After over a year of studying California’s Consumer Privacy Act and its impact, Virginia is poised to be the second state to pass its own version – to be known as the Consumer Data Protection Act (CDPA),[1] with an expected effective date of January 1, 2023. A handful of other states have similar bills pending at this time. Virginia’s law, like California’s, authorizes the Commonwealth of Virginia’s Attorney General to be its enforcer. Unlike California’s CCPA, Virginia’s law expressly prohibits lawsuits by private individuals.
The bill’s sponsor, State Senator David Marsden, explained, “Virginia’s goal was to stop the misuse of personal data and not … creat[e] opportunities for lots of lawsuits.”[2] Virginia’s CDPA creates a “Consumer Privacy Fund” to create resources for, among other things, the Attorney General to enforce this law.
Virginians already have a confirmed legal right to sue for damages or losses caused by data breaches.[3] In September 2020, a federal district court in Virginia held that consumers whose confidential personal information was compromised in a data security breach could bring a claim against the breached financial institution under a variety of legal theories such as negligence or Virginia’s Data Breach Notification Law.
Virginia’s CDPA would apply to any persons conducting business in Virginia that either (i) control or process personal data of at least 100,000 consumers, or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
Like California’s CCPA, the Virginia CDPA vests consumers with rights to access, delete, correct, obtain copies of personal data, and opt out of the processing of their personal data for the purposes of targeted advertising. Virginia’s law reflects concepts from a host of other privacy and data security laws – for example, it makes numerous references to terminology from the Health Insurance Portability and Accountability Act of 1996 (and its amendments and regulations – collectively, “HIPAA”) and includes slightly circuitous concepts of a “processor” who is processing personal data on behalf of a “controller,” which is defined as an entity that “determines the purpose and means of processing personal data.” The data or information the CDPA covers is scoped broadly to include biometric data and geolocation data. The activities that fall within the definition of “process” or “processing” are wide-ranging and include “analysis” and “modification of personal data” – or even “storage” of personal data.
Like California’s CCPA, the Virginia law is designed to exempt health care data already protected under HIPAA or information collected for purposes of assessing consumers’ creditworthiness. Some experts feel Virginia’s law could put more pressure on Congress to pass a federal data privacy law.[4] However, former FTC Commissioner and expected CFPB Director Rohit Chopra has written statements strongly advocating for both state and federal regulation of privacy and data security to protect Americans.
Two significant ways in which Virginia’s law differs from California’s are:
- No annual gross revenue threshold for companies to whom this law would apply;
- No private right of action.
Although many states considered similar bills in 2020, none passed. It will be interesting to see if state legislatures in 2021 are more likely to enact these laws. Sticking points in the past have included issues such as what types of exemptions or exceptions to apply, how to harmonize these new data protection laws with state data protection or data breach laws already on the books, whether or not to allow private litigation, and how to keep pace with evolving technology and robust forms of personal data that are in need of protection. Other states to keep an eye on that are considering similar legislation this year include:
- New York’s “Right to Know Act” Senate Bill 1349
- Oklahoma’s House Bill 1130
- Vermont’s House Bill 75
- Washington’s Senate Bill 5062
- Nebraska’s “Personal Privacy Protection Act” Legislative Bill 370
- Connecticut’s Proposed Bill 156
-------
[1] See, Senate Bill 1392, passed Virginia’s Senate and expected to pass its House and be signed into law by Governor Ralph Northam as quickly as April. https://lis.virginia.gov/cgi-bin/legp604.exe?211+sum+SB1392 See also, https://www.rollcall.com/2021/02/16/virginia-set-to-become-second-state-to-pass-data-privacy-law/
[2] Ibid.
[3] See, In Re: Capital One Consumer Data Security Breach Litigation, United States District Court, E.D. Virginia, Alexandria Division, September 18, 2020, 2020 WL 5629790
[4] See fn 1, ibid.