Virginia data privacy law presents new challenges for security practitioners

March 25, 2021
Legal experts discuss what CSOs, CISOs need to know in preparing for the VCDPA

The nation’s second comprehensive consumer privacy law – the Virginia Consumer Data Protection Act (“VCDPA”) – was signed into law on March 2, 2021. While VCDPA incorporates familiar concepts emanating from the EU’s landmark privacy legislation, the General Data Protection Regulation (“GDPR”), and the California Consumer Privacy Act (“CCPA”), the introduction of this new privacy law may still produce complications for CSOs and CISOs.

For CSOs and CISOs looking for a silver lining, VCDPA is, generally speaking, a hybrid of GDPR, CCPA, and the new California Privacy Rights Act (“CPRA”), which was passed by referendum vote in November 2020 and significantly amends CCPA. The good news is that CPRA and VCDPA, while not twins, are closely related and have the same effective date: January 1, 2023.[1] As a result, companies that must comply with both CPRA and VCDPA will be working on an identical time frame to achieve very similar compliance goals.

That said, the majority of concerns will relate to reconciling the new Virginia requirements with those of CCPA and GDPR. Having to segregate data, and the use of that data, based on competing privacy laws will complicate a company’s business activities and may make certain types of information processing less appealing. CSOs and CISOs are understandably worried about the logistics of complying with differing privacy standards at granular levels. For instance, GDPR, CPRA, and VCDPA (unlike CCPA) each create a category of “sensitive information”[2] and establish additional consumer rights and business obligations in connection with its use. The extra level of categorization and obligation will require companies to fragment data into general categories of sensitive information and non-sensitive information. This will necessarily be accompanied by a breakdown of sensitive information for which the company has received consent to collect and process under VCDPA, sensitive information for which the company has not received consent and thus cannot collect or process under VCDPA, and sensitive information that does not require consent to process under CCPA or CPRA, but may be subject to a consumer-imposed restriction under CPRA. To further complicate matters, each law has differing requirements on additional uses of information that are compatible or incompatible with (or, for CCPA, materially different from) the disclosed purposes for processing that information.

How VCDPA Stacks Up

Scope. Unlike GDPR, but similar to CCPA, VCDPA requires a company to “do business” in, or target citizens of, the state and utilizes certain quantitative thresholds to identify which entities may be subject to the law. In particular, the VCDPA applies to persons or entities (referred to as “controllers”) that do business in Virginia or produce products or services that are targeted to Virginia residents, and either:

a. control or process personal data of at least 100,000 “consumers”; or

b. (i) derive over 50% of gross revenue from the sale of personal data and (ii) control or process personal data of at least 25,000 consumers.

When comparing VCDPA’s jurisdictional analysis to that of CCPA, an annual company revenue threshold (except to the extent tied specifically to the sale of information) is notably absent, simultaneously bringing “smaller” companies with large amounts of data under the statute while potentially allowing “larger” companies to escape its reach. While GDPR, CCPA, and VCDPA share in a broad definition of personal data, VCDPA diverges from its cousins in the treatment of employees and individuals acting in a business capacity. Unlike GDPR and CCPA, the latter of which has a temporary partial carve-out for employees and B2B information, the VCDPA expressly excludes persons acting in a commercial or employment context from the definition of “consumers.”

Similarities. VCDPA and the California privacy statutes are similar in some respects, such as granting consumers a right to know and access their personal data, a limited right to delete data, and a right to opt-out of certain uses of data. In addition, both sets of laws have obligations that the collection, use, and disclosure of personal data be disclosed to consumers and require written contracts with vendors. Further, both sets of laws have carve-outs for personal information collected and used in a commercial or employment context, although California’s exceptions are more limited in scope and are only temporary.

Differences. Virginia’s terminology and overall approach resemble GDPR more than CCPA/CPRA. For instance, the Virginia law designates some personal information as “sensitive” and requires specific, informed, and freely given consent for processing. Additionally, Virginia grants consumers the right to correct information and to appeal denials of consumer requests. In a unique departure from its predecessor laws, VCDPA also requires that controllers provide a direct pathway for consumers to contact the Commonwealth’s Attorney General if their consumer rights appeal is denied.

Unlike CCPA, Virginia’s right to opt-out of the sale of information is limited to monetary exchanges. However, it does establish a separate right to opt-out of targeted advertising and certain profiling. The Virginia law also imposes obligations on controllers to perform data protection assessments – known as data protection impact assessments under the GDPR – and borrows the GDPR’s principle of “privacy by default” to restrict the collection and use of information to that which is “adequate, relevant and reasonably necessary” for a disclosed purpose. Though these gaps are significant, the CPRA does modify the CCPA enough to bring the California and Virginia compliance frameworks more closely in line with one another. Still, California’s framework is much more disjointed and onerous from a compliance perspective.

