Another One! Virginia’s New Data Privacy Law

Posted by

Virginia Governor Ralph Northam recently signed into law the Consumer Data Protection Act (“CDPA”) which will take effect on January 1, 2023. This makes Virginia the second state after California and their CCPA (California Consumer Privacy Act) to explicitly adopt enhanced protections passed into law. Though other states (like Washington) have come close to doing so and are likely to succeed in the near future, and yet others have included personal data protections in less explicit bills like the Nevada Revised Statutes Chapter 603A. As other nations adopt data protection regulation and the various states proliferate similar but subtly different protections it seems only a matter of time (and likely not too far off) until the USA has a national level individual data protection and privacy law. Now that Democrats control a majority of seats in Congress it seems likely a bill like the Consumer Online Privacy Rights Act that Democratic Sen. Maria Cantwell introduced last year will be re-introduced. Tim Wu’s appointment to the National Economic Council in the Biden Administration is widely considered a concerning sign for massive tech businesses.

The trouble is, as these laws are passed, massive tech companies like Facebook, Google, Microsoft, Apple and other household names can employ armies of developers, lawyers and consultants to delay enforcement and bolt on the minimally required compliance, while small and medium businesses and startups are often left in the terrible position of ignoring the problem or massively investing in high priced compliance programs.

Though many may think they can simply comply for one state or another – witness all the CCPA data subject access forms we found in our Privacy Hunt Database that state “only for residents of California.” Many don’t realize that, for instance, the GDPR doesn’t stop at Europe’s Borders. It protects a person or entity subject to EU laws a “Data Subject” from any corporation regardless of geographic location. So a small American Business that collects information on a German citizen who then submits a data access or deletion request that does not do the manual work to provide the information or delete it could find itself facing the notoriously stiff fine of up  to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher!

Finally, product teams and builders know the drag on team delivery and engagement building out compliance or performing manual requests. Having a delightful self-service data interface for their users like Rownd’s Personal Data Center helps to build trust between the company and their users, to speed delivery of features and experiences customers love and frees teams from working on things they’d rather not. You can get started and try building with Rownd for free today!

But if you’d rather peruse a little reference we’ve assembled on some of the different regulations you can peruse this table (this does not constitute legal advice or protection from Rownd!)

