New State Privacy Law Passes in VA – Here We Go Again!

by Justine Young Gottshall & Brian C. Schaller

The Virginia ("VA") House and Senate both just passed new privacy bills to enact a Consumer Data Protection Act ("VCDPA"), which is slated to be signed into law by the VA governor. The bills still need to go through the reconciliation process, but are nearly identical. So, the process will probably result in little to no changes to the bills that are currently publicly available (see House Bill No. 2307 and Senate Bill No. 1392). We anticipate that, like the California Privacy Rights Act ("CPRA"), this law will take effect January 1, 2023. But preparing for it is not identical to preparing for the CPRA (nor any existing California Consumer Privacy Act ("CCPA") or General Data Protection Regulation ("GDPR") compliance).

Below is our initial take on the legislation and what we think is critical for businesses to know at this point.

WHAT IS IT AND WILL WE NEED TO COMPLY?

It Isn't the CCPA, Isn't the CPRA, and Not the GDPR – But It’s a Bit Like All of Them

Instead of just copying California ("CA") or the European Union ("EU"), the VA legislature created its own unique privacy legislation with elements of and concepts from the CCPA, the second comprehensive CA privacy law: the CPRA, and Europe's GDPR. It also created its own unique take on privacy issues. For example, the VA legislature includes a right to opt-out of the "sale" of information, which is a CCPA concept; but, and as discussed further below, placed its own spin on it. The VCDPA also includes a right for consumers to opt out of information used to profile, which is similar to (but not the same as) the CPRA's opt out right of automated decision making.

Like the CPRA, the VCDPA includes the concept of data minimization, and specific requirements for the collection/use of "sensitive data" (which was originally a concept under the GDPR). From the GDPR, it included the concept and obligations for "controllers" and "processors" of information, which is not part of California's laws. The VCDPA also requires data protection assessments, which, as discussed below, seems similar to the data protection impact assessments under the GDPR, and which is a concept also included in the CPRA (as a cybersecurity audit and a risk assessment).

Companies Required to Comply with CA Privacy Laws May or May Not be Covered Under the VCDPA

Just because you're not covered by the CCPA or CPRA, doesn't mean you'll get out of having to comply with the VCDPA. The threshold requirements under the VA bills are "(i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data." (A consumer under the VCDPA definition is a resident of VA.) The VCDPA threshold requirements are different from the CCPA, which are generally restricted to businesses that have (A) annual gross revenues in excess of $25,000,000 (B) annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, or (C) derives 50 percent or more of its annual revenues from selling consumers’ personal information. The CPRA placed a higher threshold in some respects by requiring at least 100,000 consumers or households (but removed "devices" from the equation).

In some respects, the VCDPA may be broader than the CCPA/CPRA as the VCDPA merely requires that the business "control or process" personal data, whereas the CCPA/CPRA requires that the information is actually used (e.g. buying, receiving, selling, or sharing). One possible interpretation that will need to be considered is whether just having information of a consumer in a database would qualify towards the threshold. On the other hand, for those businesses that met the CCPA/CPRA threshold merely because they have revenues of above $25,000,000 the VCDPA's thresholds are narrower. There are other important nuances in the different threshold requirements, so it is imperative that businesses carefully analyze the VCDPA before making any assumptions. If it looks like the VCDPA may apply to your business it is best to start preparing to comply (e.g. data mapping and review of current information governance policies). With what we see as the inevitable passing of more state privacy laws (which could spark the U.S. Congress to pass overarching federal privacy legislation), it's a very good idea for all businesses to get their ducks in a row now.

NEW CONSUMER RIGHTS AND BUSINESS OBLIGATIONS ARE COMING

It appears that the VCDPA will usher in new rights for the consumer that we haven't exactly seen before in the U.S., including the right to correct information, the explicit right to opt out of targeted advertising, the right to opt out of profiling, and an obligation for covered businesses to conduct data protection assessments.

Right to Correct: The VCDPA gives the consumers the right "[t]o correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data." This right to correct (or, in other words, right to rectify, or right to update) is a new right here in the U.S. (it's also included in the CPRA); although Europeans have had this right for several years under the GDPR. The right to correct creates a significant technological process that covered businesses will need to implement, which will keep their tech teams busy (at a sizable cost to businesses).

