East Coast Meets West Coast: Enter the Virginia Consumer Data Protection Act

While an exegesis of the VCDPA is beyond the scope of today’s Sidley Update, this alert is designed to assist such efforts in three ways. First, we lay out the VCDPA’s scope, providing preliminary insight into which businesses the law will cover. Second, we highlight the key ways the VCDPA differs from — and, more important, extends beyond — the CCPA and GDPR so that businesses will have an initial sense of what, if any, unique obligations the VCDPA will place on them. Finally, for completeness’s sake, the update briefly summarizes the law’s key elements.

I. What Is the Scope of the VCDPA?

The VCDPA’s scope of application is similar to that of the CCPA but subtly different in potentially important ways. Like the CCPA, the VCDPA contains numerous exemptions for entities and data that otherwise would be within its scope.

A. Scope

The CCPA applies to entities that are “doing business” in California that meet one of three size thresholds:

• has annual gross revenue in excess of $25 million; or
• alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
• derives 50% or more of its annual revenues from selling consumers’ personal information.

The VCDPA expands on the CCPA’s approach to include not only entities that conduct business in Virginia but also entities that “produce products or services that are targeted to residents of the Commonwealth.” It remains to be seen how Virginia regulators will interpret this “targeting” test — which obviously echoes a similar approach in the GDPR.

The VCDPA also contains size thresholds like the CCPA although none based on annual revenue. Rather, to be covered by the VCDPA, an entity must either “(i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”

B. Exemptions

Much like the CCPA, the VCDPA contains a number of broad exemptions for entities and data that might otherwise be covered. These are grouped into several main themes.

Entity exemptions. Certain entities are fully exempt from the VCDPA. These are (i) government entities; (ii) entities subject to the Gramm-Leach-Bliley Act; (iii) entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act; (iv) nonprofits; and (v) institutions of higher education.

Information-type exemptions. There are also exceptions for information otherwise protected or addressed by a federal or state law, including (i) protected health information under HIPAA; (ii) personal data regulated by the federal Family Educational Rights and Privacy Act; (iii) personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act; and (iv) specific activity processing personal data regulated by and authorized under the federal Fair Credit Reporting Act.

Employment-related exemptions. Personal data related to the application or employment of personnel, emergency contact information, and information necessary to administer benefits are exempt from the VCDPA.

II. What Unique Obligations Might the VCDPA Place on Businesses?

As noted at the outset, the VCDPA mirrors the CCPA in many ways, such that businesses already compliant with the CCPA will be well on their way to complying with the VCDPA. That said, the VCDPA is different, and we highlight here the obligations that may be unique to business that are already CCPA-compliant.

• Right to Opt Out of Targeted Advertising and Profiling: Consumers have a broad array of rights under the VCDPA, including some not included in the CCPA. These include the right to opt out of the sale of personal data to create targeted advertising (though the definition of “targeted advertising” excludes ads “based on activities within a controller’s own websites or online applications”) and the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
• New Limits on Collection and Required Appeals Process: Controllers have broad obligations, including the duty to limit personal data collection to what is “adequate, relevant, and reasonably necessary” to fulfill purposes disclosed to consumers and the obligation to enable consumers to appeal the controller’s decision to deny the consumer’s VCDPA rights request.
• Restrictions on Use of “Sensitive Data”: Controllers may not process “sensitive data” concerning a consumer without obtaining consent.
• Data Protection Assessments: Controllers must conduct data protection assessments for certain data processing activities involving personal data, including the processing of personal data for targeted advertising and the processing of personal data for purposes of profiling.

While these are the key innovations in the VCDPA, there may be other, more subtle distinctions between this law and the CCPA. Careful review of the law is thus necessary in particular cases, and a section-by-section guide is thus included below.

III. What Does the VCDPA Do?

While much of the VCDPA is broadly similar to the CCPA, the entire statute is worth reading, as there could be subtle differences not mentioned above that are important to your business. Below we summarize the key elements of the bill.

A. Controller Responsibilities (Sections 59.1-573, 574)

The vast majority of the VCDPA directly imposes obligations on “controllers,” which are defined as entities that, alone or jointly with others, determine the purpose and means of processing personal data. (As described below, certain obligations are placed on “processors,” defined as entities that process personal data on behalf of a controller.)