European Union General Data Protection Regulation (GDPR)Nevada Revised Statutes Chapter 603A California Consumer Privacy Act (CCPA)Virginia Consumer Data Protection Act (CDPA)
Effective/Enforceable DateMay 25, 2018Originally went into effect in 2017; was further amended effective October 1, 2019January 1, 2020 (further amended by the California Privacy Rights Act, most of which becomes effective January 1, 2023)January 1, 2023
Who is subject to it?Any business that targets data subjects residing in the European Economic Area (EEA)Any person or entity who:Owns and operates a website for business purposes; andCollects and maintains the personal information from consumers who reside in Nevada and use or visit the website; and Purposefully directs its activities towards Nevada or consummates a transaction with the State of Nevada or a resident of NevadaBusinesses that: Collect personal information; andDo business in the State of California; andSatisfy one or more of the following:Have annual gross revenues greater than $25,000,000;Buy, collect, sell, or share the personal information of 50,000 or more consumers, households, or devices; orDerive 50% or more of its annual revenues from selling personal information.Companies that:Conduct business in Virginia or market their goods and services to Virginia residents; and Either:control or process personal data of at least 100,000 Virginia residents orcontrol or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
Who is exempt from it?Very few exemptions; no explicit carveouts like with US privacy laws Does not apply if:You are located in Nevada; andYour revenue is derived primarily from a source other than selling goods, services or credit on your website; and Your website has less than 20,000 unique visitors per year.Other exclusions: companies regulated by Gramm-Leach-Bliley Act, HIPAA, and a few other smaller exceptionsDoes not apply to companies regulated by the Gramm-Leach-Bliley Act or HIPAA, and a few other smaller exceptions (some of which expire on January 1, 2023)Does not apply to: nonprofits, institutions of higher education and entities governed by HIPAA or the Gramm-Leach-Bliley Act, commercial or employment data, and a few other smaller exceptions  
Privacy Policy RequirementsBusiness must be clear as to what information is being collected, for what purposes, the legal basis for collecting such information, and how that information will be used (including whether it will be sold/shared with third parties) 
The company must also provide information regarding how data subjects can exercise their rights under GDPR  
Privacy policy must include: (1) The categories of PII collected; (2) The categories of third parties with whom that PII is shared; (3) A description of the process (if such process exists) for the user to review and request changes to his or her PII; (4) Whether or not the company sells the PII of Nevada consumers; (5) A designated request address at which Nevada consumers can submit a request asking the company not to sell their PII; (6) A description of the process by which you will let users to know of any changes to the Company’s Privacy Policy; (7) If a third party collects information about the user throughout different websites (cookies); and (8) The effective date of the Privacy Policy. Privacy policy must include: (1)The categories of personal information collected; (2) the categories of sources from which the personal information is collected; (3) purposes for which the data is collected;  (4) the categories of third parties with whom the business shares personal information; (5) the specific pieces of personal information it has collected about that consumer; and (6) whether data is sold to third parties, and if so, to whom and what categories of data.  Privacy policy must be clear and conspicuous and must include: (1) a description of how the company collects, uses, and shares personal data; (2) whether the company sells personal data; and (3) whether they provide personal data for targeted advertising purposes. 
Additionally, businesses must inform consumers of their rights under the CDPA, and the Privacy Policy is a good place to do so. 
Consumer RightsRights include the right to:Be informedAccessRectificationRestrict processing Data portabilityObject to use of data  for direct marketing use or individual decision-making and other grounds for objectionErasure (AKA “the right to be forgotten”)Gives consumers a limited right to opt-out of the sale of their personal information (subject to certain exceptions)Rights include the right to:Know and access personal dataDelete personal dataOpt out of the sale of personal dataData portabilityNondiscrimination 
Rights added January 1, 2023 include the right to:correct/rectify inaccuracies Opt out of sharing for behavior advertisingLimit use and disclosure of sensitive informationOpt out of the use of data for automated decision-making 
Rights include the right to:Know, access, and confirm personal dataDelete personal dataCorrect inaccuracies in the personal dataData portabilityOpt out of the processing of personal data for targeted advertising purposesOpt out of the sale of personal dataOpt out of profilingNondiscrimination for exercising these rights 
Other Business ObligationsData minimization (only data required for stated purpose is collected)
Purpose limitation (purpose of collecting data must be clear and recorded and can be changed only with consent)
Storage limitation (data cannot be kept longer than necessary)
Must have a legal basis for processing, which can be:Clear, affirmative, freely given, specific, and informed consent (with record and easily withdrawable at any time) Processing is necessary to satisfy a contract to which the data subject is a partyData is needed to comply with a  legal obligationData is needed to save  somebody’s lifeProcessing is necessary for the public interest or to carry out an official functionA legitimate interest to process such data 
Before processing certain types of data, a data processing impact assessment must take place
Reasonable security measures must be in place to protect personal data 
Depending on the size of the company and the nature of its data processing activity, GDPR may  require the company to maintain a Data Protection Officer (DPO)
Must implement and maintain reasonable data security measures to protect data from unauthorised access, acquisition, destruction, use or modification or disclosureMandatory contracting for “service providers” and “third parties” to whom the company does not sell personal dataUnder CPRA, mandatory contracting requirement extends to “contractors” who have access to personal data The CPRA also requires data minimization Must obtain consent prior to collecting and processing certain categories of data including (protected characteristics, genetic or biometric data, data collected about children, and precise geolocation data)
Data minimization and purpose limitation principles 
Implement and maintain reasonable data security  practices to protect the confidentiality, integrity and accessibility of personal data
Mandatory contracting with any entity that processes data on the company’s behalf that implements the requirements of the Act 
Conduct and document a data protection assessment when processing sensitive data or conducting activities related to targeted advertising, selling data, or profiling
Cost of non-complianceUp to $23 million or 4% of their annual global turnover (whichever is higher) Up to $5,000 per violationUp to $2,500 per violation and $7,500 per intentional violationUp to $7,500 per violation