- Virginia act establishes consumer privacy rights
- VCDPA incorporates lessons learned from CCPA
- CCPA compliance plan insufficient for Virginia
Virginia is expected to become the second U.S. state to pass a data protection act that grants consumers privacy rights. The act is considered to be more business friendly but less nuanced than its forerunner in California.
The Virginia Consumer Data Protection Act (VCDPA) establishes a series of consumer privacy rights, including the right to access the data businesses collect, request deletion of that information, and correct inaccuracies.
The act also allows Virginia residents to request a copy of their data in a portable way, transport that data to another business, and opt out of sale, targeted advertising or, in some cases, consumer profiling.
The VCDPA gained strong bipartisan support from both chambers of the state legislature. The House voted 89-9 to pass the bill, while the Senate passed a companion bill almost unanimously, with only one abstention.
Due to the very short legislative period, the bills could not be put up for a vote in the other chambers before the session ended on February 5. However, Governor Ralph Northam has announced the opening of a special session until February 27, allowing lawmakers to complete the process.
The Virginia bill mirrors a Washington proposal, David Stauss, a partner at Husch Blackwell, told VIXIO.
The Washington Privacy Act was introduced by Senator Reuven Carlyle in the last two sessions of the state’s legislature but got stuck in the House-Senate conference committee over the issue of whether there should be a private right of action in the enforcement of the law.
Minnesota Representative Steve Elkins previously told VIXIO that he hopes the Washington bill can serve as a template for other states to adopt their own data protection laws.
The VCDPA, like the new version of the Washington bill, does not establish a private right of action. Instead, it authorizes the state attorney general to litigate and seek damages as high as $7,500 on behalf of Virginia residents for “any violations” of the act.
Compared with the California Consumer Privacy Act (CCPA), the VCDPA represents a more business-friendly approach, Stauss said.
Many businesses are subject to the CCPA because they collect personal information of California residents and have annual gross revenues of more than $25m. The CCPA applies to them if they meet the monetary threshold regardless of whether the business stores the information of 1,000 or 100,000 consumers.
The Virginia act does not establish this monetary threshold, which makes the act more business-friendly, Stauss added.
The VCDPA applies to businesses that control the personal data of either 100,000 consumers, or 25,000 consumers where 50 percent of the business’s gross revenues come from the sale of that information.
The act establishes a set of exemptions for 14 categories of information, as well as for entities that are subject to certain federal acts.
The VCDPA diverges at this point from the California act, which generally sets out exemptions based on the type of data held. While the CCPA exempts the “information” that is subject to the Gramm-Leach-Bliley Act (GLBA), the Virginia act does not apply to “financial institutions” that are subject to the GLBA, Glenn Brown, of counsel at Squire Patton Boggs, noted.
As Virginia exempts financial institutions generally and not just the data protected by the GLBA, financial institutions may hold personal information that is regulated neither by the GLBA nor the Virginia act.
At the same time, Virginia provides greater clarity on certain grey areas of the CCPA, Brown noted.
“The drafting of the Virginia bill was certainly informed by businesses’ experience with the CCPA and the challenges with it,” the lawyer said.
The CCPA’s definition of “sale,” described as an exchange of personal information for monetary or “other valuable consideration,” raised many questions on how it affects online targeted advertising or digital advertising.
Virginia makes compliance easier by providing a clearer definition when describing “sale” as the exchange of personal data for monetary consideration only, Brown said.
Similarly, the VCDPA does not impose regulatory requirements on retailers that offer loyalty programs to consumers, such as emailed coupons or discounts, a provision that made compliance with the CCPA more challenging.
The acts are “different enough that a business’s CCPA compliance plan would not be enough to cover compliance with the Virginia bill,” Brown pointed out.
Although the Virginia act certainly incorporated lessons learned from the CCPA, it is also lacking in details, he added.
The CCPA, and the California Privacy Rights Act (CPRA) which amends it, require California to add further details to consumer rights by adopting a series of regulations. The Virginia act, on the other hand, does not provide details around consumer rights or set out rulemaking to follow.
For example, the VCDPA lacks practical details on the timeframe of the data that consumers can have access to, or whether there is any information that is exempt from a request for deletion, Brown said.
The CCPA and the CPRA had provisions that set out a rulemaking process aimed at clarifying details of these rights, as well as providing guidance to businesses.
A substantial divergence between the Virginia and the California acts is expected to come from this rulemaking authority, which requires the new California agency to adopt regulations on 22 topics to ensure compliance, Stauss added.
Delegate Cliff Hayes, the main sponsor of the VCDPA in the state’s House, told VIXIO that the act is intended to express “extreme support for consumers’ data privacy rights” as 70 percent of the world’s internet traffic flows through the state’s data centers.
It is not clear yet whether the act applies to those companies, as the VCDPA mainly regulates the data controller, the entity “who determines the purpose and means of processing personal data,” Lydia de la Torre, of counsel at Squire Patton Boggs, told VIXIO.
If signed into law, the VCDPA will come into effect on January 1, 2023, the same time as the CPRA.
In addition to California and Virginia, Nevada has provisions in place that enable consumers to opt out of the sale of their personally identifiable information by online websites.
Since the new legislative sessions started in January, 14 states have introduced comprehensive data protection bills that grant consumer privacy rights similar to those established by the CCPA and the VCDPA.