With the passing of the California Consumer Privacy Act (“CCPA”)[1], California has taken center stage in data privacy compliance. This past month, however, Virginia joined it on that stage. On March 2, 2021, Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (“VCDPA”).[2]
The VCDPA is heavily influenced by both the CCPA and the General Data Protection Regulation (“GDPR”). Influences aside, the VCDPA also contains unique features. These unique features do not necessarily add complexity. To the contrary, Virginia drew on the significant commentary surrounding the CCPA and the GDPR, and on the ambiguities both created for business implementations, to the benefit of entities subject to the statute. However, while the VCDPA clarifies several sources of contention identified within the CCPA, the statute is not without its own ambiguities and foreseeable uncertainty, as detailed below.
While both the CCPA and the VCDPA contain business size thresholds, the VCDPA’s thresholds do not carry a strict revenue requirement. As noted in the VCDPA, an entity must either “(i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” This statement of the VCDPA’s applicability gives growing businesses clarity on the continually asked question: “Does this apply to me?”
Accordingly, this post briefly summarizes key elements of the VCDPA. The elements discussed include the following:
- Scope of the VCDPA;
- Business Obligations;
- Exemptions; and
- Enforcement.
While the above list is by no means exhaustive, future postings will continue to expand on the detail found herein.
While the VCDPA applies to entities conducting business in Virginia, it also uses a “targeting approach” similar to that of the GDPR. More specifically, the VCDPA applies to entities that “produce products or services that are targeted to residents of the Commonwealth.” If upon reading this you are unclear what exactly this means, rest assured, you are not alone. One suspects this language will be a source of contention for State Regulators and businesses alike. Fortunately, however, the GDPR will likely offer a guiding light as the VCDPA’s statutory obligations take hold.
In addition to the above, the VCDPA requires “Controllers” and “Processors” to act in accordance with specific obligations. Under the statute, a Controller is an entity that, alone or jointly with another, determines the purpose and means by which personal data is processed. A Processor is an entity that processes personal data on behalf of the Controller. Whether one is a Controller or a Processor determines which obligations apply under the statute. Indeed, who is deemed a “Controller” and who a “Processor” can become rather fact specific. As such, please consult a specialist should questions arise. First, the good news: if you are CCPA compliant, you are nearly compliant with the VCDPA. However, some nuances specific to the VCDPA are detailed below.
- Assessment of Data Protections: Routine data protection assessments must be conducted for specific data processing activities. For example, personal data used for profiling or for targeted advertising requires regular assessments.
- User Opt Out: Under the VCDPA, consumers are afforded the right to opt out of the processing of personal data for targeted advertising and profiling.
- “Sensitive Data” Restrictions: Controllers may not process “sensitive data” concerning a consumer without first obtaining the consumer’s consent.
- Data Collection Limits: Under the VCDPA, data collection must be limited to what is “adequate, relevant, and reasonably necessary” in relation to the purposes for which the data is processed.
While the above provides a brief overview, please note that one should examine the statute thoroughly to discern its applicability to you and your business operations. The VCDPA also sets out exemptions for various categories of entities and data. For example, exempt entities and data include, but are not limited to, the following:
- Entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
- Entities subject to the Gramm-Leach-Bliley Act;
- Government entities;
- Nonprofits; and
- Personal data regulated under the Federal Fair Credit Reporting Act.
Please note that the above list is by no means exhaustive. Additional exemptions relating to particular information types and to employment-related data exist and are detailed further in the statute.

Enforcement of the VCDPA rests exclusively with the Virginia Attorney General’s office. In other words, the VCDPA creates no private right of action. Fortunately, much like the CCPA, the Attorney General must provide 30 days’ notice of any violation of the statute. In doing so, entities are afforded the ability to remediate and cure the violation. Once cured, the entity must provide an “express written statement” detailing that adequate curing measures have been undertaken. In the event the violation is not properly cured, entities may be subject to civil penalties of up to $7,500 per violation under the statute.

Finally, the VCDPA does not formally come into effect until January 1, 2023. As such, one expects amendments to take form over the coming years, requiring vigilance and dedicated resources to ensure your business remains compliant with the VCDPA. Accordingly, businesses should begin formally planning compliance strategies now in light of the obligations imposed under the statute. As the legal landscape of data privacy, consumer rights, and cybersecurity continues to evolve rapidly, one expects increasingly mounting State-specific compliance requirements.
At Alliant Cybersecurity, our team is focused on providing solutions to the ever-growing digital threats and regulatory compliance challenges that American businesses face. Please reach out to our experienced team of professionals should you have any questions.