New Privacy Laws in Colorado, Virginia & California
August 3, 2021
Following California’s lead, two states recently enacted new privacy laws designed to protect consumers’ rights over their personal data. The Colorado Privacy Act and the Virginia Consumer Data Protection Act mimic California privacy laws and the EU General Data Protection Regulation (GDPR) by imposing stringent requirements on companies that collect or process personal data of state residents. Failure to comply may subject companies to enforcement actions and stiff fines and penalties by regulators.
Virginia Consumer Data Protection Act
On March 2, 2021, Virginia’s legislature passed the Consumer Data Protection Act (CDPA, the Act), which goes into effect on January 1, 2023.
Organizations Subject to the CDPA
The Act generally applies to entities that conduct business in the state of Virginia or that produce products or services targeted to residents of the state and meet one or both of the following criteria: (1) control or process personal data of 100,000 Virginia consumers annually; or (2) control or process personal data of at least 25,000 consumers (the statute is silent as to whether this is an annual requirement) and derive more than 50 percent of gross revenue from the sale of personal data. The processing of personal data includes the collection, use, storage, disclosure, analysis, deletion or modification of personal data.
Notably, certain organizations are exempt from compliance with the CDPA, including government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations and institutions of higher education.
Broad Definition of Personal Data
The CDPA broadly defines personal data to include any information that is linked to an identifiable individual, but does not include de-identified or publicly available information. The Act distinguishes personal sensitive data, which includes specific categories of data such as race, ethnicity, religion, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and geolocation data.
Consumers’ Data Protection Rights
The new Virginia privacy law recognizes certain data protection rights over consumers’ personal information, including the right to access their data, correct inaccuracies in their data, request deletion of their data, receive a copy of their data, and opt out of the processing of their personal data for purposes of targeted advertising, the sale of their data or profiling.
If a consumer exercises any of these rights under the CDPA, a company must respond within 45 days – subject to a one-time 45-day extension. If the company declines to take action in response to the consumer’s request, the company must notify the consumer within 45 days of receipt of the request. Any information provided in response to a consumer’s request shall be…