Virginia Expected to Sign Consumer Data Protection Act
February 23, 2021
Virginia’s Consumer Data Protection Act (CDPA) is expected to be signed into law by Governor Ralph Northam and will be the second comprehensive state data privacy law in the United States after the California Consumer Privacy Act of 2018 (CCPA). The CDPA comes into effect on January 1, 2023—the same date that the California Privacy Rights Act (CPRA) amendments take effect—and will require entities subject to the law to coordinate their efforts to ensure compliance with their growing obligations under these dynamic state privacy law developments. We explore the CDPA in more detail below.
OVERVIEW OF THE CDPA
The CDPA will apply to companies that conduct business in Virginia, or that target their products and services to Virginia residents, and that either: (i) control or process personal data of at least 100,000 Virginia residents or (ii) control or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
As with the CCPA, the CDPA has several broad entity-type and data-type exemptions. The CDPA will not apply to nonprofits, institutions of higher education and entities governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). The CDPA also exempts personal data belonging to individuals acting in commercial or employment contexts, protected health information governed by HIPAA and health records governed by other healthcare-related state and federal laws, and data regulated by the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act and Farm Credit Act.
CDPA uses the term “controller” to describe the entity that determines the purpose and means of processing data. Controllers have a number of responsibilities under the CDPA that are reminiscent of the obligations that apply to “businesses” under the CCPA/CPRA and “controllers” under the General Data Protection Regulation (GDPR). Controllers must:
Obtain consent prior to collecting and processing sensitive personal data (e.g., data revealing certain protected characteristics, genetic or biometric data, data collected from children or precise geolocation data)
Comply with data processing principles that ensure purpose limitation of personal data and data minimization
Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data
Enter into a written contract with third-party “processors”…