Privacy, Technology and Perspective
Virginia Consumer Data Protection Act: Virginia is on the verge of passing a new, expansive data privacy act, “establish[ing] a framework for controlling and processing personal data” – the Virginia Consumer Data Protection Act (“VCDPA”). The VCDPA has some of the language and concepts of the GDPR and some of the concepts of the California Consumer Privacy Act (“CCPA”) and California Consumer Privacy Rights Act (“CPRA”). Here is a brief summary of the particulars:
Status: The House version passed the Virginia House late in January by a vote of 89-9, and the Senate version on Friday, February 19 by a vote of 32-7. On the same day the House agreed to the Senate substitute. So the VCDPA now appears headed to the Governor, who is expected to sign it shortly.
Text: You can see the text of the House and Senate versions by clicking the links below:
Effective Date: January 1, 2023 (same as the CPRA).
Scope and Exemptions: The Act will apply to persons doing business in Virginia or producing goods or services targeted to Virginians that control or process personal data of (i) 100,000 or more Virginians, or (ii) 25,000 or more Virginians where they also derive 50%+ of their gross revenue from the sale of personal data.
Importantly, it will not apply to (i) Commonwealth bodies or political subdivisions; (ii) any financial institution or data subject to the Gramm-Leach-Bliley Act (note that this is a broader exemption than just data subject to GLBA); (iii) covered entities or business associates subject to HIPAA; (iv) nonprofits; or (v) higher education.
It also exempts Protected Health Information (“PHI”) regulated under the HIPAA Privacy Rule and much other specific health-related information, as well as information regulated and authorized by the Fair Credit Reporting Act (“FCRA”), the federal Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act (“FERPA”), the federal Farm Credit Act, and certain other specific situations.
Be aware that a “consumer” means a natural person “acting only in an individual or household context.” Under the VCDPA, a person acting in a commercial or employment context is not a “consumer” whose personal data is covered by the Act.
Consumer Rights in Personal Data: The Act empowers consumers to:
· Confirm whether a controller is processing their personal data, and access it;
· Correct inaccuracies;
· Delete it;
· Obtain a portable copy of it; and
· Opt out of processing for purposes of targeted advertising, the sale of personal data, or profiling that produces legal “or similarly significant effects.”
Controllers must respond without undue delay and within 45 days, though they may take an additional 45 days when reasonably necessary. The Act also provides for authentication of requests, an appeal process, and related procedures.
Transparency and other Controller responsibilities:
· Limitations on collection: Controllers may not collect more than is adequate, relevant, and reasonably necessary for the disclosed purpose, without the consumer’s consent;
· Security: “Reasonable” administrative, technical, and physical security practices are required. (“Reasonableness” is not closely defined, except that the practices “shall be appropriate to the volume and nature of the personal data at issue.”);
· Non-discrimination: Controllers may not discriminate against consumers for exercising their rights, subject to familiar exceptions;
· Special provisions for Sensitive Data: Without consent, Controllers may not process “sensitive data” (meaning (i) personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data used for identification; (iii) data collected from a known child; or (iv) geolocation data that can place a person within 1,750 feet);
· Privacy Notices: must be reasonably accessible, clear, and meaningful, with specific requirements as to content and disclosure.
Processor Responsibilities: Processors must follow Controllers’ instructions, and assist their Controller in:
· meeting its obligations to respond to Consumer requests,
· providing security and data protection assessments, and
· giving notice of a breach.
Contracts between Controllers and Processors: Though the VCDPA does not expressly say the agreements must be in writing, it is hard to see how its specific requirements can be met without it. The VCDPA requires this relationship to provide clearly for statements of responsibilities, confidentiality, return of data, cooperation in demonstrating compliance and in conducting data protection assessments, and more.
Data Protection Assessments: Controllers must “conduct and document” data protection assessments of processing personal data involving “each” of the following:
· Targeted advertising;
· Sale of personal data;
· Profiling, where it presents a reasonably foreseeable risk of harm;
· Processing “sensitive data;” and
· Anything else that presents a heightened risk of harm.
Such assessments “shall identify and weigh the benefits…against the potential risks to the rights of [consumers], as mitigated by safeguards…”
Detailed Exceptions and Limitations: Significantly, the VCDPA contains many detailed exceptions that allow controllers and processors to act reasonably without fear of violation.
No Private Right of Action: The Virginia Attorney General has sole enforcement authority. A thirty-day notice-and-cure provision is included. After that, injunctions, up to $7,500 per violation, and awards of attorneys’ fees may be available.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.