
- The CDPA will be enforced only by the Virginia Attorney General and does not provide any private right of action, unlike the CCPA which provides for a private right of action in the event of a data breach.
- The CDPA will allow consumers to opt out of not only the “sale” of personal information but also the use of their personal data for targeted advertising and profiling. The CCPA currently provides for such an opt-out only in relation to the “sale” of personal information.
Takeaway: Any business that collects data from Virginia residents should carefully review the new legislation to determine if compliance is mandated. If so, the business should start the compliance process as soon as possible to be able to meet the expected January 1, 2023 effective date. While a business already in compliance with the CCPA may have a head start on compliance with the CDPA, there are certain key differences between the laws that may need to be addressed.
Please contact either privacy law partner Mary Grieco or the Olshan attorney with whom you regularly work if you would like to discuss further, have questions, or need help with CCPA or CDPA compliance. Mary, who is certified as an Information Privacy Professional for Europe (CIPP/E) by the International Association of Privacy Professionals, has broad experience advising clients on compliance with consumer privacy laws and related issues.
Update: Virginia Governor Ralph Northam signed the bill on March 2, 2021. The law is slated to take effect on January 1, 2023.