The Virginia Consumer Data Protection Act (HB 2307 / SB 1392), introduced in the House of Delegates on January 20, passed both houses of Virginia’s state legislature on February 5 with large bipartisan majorities. This comprehensive privacy bill, which would take effect on January 1, 2023, follows a framework similar to the current version of the Washington Privacy Act (“WPA”), though it differs from the WPA in important respects. We have included a high-level summary of some of the bill’s provisions below.
The passage of nearly identical legislation by both chambers of the Virginia legislature positions the Virginia Consumer Data Protection Act to become the nation’s next comprehensive state privacy law. Lawmakers must reconcile the two bills before the end of the session on February 27, and, assuming a reconciled bill passes in both houses, it will be sent to Gov. Ralph Northam to sign into law or veto. If Gov. Northam takes no action, the reconciled bill would become law within seven days or, if there are fewer than seven days remaining in the General Assembly session, or if the General Assembly has adjourned, within thirty days.
Scope of Covered Entities
- The bill applies to “persons” that conduct business in Virginia (or produce products or services that are targeted to residents of Virginia) and that, during a calendar year, “control or process” the personal data of (1) at least 100,000 Virginia residents, or (2) at least 25,000 Virginia residents, if the entity also derives over half of its gross revenue from the sale of personal data. 59.1-572(A).
- There are several important carve-outs from this definition. Like the WPA, the bill’s definition of “consumers” does not include individuals acting in a commercial or employment context, so these individuals are also excluded from the bill’s consumer rights provisions described below.
- Similar to the WPA, the bill exempts a range of regulated financial services, health care, human research, consumer credit reporting, educational, and employment data from its provisions. 59.1-572(C).
- The Virginia bill fully exempts nonprofit organizations and institutions of higher education from its requirements. Id.
Scope of Covered Data
- The bill defines “personal data” broadly as any information that is “linked or reasonably linkable to an identified or identifiable natural person.” Publicly available information is not considered “personal data” under the bill. 59.1-571.
- “Personal data” would not include de-identified data, which is defined as data that “cannot reasonably be linked to an identified or identifiable natural person [or] a device linked to such person.” Id. De-identified data also would need to be subject to certain safeguards to limit the risk of re-identification, including a public commitment by the relevant data controller not to attempt to re-identify the data. Note that controllers disclosing de-identified or pseudonymized data would be required to exercise reasonable oversight to monitor recipients’ compliance with required contractual commitments and to take appropriate steps to address any breaches of those commitments. 59.1-577(E).
- The Virginia bill would not limit a controller’s or processor’s ability to “conduct internal research to develop, improve, or repair products, services, or technology.” 59.1-578(B).
Sensitive Personal Data and Consent
- When processing sensitive data, controllers must obtain “consent” from consumers. The bill defines consent, consistent with the WPA, as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement.” 59.1-571, 574(A)(5).
- The Virginia bill’s definition of sensitive data is broadly consistent with the WPA, though it uses a slightly narrower definition of “precise geolocation data.” Sec. 59.1-571.
- The bill’s definition of biometric data is consistent with Washington’s separate biometric privacy law; both definitions expressly exclude a “physical or digital photograph, a video or audio recording or data generated therefrom.” Id.
- Entities compliant with COPPA’s verifiable parental consent requirements will be deemed compliant with the bill’s obligations to obtain parental consent for “known children,” defined as any person younger than 13 years of age. 59.1-572(D).
Consumer Rights
- The bill would grant individuals the rights of access, correction, deletion, and portability. It would also allow consumers to opt out of targeted advertising, the sale of their personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 59.1-573.
- The bill’s definition of targeted advertising explicitly scopes out processing “solely for measuring or reporting advertising performance, reach, or frequency.” 59.1-571.
- “Sale of personal data” is limited to the exchange of personal data for monetary consideration. Id.
- The bill allows controllers a 45-day period to respond to consumer rights requests, with one 45-day extension when reasonably necessary. 59.1-573(B)(1).
- Note that the bill includes several carve-outs from the obligation to comply with consumer rights requests, including in certain cases when complying with the request would be unreasonably burdensome and when the personal data has been pseudonymized, subject to enumerated safeguards. 59.1-577(C), (D).
Controller and Processor Responsibilities
- Drawing from the GDPR and WPA, the Virginia bill assigns obligations to “controllers” and “processors,” including transparency, purpose limitation, retention, data minimization, and data security requirements.
- Controllers must provide consumers with a privacy notice containing specific information. 59.1-574(C). Controllers are subject to data minimization requirements keyed to the disclosures in these notices. Sec. 59.1-574(A)(1).
- Without securing new consent from a consumer, a controller’s secondary uses of personal data must be either reasonably necessary for, or compatible with, these disclosed uses. 59.1-574(A)(2).
- Controllers are generally prohibited from discriminating against consumers for exercising their rights under the bill. However, the bill gives controllers some flexibility where a consumer has exercised an opt-out right and the product or service “requires” the consumer’s personal data, as well as in connection with a controller’s loyalty programs, discounts, and premium features. 59.1-574(A)(4).
- Processors must “adhere to the instructions of a controller” and assist them in complying with their obligations under the bill subject to a written contract. 59.1-575.
Data Protection Assessments
- Before engaging in processing activities that involve sensitive data, targeted advertising, the sale of personal data, certain cases of profiling, and any other activities that “present a heightened risk of harm to consumers,” controllers must conduct data protection assessments. These assessments must weigh the overall benefits of the processing activity against the potential risks to the rights of the consumer, as mitigated by applicable safeguards. 59.1-576.
- The Attorney General may compel production of these assessments without court approval, but the bill requires that assessments remain confidential, exempt from Virginia’s Freedom of Information Act, and that any attorney-client privilege or work product protection with respect to an assessment or its contents not be considered waived. 59.1-576(C).
Enforcement
- The bill grants the Attorney General exclusive authority to enforce its provisions, subject to a 30-day cure period for any alleged violations. The Attorney General may seek injunctive relief and civil penalties of up to $7,500 for each violation, as well as “reasonable expenses incurred in investigating and preparing the case, including attorney fees.” 59.1-579, 580.
Despite the disruptions of COVID-19, state legislatures across the country have been actively considering privacy legislation over the past month. Virginia, drawing on these efforts, has leapfrogged the other states and is now positioned to be the next to enact a comprehensive privacy law.