Virginia’s Consumer Data Protection Act takes effect on January 1, 2023. It adds new consumer privacy rights, a broad definition of “personal data,” a separate “sensitive data” category, and data protection assessment obligations on top of the commonwealth’s three major pre-existing privacy and data protection laws, as Virginia joins the growing ranks of states with comprehensive consumer data privacy acts.
In 2021, Virginia became the second state after California to pass a comprehensive consumer privacy law, the Consumer Data Protection Act (CDPA or the Act). Modeled in part on California’s law and the EU’s General Data Protection Regulation, the CDPA gives Virginians several new rights over their “personal data” (the Act’s term for what other laws call “personal information”): the right to access, the right to correct, the right to delete, the right to data portability, and the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Notably, unlike California’s privacy law, the CDPA does not provide for rulemaking by the attorney general; compliance is therefore measured against the text of the Act itself rather than against rules issued by a government office or agency.
The CDPA broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” excluding de-identified data and publicly available information, and carves out a more protected sub-category called “sensitive data,” which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; personal data collected from a known child; and precise geolocation data. Controllers must “conduct and document a data protection assessment” for each processing activity that involves sensitive data, the sale of personal data, targeted advertising, or profiling that carries a reasonably foreseeable risk of harm to consumers, as well as for any other processing that presents a heightened risk of harm.
But the CDPA should be read alongside, not in isolation from, the commonwealth’s existing network of privacy-related laws. For example, the Personal Information Privacy Act (PIPA) already limits merchants’ ability to sell or disclose their customers’ personal information and restricts the collection and use of social security numbers. The Insurance Data Security Act (IDSA), in effect for more than two years, and its implementing regulations require licensees in Virginia’s insurance industry to conduct risk assessments, maintain a written information security program, investigate cybersecurity events, and report such events to the insurance commissioner. And for almost a decade and a half, under the Data Breach Notification Law (DBNL), the commonwealth has required state agencies and entities doing business in Virginia to notify affected state residents of any breach that the entity reasonably believes has caused or will cause identity theft or other fraud.
Additionally, companies that collect personal information from residents of states other than Virginia should consider the growing list of states that have enacted comprehensive consumer data privacy laws. California, Colorado, Connecticut, and Utah already have such laws, and legislators in several other states have introduced similar bills. While these laws and proposed bills share common provisions, such as the rights to access, delete, and opt out of the sale of personal information, they also differ in important ways, particularly in their definitions, applicability thresholds, and scope, so a company that collects consumer data across state lines should assess each law individually to determine whether it applies.
Companies that collect, process, or sell Virginians’ personal data should read the CDPA carefully to determine whether they are subject to the Act’s new obligations. Because the CDPA grants no rulemaking authority, commonwealth businesses can rely on the plain meaning of the Act’s text rather than await a future interpretation from regulators. They should, however, remain mindful of any applicable requirements under Virginia’s pre-existing laws, including the PIPA, IDSA, and DBNL, which the CDPA supplements rather than replaces. Companies collecting personal data across state lines should review the current list of states with comprehensive consumer data privacy laws to determine which apply, and should consider building a privacy program that satisfies those obligations while leaving room to adapt, since new laws and regulations in the consumer privacy sphere are likely to keep arriving.