Beyond responding to consumer requests, controllers also are limited in how they treat and use personal data. Controllers must

• limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer
• except as otherwise provided, not process personal data for purposes not reasonably necessary to accomplish the disclosed purposes without consumer consent
• establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data at issue
• not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers and not discriminate against a consumer who exercises its rights under the law
• not process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.)

Sec. 59.1-574(A).

Finally, controllers must provide a privacy notice that includes

• the purpose for processing personal data
• how consumers may exercise their individual rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
• the categories of personal data that the controller shares with third parties, if any
• the categories of third parties, if any, with which the controller shares personal data
• a clear disclosure and information on how to opt out if the controller sells personal data to third parties or processes personal data for targeted advertising
• at least one secure and reliable means by which consumers can make consumer requests (and cannot require the creation of an account to do so)

Secs. 59.1-574(C)-(E).

B. Processor Obligations and Data Protection Agreement Requirements (Section 59.1-575)

Under the VCDPA, a processor must follow the instructions of a controller and assist the controller in meeting its legal obligations. This includes

• assisting the controller in fulfilling its obligations to respond to consumer rights requests
• assisting the controller in meeting its obligations in relation to the security of processing the personal data and in relation to the notification of a security breach of the processor’s system
• providing necessary information to enable the controller to conduct and document data protection assessments

Sec. 59.1-575(A).

With respect to a contract between a controller and processor (“data protection agreement” or DPA), the VCDPA sets forth terms that must be included. Specifically, a DPA must include requirements that the processor shall

• ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data
• at the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services unless retention of the personal data is required by law
• upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter
• allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments (the processor shall provide a report of such assessment to the controller upon request)
• engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data

Sec. 59.1-575(B).

This requirement will mean drafting even more extensive contractual provisions because these contractual terms do not directly align with those in the CCPA — although they do more closely resemble data processing agreements provisions required under the GDPR.

C. Consumer Rights (Section 59.1-573)

As with the CCPA, controllers must permit Virginians

• to confirm whether a controller is processing the consumer’s personal data and to access such personal data
• to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data
• to delete personal data concerning the consumer
• to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means
• to opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

Sec. 59.1-573(1)-(5).

As the International Association of Privacy Professionals has noted, this language provides the “law’s entire discussion of consumer rights.” In this — and in many other respects — the VCDPA is thus much more straightforward than the CCPA, and it remains to be seen how Virginia regulators will apply the law.

The first four of these rights do not apply to pseudonymous data if the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing (and thus fully reidentifying) such information. However, the right to opt out of processing for certain targeted advertising, sales of such data, or profiling that produces legal effect does still apply to pseudonymous data.

What specifically qualifies as a sale of personal data under the CCPA has been hotly debated. The VCDPA attempts to avoid this concern by following the approach of Nevada’s CCPA-inspired law in defining a sale to mean “the exchange of personal data for monetary consideration by the controller to a third party” (emphasis added). The definition of a sale also explicitly excludes a transfer to affiliates of the controller.

The VCDPA’s right to opt out of profiling is a key difference from the CCPA. The VCDPA defines “profiling” as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Although this definition will undoubtedly raise questions, this provision draws heavily from the GDPR, and thus interpretations of the GDPR may be instructive. For example, under the GDPR, if a human is involved in profiling, such as by performing a final check on the findings of an automated report, that would be sufficient to not be an automated process. However, this result is by no means certain, and companies should carefully review particular terms when analyzing compliance with the VCDPA.

Similar to the CCPA, the VCDPA requires controllers to respond to a consumer request within 45 days, with an optional 45-day extension as long as the consumer is notified of the extension within the first 45 days. A controller must comply with an authenticated consumer request to exercise a right. The controller “authenticates” a consumer by verifying through reasonable means that the consumer exercising a right is the same consumer with respect to the personal data at issue. If the controller is unable to authenticate the request using reasonable efforts, the request does not need to be carried out. However, businesses that may fall into the description of “controller” should note that information provided in response to an authenticated consumer request must be provided free of charge, up to twice annually, per consumer. Moreover, a controller must establish an appeals process, whereby the consumer can appeal a controller’s refusal to act on a request.

D. Consent to Process Sensitive Personal Data (Section 59.1-574(A)(5))

One of the VCDPA’s provisions that will require changes to data collection and use practices is that controllers must obtain clear, affirmative consent to process sensitive personal data. Sensitive personal data includes

• personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
• the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
• the personal data collected from a known child (anyone under the age of 13); or
• precise geolocation data.