Right to Opt Out of Targeted Advertising: When the CCPA passed with language giving the right to opt out of the "sale" of information, without a clear definition of sales, the industry was left to its own devices to interpret whether just sharing information for targeted advertising would constitute a "sale" under the CCPA. The CCPA didn't address targeted advertising directly, the CA Attorney General in writing the rules for the CCPA didn't entirely clarify matters either. Then the CPRA later clarified what constitutes a "sale" a bit by adding an opt-out right for "sharing" and including the following in the definition: "cross-context behavioral advertising, whether or not for monetary or other valuable consideration." Now, under the VCDPA, in order to be defined as a sale it must be "monetary compensation," which will make it easier to interpret what isn't a sale under the bills. However, the VCDPA includes an opt-out right that is not in the CCPA/CPRA; a right to opt out of "targeted advertising." This new opt-out right could cause confusion in and of itself, including whether the opt-out system put in place to comply with the CA rights could also be used for VA consumers to opt out of targeted advertising.

Right to Opt-out of Profiling: Similar to the CPRA, which requires businesses to grant consumers an opt-out right of automated decision-making technology (including profiling), the VCDPA includes an opt out from "profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer." At first glance, this seems narrower than the CPRA, as the VCDPA is tied to legal effects; but we'll need some time to understand how these laws are interpreted by state authorities and the industry before we'll have an idea about how to proceed with compliance.

Conducting Data Protection Assessments: The VCDPA requires controllers to conduct and document a data protection assessment of: targeted advertising; the sale of personal data; profiling (where there are enumerated risks); processing of sensitive data; and, a catch all of "any processing activities involving personal data that present a heightened risk of harm to consumers." Under certain circumstances a business must disclose the data protection assessment to the Attorney General. This type of obligation has been in effect for years in the EU under the GDPR, but with the VCDPA (and a similar concept included in the CPRA) many U.S. companies will need to conduct these assessments for the first time when the VCDPA and the CPRA are fully operative.

NOW, THE GOOD NEWS

There are some bright spots in the VCDPA that will bring a smile to those who have been critical of California's legislature (and voters) for enacting the some-call overreaching and confusing laws, mainly that employment, B2B and loyalty programs don't seem to be effected by the VCDPA. Plus, there doesn't appear to be a private right of action. We discuss each of these further below.

Does Not Cover Employment or B2B: Unlike in California, where provisions related to employment data and business to business ("B2B") data exist within CCPA and more are to come into effect under CPRA, the VCDPA language seems quite clear that it doesn't apply to situations where employee or B2B information is collected. The definition of "consumer" under the VCDPA only includes individuals or household context and "does not include a natural person acting in a commercial or employment context." It also explicitly exempts data that is "processed or maintained (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role; (ii) as the emergency contact information of an individual under this chapter used for emergency contact purposes; or (iii) that is necessary to retain to administer benefits for another individual relating to the individual under clause (i) and used for the purposes of administering those benefits."

Impact on Loyalty Programs: The CCPA caused an uproar and a lot of confusion with respect to whether a loyalty program, which theoretically treats consumers differently depending on the personal information they provide, would violate the CCPA's non-discrimination provisions. The industry was hoping that the CA legislature would clear this up with amendments to the law. However, one amendment that would have really clarified the issue failed, while another amendment that left a lot to be divined did pass. The VCDPA addresses this issue right out of the gate by including a proviso in its non-discrimination clause stating that nothing in the clause prohibits a business "from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out pursuant to § 59.1-573 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program."

No Private Right of Action: As currently written, the VCDPA would not grant a private right of action. The bills include the following language: "Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action to violations of this chapter or under any other law." The VCDPA provides for the Attorney General (who has the "exclusive authority to enforce violations") to give notice of alleged violations, with a 30 day cure period. If the violation continues, then damages can be up to $7,500 for each violation. However, note that the VCDPA does not seem to effect Virginia's current data breach law which allows for a civil penalty not to exceed $150,000 per breach/series of similar breaches, and expressly states that nothing in the section will "limit an individual from recovering direct economic damages."

KEY TAKEAWAYS

The VCDPA is a mish mosh of the CCPA/CPRA and the GDPR, with its own Virginia twist on how to handle consumer's rights to privacy. Those businesses that are already in compliance with the CCPA and the GDPR (and working to comply with the CPRA) are probably in good shape to tackle without too much extra effort the new compliance obligations that the VCDPA will bring. However, for various reasons (e.g. territorial, threshold) many businesses don't have experience complying with the both California and European privacy laws and will have a lot of work to do to prepare for the VCDPA.

We recommend that the compliance preparation for the VCDPA is done as there are enough similarities in the CA and VA laws that a violation of one would likely be a violation of the other, which could spell double trouble.

The clock is ticking, but there is still some time, as the VCDPA bills currently have language that the effective date is delayed until January 1, 2023 (which is the same date at the CPRA will be fully operative). This will give the VA Attorney General time to weigh in on their interpretation, and for all of us to flush out how to comply with this latest (but we don't think last) comprehensive privacy legislation here in the U.S.

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.