Privacy Protection Patchwork, Part I: New Comprehensive State Privacy Laws and How They Could Impact Your Business
The number of states enacting comprehensive privacy laws is growing, adding to the existing patchwork of privacy, security, and data breach notification laws that keep legal and compliance personnel busy. Businesses should start preparing for the 2023 effective dates for many of these laws. This five-part series will highlight key provisions in a few of the new comprehensive privacy laws and regulations. Each week we will examine laws in a new state – Virginia, Utah, Colorado, Connecticut, and California – and provide recommendations on what steps businesses should consider taking now as they dust off their privacy and security policies. This first post will focus on the Virginia Consumer Data Protection Act.
Stay tuned every week as we highlight key takeaways from these new laws. We anticipate that this series will continue to grow as states enact or revise consumer privacy laws.
The Virginia Consumer Data Protection Act
On March 2, 2021, the Virginia Legislature passed the Virginia Consumer Data Protection Act (VCDPA), will become on January 1, 2023. The law incorporates elements from the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) from the European Union, and other proposed state laws. Here, we provide a summary of key provisions and recommendations on what steps businesses should consider taking now as they dust off their privacy and security policies.
1. Applicability Threshold
Unlike the CCPA, the VCDPA does not include a revenue threshold for applicability. Instead, businesses that conduct business in Virginia or provide products or services that are targeted to Virginia residents are subject to the VCDPA if the business either:
- Controls or processes the personal data of at least 100,000 consumers during a calendar year; or
- Controls or processes the personal data of at least 25,000 consumers and derives at least 50% of its gross revenue from the sale of personal data.
The law carves out a number of industries and data types from the law, even if the entity meets the thresholds above. These carveouts include government agencies, financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to HIPAA, non-profit organizations, higher education institutions, and employee/job applicant data.
2. Summary of Consumer Rights
The VCDPA grants certain rights to Virginia residents, including:
- The right to know whether an entity is processing the consumer’s data;
- The right to access any personal data on the consumer that are held by the entity;
- The right to correct personal data held by the entity;
- The right to delete personal data held by the entity;
- The right to data portability;
- The right to opt out of processing of personal data for targeted advertising;
- The right to opt out of sale of personal data;
- The right to opt out of profiling using personal data to advance decisions that produce legal or similarly significant effects; and
- The right to appeal a business' denial to act on a consumer request under the VCDPA within a reasonable time.
These rights are significant because businesses need to have internal policies and procedures on how to search for relevant data, how/when to respond to consumer requests, and a means to submit requests. Importantly, consumers have the right to appeal a decision regarding a consumer’s request, and the VCDPA mandates that this appeal process be “conspicuously available and similar to the process for submitting requests to initiate action.” Businesses must also actively instruct consumers about how to escalate concerns to the Virginia Attorney General.
3. Data Use and Retention
The VCDPA places new limits on data collection to that which is "adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” This means that businesses should document the purpose of data collection and retention. Businesses should also dust off their record destruction and retention policies.
Importantly, certain types of data processing trigger obligations to conduct a data protection assessment, including:
- Processing personal data for targeted advertising;
- Sale of personal data;
- Processing personal data for profiling purposes where the profiling presents certain risks to the consumer (e.g., profiling that presents a reasonably foreseeable risk of unfair treatment, disparate impact, injury to consumers, or other impact on an individual’s privacy);
- Processing sensitive data for any purpose; and
- Processing of personal data that poses a heightened risk of harm to consumers.
This means that businesses should determine whether they are engaged in any of these processing activities and if so, develop policies and procedures for conducting and documenting the required assessments.
The VCDPA also requires companies to execute data processing agreements with vendors, which should address issues such as data processing instructions, limitations on the nature and purposes of processing, and the rights and obligations of the parties.
4. Data Security
The VCDPA requires companies to implement reasonable technical, physical, and administrative safeguards to protect personal data. Businesses should establish, implement, and maintain data security policies and procedures that take into account the type, format, and volume of personal data collected and maintained by the business.
The VCDPA requires businesses to provide a privacy notice that is accessible, clear, and provides meaningful information, including the information processed by the business, the purposes for processing, a description of the process by which consumers may exercise their rights as described above, the personal data shared with third parties, and the types of third parties with which personal information is shared. Businesses should take a hard look at their privacy notices and revise as necessary to meet the requirements of the law.
For more information about the VCDPA, or for assistance with your privacy compliance program, please contact the authors of this post or reach out to the entire Compliance Advisory team at PrivacyCompliance@lewisbrisbois.com. You can also subscribe to this blog to receive email alerts when new posts in this series are published.