Sec. 59.1-571.

E. Data Protection Assessments (Section 59.1-576)

The VCDPA requires a controller to conduct and document a data protection assessment if the following processing activities are involved:

• the processing of personal data for purposes of targeted advertising
• the sale of personal data
• the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate effect on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon consumers’ solitude or seclusion, or private affairs or concerns, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;
• the processing of sensitive data
• any processing activities involving personal data that present a heightened risk of harm to consumers

Sec. 59.1-576(A).

Echoing the Federal Trade Act (FTC) Act’s test for “unfairness,” the assessment must “identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.”

The VCDPA is silent about what qualifies as a “reasonably foreseeable risk” and an “unfair or deceptive treatment of, or unlawful disparate impact on, consumers.” As this language strongly aligns with both the FTC Act and state unfair and deceptive practices laws, FTC and Attorney General enforcement actions in these areas may serve as a guide. However, much as with enforcement actions on other laws, what counts as performing an adequate assessment may depend on particular risks and perceptions applicable to particular contexts. Therefore, companies will need to be vigilant in considering these requirements on an ongoing basis.

The Virginia Attorney General has the right to require production of documents associated with these assessments through an investigative civil demand. Finally, these assessments will apply to processing activities “created or generated after January 1, 2023, and are not retroactive.”

F. Pseudonymous and Deidentified Data (Section 59.1-577)

Again pulling from the GDPR, the VCDPA recognizes and regulates action addressing both pseudonymous and deidentified personal data.

“Deidentified data” means data that cannot reasonably be linked to an identified or identifiable natural person or a device linked to such person.

“Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

There are several specific requirements of controllers who process deidentified data.

They must

• take reasonable measures to ensure that the data cannot be associated with a natural person
• publicly commit to maintaining and using deidentified data without attempting to reidentify the data
• contractually obligate any recipients of the deidentified data to comply with all provisions of this chapter.

Sec. 59.1-577(C).

Controllers must monitor for, and take appropriate steps to address breaches of, compliance with contractual commitments when disclosing pseudonymous data and deidentified data. What qualifies as monitoring is not specified, but practices such as audits for privacy purposes may continue to be prudent and more commonly used in the U.S. due to requirements such as this one.

G. Limitations (Section 59.1-578)

Much like the CCPA, the VCDPA has an extensive list of saving clauses and limitations, such as provisions not requiring compliance when doing so would violate any other laws or the rights and freedoms of persons.

While businesses should look at the full list of limitations, key provisions state that neither controllers nor processors will be restricted in their ability to

• conduct internal research to develop, improve, or repair products, services, or technology;
• effectuate a product recall;
• identify and repair technical errors that impair existing or intended functionality; or
• perform internal operations reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

Sec. 59.1-578(B).

Furthermore, the VCDPA clarifies that nothing in the law will serve to violate evidentiary privileges or otherwise restrict sharing data with a person covered by evidentiary privilege as part of a privileged communication. The VCDPA also provides an interesting shield from upstream or downstream liability in circumstances where a controller or processor discloses or receives information from a third party and that third parties violates or is in violation of the VCDPA so long as the disclosing or receiving party did not have actual knowledge that the third party intended to commit a violation.

H. Enforcement (Section 59.1-579, 580)

The Virginia Attorney General’s office has the exclusive ability to enforce the law (i.e., there is no private right of action). As with the CCPA, the Attorney General must provide 30 days’ notice of any violation and an opportunity to cure the violation. To avail itself of the ability to cure, a controller or processor must remediate the issue within 30 days of receiving notice and then provide an “express written statement” to the Attorney General that the violation is cured and that no further violations shall occur. In the event a violation remains uncured, the Attorney General may initiate an action seeking $7,500 per violation.

IV. Next Steps

In contrast to the CCPA, the VCDPA does not call for the creation of implementing regulations. Therefore, businesses can begin planning their compliance strategies now, with a higher degree of confidence that the law’s requirements are materially set, barring any potential amendments in advance of the January 1, 2023, effective date. Businesses must also consider the possibility that Virginia and California will not be a spotlight duet for long, because many other states also have proposed their own versions of comprehensive privacy laws.

The Sidley Data Privacy and Cybersecurity Team is prepared to help you and your company understand and implement compliance with the VCDPA and reconcile its obligations with those of CCPA and other potentially applicable federal and state privacy laws. Please reach out to us with any questions.