Second State Passes Consumer Data Privacy Act

The Scope of the CDPA

The statute applies to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth” who also meet one of the two following requirements during a calendar year: (1) control and process the personal data of at least 100,000 consumers, or (2) control and process the personal data of at least 25,000 consumers and derive at least 50 percent of their gross revenue from the sale of personal data. “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes it any “de-identified data or publicly available information.”

Certain entities and types of data are exempt, though. Exempt entities include (1) Virginia public agencies, (2) financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA), (3) entities covered under the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH Act), (4) nonprofit organizations, and (5) higher education institutions. The statute also exempts certain categories of data, including employee and job applicant data, as well as information covered by other laws such as the GLBA, HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act.

Significantly, the CDPA does not define “persons who conduct business” or what it means to “target” products or services to Virginia residents. To determine whether they are “conducting business” in Virginia or targeting “products or services” to Virginia residents, Litigation Section leaders advise businesses to err on the side of caution and presume a broad definition. “If you are selling products or services to people in Virginia, if you have brick-and-mortar operations in Virginia, and if you know you are collecting information about Virginians, you are likely conducting business or targeting products or services in Virginia,” according to A. Sandy Bilus, Philadelphia, PA, cochair of the Section’s Privacy & Data Security Committee. “Even if you are not physically present in Virginia, if you are doing business there and you are subject to personal jurisdiction there, you are likely subject to the statutory requirements of the CDPA,” Bilus adds.

Complying with the CDPA

Once businesses determine they are subject to the CDPA, Section leaders suggest that it may take some time to build and implement appropriate compliance management systems in accordance with the CDPA’s provisions. “The CDPA is only a few pages long and does not go into effect until 2023, but its requirements are comprehensive, and businesses should immediately start devoting resources to complying with the law,” Bilus observes. “Businesses need to really dig in and figure out what data they’re collecting, what they’re doing with that data, and who they’re sharing the data with,” he counsels.

Figuring out what data a business collects, and from where and from whom, may be harder than it sounds, according to Section leaders. “Sometimes it’s a challenge to know where your product is, especially if your product is direct to consumer,” notes Steven M. Blickensderfer, Miami, FL, chair of the Website Subcommittee of the Section’s Privacy & Data Security Committee. “It can also be tricky for businesses to figure out whose data they have and where it is located,” he explains. “If businesses are unable to fully figure this out, the conservative approach is to assume that you’re collecting data from people in Virginia so that you can incorporate the unique requirements of the CDPA into your compliance program,” advises Blickensderfer.

Private Right of Action Loophole?

The Virginia attorney general has the sole right to enforce the CDPA should a regulated business fail to comply with its terms. The law expressly states that none of its provisions should “be construed as providing the basis for” a “private right of action to violations of this chapter.” However, before the attorney general can bring an enforcement action, non-compliant businesses have 30 days to cure the violations. Otherwise, each violation can carry statutory damages of up to $7,500.

Section leaders also anticipate litigators will test the CDPA’s limitation on private rights of action. “Right or wrong, to get around the private right of action limitation, I expect to see arguments that there is a common law duty to keep personal data safe by virtue of the CDPA, among other things, and that a violation of the CDPA constitutes evidence that duty was breached,” predicts Blickensderfer. “We could also see claims that a violation of the CDPA constitutes an unfair trade practice or unfair competition. The boundary of that limitation is expected to be an area ripe for litigation, as is happening in class actions in California under the California Consumer Privacy Act,” Blickensderfer adds.

Consumer Data Privacy Across the Country

California and Virginia are the first two states to pass consumer personal data protections. A key difference is that consumers in California have a private right of action against businesses that violate its data privacy law. This reflects divergent attitudes towards enforcement, and it sets up two different frameworks for other states to choose from.

More than 20 states, including Washington and Florida, are in the process of drafting their own data privacy legislation, and each of those states will likely have unique provisions. The resulting patchwork of state laws will make legal compliance more difficult for businesses that operate in multiple states.

Federal Legislation Likely on the Horizon

Section leaders predict that a federal data privacy law may be forthcoming to avoid the difficulties with state-by-state compliance. “A growing number of practitioners are hoping for a federal approach because there are now a number of states that are looking to comprehensively regulate data. To create uniformity, a federal law with a data privacy standard that preempts state laws may be appropriate,” states Blickensderfer. The main benefit to a federal law is that it would simplify data compliance processes for businesses and their legal teams, according to Section leaders. “As more and more states pass their own laws with slightly different requirements, the burden and cost of compliance goes up. To minimize this burden, one consistent federal law that applies across the board is preferred,” concludes Bilus.

Hashtags: #consumers, #privacy, #dataprotection

Resources

• Virginia Consumer Data Privacy Act, S. 1392 (Feb. 4, 2021).
• Glenn A. Brown, “Virginia Set to Become the Second State to Enact Holistic Data Privacy Law,” Privacy & Data Sec. (Feb. 23, 2021).
• Christina M. Jordan, “As Demand for Consumer Data Increases, So Does the Need for Data Privacy Laws,” Litigation News (June 29, 2020).
• California Consumer Privacy Act of 2018.

_{Copyright © 2022, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).}