Additionally, VCDPA requires greater detail in vendor agreements than is required for CCPA Service Provider Agreements. Under VCDPA, controllers must enter into agreements with data “processors” that are much closer to the requirements of Data Processing Agreements/Addenda under GDPR: (a) clearly set forth instructions for processing personal data; (b) identify the type of personal data subject to processing, the duration of processing, and the rights and obligations of both parties; and (c) ensure that individuals processing personal data are subject to a duty of confidentiality. These agreements must also provide for the deletion or return of data at the request of the controller or upon termination of the relationship. Any subcontractors that are engaged must meet the statutory obligations for processors.

Lessons Learned

1. Be aware that VCDPA, GDPR, or CCPA/CPRA compliance are not equal substitutes. While certain obligations and concepts may overlap, there are some critical areas of distinction (see above).

2. Be conscious of jurisdictional reach. Many companies voluntarily undertook CCPA compliance out of fear of consequences rather than as a result of a careful and thorough legal and risk analysis. While a calculated analysis may lead to a conclusion that compliance is required, it may also plausibly produce a conclusion that compliance is not required.

3. Be flexible and anticipate potential changes. CCPA regulations were revised several times before they were finalized, and many of the changes were significant. The VCDPA does not expressly call for the development of regulations by the Virginia Attorney General, unlike CCPA, but does establish a “work group” of state officials, business representatives, and consumer rights advocates to review the law and submit recommendations by November 1, 2021. This group may ultimately drive the creation of regulations or statutory amendments.

4. Be proactive but don’t panic. New comprehensive privacy laws generally give some lead-time to institute compliance measures before becoming effective. That said, a last-minute rush to attempt compliance could lead to difficulties, especially where vendors are involved. Start early by evaluating what data you have (including whether it falls into a sensitive category), map the source and how you use or disclose it, and decide whether you really need or want it in light of the accompanying obligations. If application of the law seems likely, begin gathering vendor contracts that may need to be amended.

5. Be mindful of “sensitive” data. Sensitive personal data is generally treated differently than other data, with more scrutiny concerning its collection and use, and greater consumer protections than other forms of personal information.

Recommendations

The first step is to make sure that compliance is truly necessary before committing to undertake compliance. If a company is – or will be – subject to multiple consumer privacy laws, now is the time to strategize the best and most efficient approach to attaining compliance. Laying the groundwork for future compliance will require significant preparation similar to that undertaken for GDPR and CCPA, including inter-departmental collaboration, careful forethought, and an end-of-the-day evaluation of whether certain collection or processing activities are worth the compliance efforts.

Citations:

[1] Note that CPRA has a lookback period to 2022 for certain activities and obligations.

[2] Similar to GDPR and CPRA, VCDPA includes the following as “sensitive information”:

(i) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
(ii) Genetic or biometric data processed for the purpose of uniquely identifying a natural person;
(iii) Personal data collected from a “known child” (undefined); or
(iv) Precise geolocation data.

About the Authors:

Stephenie G. Anderson Scialabba is a Pittsburgh-based attorney at the law firm of Eckert Seamans Cherin & Mellott, LLC. Stephenie focuses her practice on global and domestic cybersecurity and data privacy matters. She regularly advises clients in the health, hospitality, gaming and tech industries as to their legal obligations — proactive and reactive — in the evolving compliance landscape. Stephenie has represented clients in numerous facets of domestic and multi-national data breach response, including breach notification and investigations from the Office of Civil Rights, state Attorneys General, and other governmental regulators. Her practice also consists of working with clients to develop privacy practices and policies that are appropriate for their business models. She is familiar with the European Union’s General Data Protection Regulation (GDPR), the Health Insurance Portability & Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), the Payment Card Industry Data Security Standard (PCI-DSS), and various other privacy and security laws.

Sandy Garfinkel is a business litigator who serves as the chair of Eckert Seamans Cherin & Mellott, LLC’s Data Security & Privacy Group. As a nationally regarded authority on data security and privacy matters, Sandy is regularly published and speaks at numerous industry conferences on preparing for and responding to data breaches. In addition to his data breach response practice, Sandy works closely with the firm’s business clients concerning all aspects of General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance and enforcement. He works with clients on data security and privacy matters across a variety of industries and sectors, including hospitality, consumer products, insurance, education, health care, manufacturing, and telecommunications.