On February 5, 2021, the state Senate of Virginia passed the Consumer Data Protection Act (CDPA), which identically mirrors a bill earlier approved by Virginia’s House of Delegates. Legislators have until March 1 to amend and finalize the details of the legislation, but it is not expected that any material modifications will be made. The bill is anticipated to be signed by Virginia’s governor later in March.
Virginia would become the second U.S. state to enact a comprehensive data privacy law. California became the first when the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. As currently drafted, the bill would become effective on January 1, 2023, the same date that California’s new California Privacy Rights Act (CPRA) goes into effect.
Virginia’s proposed CDPA establishes a comprehensive framework for controlling and processing personal data, including providing Virginia residents with certain rights with respect to their data. The CDPA proposes to impose restrictions relating to data minimization, data security, processing limitations, and third-party contracting. The CDPA would also impose requirements directly on processors who process data on behalf of a data controller.
The CDPA would apply to “persons” that conduct business in Virginia (or produce products or services that are targeted to residents of Virginia) and that control or process the personal data of (1) at least 100,000 Virginia residents in any calendar year, or (2) at least 25,000 Virginia residents in any calendar year while deriving over half of their annual gross revenue from the sale of personal data. In practice, this definition of “persons” covers large data brokers and companies with a major online presence.
“Persons” subject to the CDPA would be required to provide consumers with a privacy notice containing specific information.
While the proposed CDPA sounds very similar in description to the CCPA and Europe’s General Data Protection Regulation (GDPR), it does not mirror either the CCPA or the GDPR; instead, it creates a framework unique to itself.
Key Differences from CCPA and GDPR
- The CDPA creates entity-level exemptions, including for financial institutions subject to the Gramm-Leach-Bliley Act, a controversial point under the CCPA, where such a full exemption was not granted.
- The CDPA would not create a private right of action for consumers; the Virginia Attorney General would have full enforcement authority.
- “Consumer” as defined under the CDPA does not include individuals acting in a commercial or employment context, so those individuals fall outside the CDPA’s consumer rights provisions, differing from both the CCPA and the GDPR.
- Following the CCPA, but differing from the GDPR, the CDPA fully exempts non-profits.
With the CDPA not lining up fully with either the CCPA/CPRA or the GDPR, what does this mean for privacy expansion in the U.S. going forward? How will organizations design a privacy compliance program that meets the requirements of each differing piece of privacy legislation? These are key considerations every organization needs to put front of mind today.
Reach out to McGrath North’s Privacy and Cybersecurity Team to talk through what steps your organization can take today to prepare for the future of the U.S. privacy landscape.