The Virginia Consumer Data Protection Act, what would be the country's second comprehensive privacy law If passed, is poised to become law, possibly by the end of the month.
Like the California Privacy Rights Act (CPRA) - the follow up to the country’s first major state-specific privacy law, the California Consumer Privacy Act - the Virginia law would go into on January 1, 2023.
Legislation like Virginia's is seemingly commonplace these days, showing signs the increasingly complex patchwork of privacy laws in place from state to state isn't going away anytime soon.
As is to be expected, given there’s only so many wide-reaching consumer privacy laws on the books in the US, Virginia’s CDPA has some similarities to the CCPA.
For one, it has a similar threshold requirement to determine whether or not an organization needs to comply. If signed into law, the CDPA will apply to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents. Organizations also need to control or process data belonging to 100,000 Virginians or control or process data of 25,000 Virginians and receive over 50 percent of its gross revenue from the sale of that data. It's possible CDPA may apply to fewer companies than the CCPA does as the former applies organizations make more than $25,000,000 a year.
Not all sensitive data will need to comply with the law. Like the California laws, the CDPA has several exemptions carved into it, including data subject to the Gramm-Leach-Bliley Act (GLBA), protected health information under the Health Information Portability and Accountability Act (HIPAA), along with the Family Education and Privacy Act, the Fair Credit Reporting Act, the Farm Credit Act, the Children’s Online Privacy Protection Act (COPPA), and the Driver’s Privacy Protection Act.
Like the CCPA, the CDPA is also set to be enforceable via civil actions by the commonwealth's attorney general; it also includes a 30-day cure provision. That essentially allows the organization time - 30 days after its received notice from the Attorney General - to cure whatever issue has arisen before any administrative enforcement is carried out. For what it's worth, the CPRA is set to eliminate that cure period for violations in 2023.
Like the GDPR - the European Union's privacy law - the CDPA outlines the differences and requirements of data controllers and processors. It also requires organizations to carry out data protection assessments when processing data for targeted advertising, selling data, processing data for profiling, and anything that may result in harm to consumers.
While the CDPA isn’t a law yet it sounds as if it could be by the end of the month, if not by the end of the week.
Last Friday was the deadline for each house to complete work on its legislation; the Virginia General Assembly adjourns on February, meaning in theory the bill could be reconciled and passed along to the state's governor to sign off on it soon.
Legislation around the act has seen strong support in both the Senate and the House there. SB 1392 passed its first and second readings in the Senate unanimously 39-0 last week; HB2307 passed 89-9 in the House last month.
A similar law, the Virginia Privacy Act, which would amend and reenact the Code of Virginia by adding sections on the management and oversight of personal data was introduced in January 2020 but was ultimately deferred.
While the CDPA isn't a law - not yet technically at least - it wouldn't hurt for businesses to at least be aware of its obligations and if there are any cybersecurity programs that can be implemented to better map out and visualize sensitive data that the CDPA may apply to.
While controllers will have to limit the data they collect to data that's relevant and reasonably necessary under CDPA, they'll also be expected to implement "reasonable security practices" to protect that data. Solutions that can prevent data from being improperly accessed, acquired, or disclosed should be able to satisfy data security mandates like those laid out in the CDPA.
