Virginia passes nation’s second comprehensive privacy law

Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act (H 2307) into law. The CDPA will take effect Jan. 1, 2023.

The state data privacy movement started in California, which put the nation’s first comprehensive data privacy law, the California Consumer Privacy Act (CCPA), into effect in January 2020. In November, California voters passed the California Privacy Rights Act (CPRA), which builds on the CCPA. Like the Virginia law, the CPRA takes effect in January 2023.

“Businesses will have to adopt different approaches in different states while we have this patchwork of state laws.”

Gregory Parks, Partner, Morgan Lewis

“This is a huge step forward,” said bill sponsor and Virginia State Sen. David Marsden (D) in a statement. “By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers.”

Nevada and Maine have also passed data privacy laws, but they are much more limited in scope compared to the CCPA/CPRA and CDPA. In 2021, nearly a dozen other state legislatures have active data privacy legislation in the works that follows the example set by California—and now Virginia.

The Virginia law applies to companies that conduct business in Virginia, or target their products and services to Virginia residents, and control or process data of at least 100,000 Virginia residents. The law also applies to companies that control or process the data of 25,000 Virginia residents if more than half of that company’s revenue is generated by the sale of personal data. There are some exceptions, notably on healthcare and credit worthiness data covered by other federal laws.

Like the CPRA, the CDPA mandates companies publish privacy policy notices that describe how they use, collect, and share personal data. The CDPA requires consumers to give affirmative consent—by agreeing to an opt-in provision—in order for companies to collect and process their personal data.

Virginia consumers will have the right to ask whether a company is storing and processing their personal information and can request the deletion and correction of personal data. They can also opt out of the sale of personal data or to the use of personal data by companies to create targeted advertising.

Penalties for noncompliance with the Virginia law will be up to $7,500 per violation, and the law will be enforced by the state attorney general.

The Virginia law mirrors the CPRA in many ways but adds in several new requirements, said Kristen Mathews, partner in Morrison & Foerster’s Global Privacy and Data Security Group.

For one, businesses have to create an appeals process if they deny a consumer’s request for information about their personal data, she said. If the business denies the appeal, the business must refer the consumer to the AG’s office complaint line—something businesses would be loath to do.

“Businesses might honor requests (for information) even if the law doesn’t require them to,” Mathews said.

There are other key differences between the California data privacy laws and the CDPA. The CCPA and CPRA provide consumers with a private right of action, meaning they can sue companies in court for losing their data in a breach. The Virginia law does not have a private right of action, leaving all regulation and enforcement of the law with the AG’s office.

The CDPA “is intended to operate on its own, without the need for regulation,” Mathews said.

By contrast, California’s CPRA creates a state-funded data privacy agency to issue regulations, investigate consumer complaints, and issue enforcement actions. The agency is set to launch later this year and will regulate the CCPA until the CPRA takes effect.

The Virginia data privacy law also requires businesses to conduct data protection assessments, where they list out steps taken to keep customers’ personal information safe. Businesses should be prepared to share these assessments with the AG’s office upon request, Mathews said.

Big year for state-level data privacy laws

Nearly a dozen state legislatures are currently considering data privacy bills, including Alabama, Arizona, Connecticut, Florida, Kentucky, Minnesota, New York, Oklahoma, Utah, and Washington state, according to the International Association of Privacy Professionals (IAPP).

Vivek Mohan, partner at Mayer Brown and a former senior attorney at Apple, said it appears unlikely to him that Congress will pass a federal data privacy law within the next two years. That places the spotlight squarely on laws passed by states.

One factor he is watching closely as states consider their own data privacy legislation is what entity is enforcing the law. Will they adopt the California model under the CPRA and establish an independent state agency to publish guidelines, investigate complaints, and issue enforcement actions? Or will they leave it to the state attorney general, like the CCPA and the new Virginia law?

“I think a lot of states are asking, ‘Is AG enforcement sufficient?’” Mohan said.

Gregory Parks, partner at Morgan Lewis and co-leader of the firm’s privacy and cyber-security practice, said the passage of more state data privacy laws might mirror the slow-but-steady pace of data breach notification laws. The first data breach law took effect in 2003 in California; the 50th state to pass such a law, Alabama, did so in 2018.

“I think data privacy laws will be enacted along the same trajectory,” he said.

Congress has never passed a federal data breach notification law, and it is unclear whether the slim Democratic majorities in the House and Senate will prioritize a federal data privacy law.

“The need for federal unifying legislation is greater” in data privacy than data breach notification, Parks said. “Otherwise, you’re going to have 50 different states doing 50 different things.”

One size does not fit all

Should a business adjust its U.S. policies on how it collects, stores, and shares consumer personal data to comply with the strictest state law? Or will it need to adjust its data privacy practices, particularly how it responds to consumer requests for information, based on which state the consumer lives in?

Mathews said even if a business complied with every facet of the CPRA, it would still need to make room for exceptions and other provisions in the Virginia law.

“There always seems to be a need for some jurisdictional-specific supplements,” she said.

Parks agreed.

“Businesses will have to adopt different approaches in different states while we have this patchwork of state laws,” he said.

If a business has already set up an internal system to comply with personal data requests for the EU’s General Data Protection Regulation (GDPR) or either California law, then complying with the Virginia law is simply adjusting the system to include Virginia customers.

But if the Virginia law is prompting your firm to examine its personal data collection compliance for the first time, your employer will have to create a process to handle requests from consumers, said Rehan Jalil, CEO of SECURITI.ai, a vendor that provides data privacy and security solutions powered by artificial intelligence. Businesses also must have a process in place to verify the identities of consumers making the requests.

Then, businesses must be able to access all data on that consumer within their system and generate a report on that data that can be shared with the consumer. Doing that efficiently and accurately requires an automated process, Jalil said.

Although the law gives businesses 45 days to respond to requests, automation allows such requests to be fulfilled in minutes or hours, he said. As more and more states pass data privacy laws, more consumers will be seeking information on how their personal data is handled and making requests to opt out, correct their data, or delete it, among others.

SECURITI.ai’s PrivacyOps solution builds a people data graph, which allows a business to answer the question, “Where is one consumer’s data across all my data systems in the company?” The platform then generates a report that lists all the places that personal data is stored. The platform also places a framework on how your business collects and stores personal data, applies the data privacy law or laws that relate to that data, and makes recommendations.

“It helps you keep your data secure, puts security and privacy controls around it, then helps meet the regulatory requirements at the point of collection, processing, and return,” Jalil said.