- Virginia law has steep statutory damages but no private right of action.
- The new privacy legislation gives consumers more control over the personal data that companies collect.
A second state has enacted sweeping privacy legislation that gives consumers more control over the personal data that companies collect. Though Virginia’s new Consumer Data Privacy Act (CDPA) does not provide consumers with a private right of action, failure to comply with its provisions may result in state enforcement actions and hefty fines. ABA Litigation Section leaders predict that litigators may be able to use the CDPA to consumers’ advantage in common law privacy actions and advise businesses to immediately begin assessing how they will comply with the new law before it goes into effect on January 1, 2023.
The CDPA provides consumers with the following rights with respect to their personal data: (1) confirm whether a business is processing it or has access to it; (2) correct inaccuracies; (3) ask the business to delete it; (4) opt out of the data being sold or used for targeted advertising; and (5) request a copy of the data. Businesses have 45 days to respond to those consumer requests and, if reasonably necessary, may extend that time period by an additional 45 days.
The statute applies to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth” who also meet one of the two following requirements during a calendar year: (1) control and process the personal data of at least 100,000 consumers, or (2) control and process the personal data of at least 25,000 consumers and derive at least 50 percent of their gross revenue from the sale of personal data. “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes any “de-identified data or publicly available information.”
Certain entities and types of data are exempt, though. Exempt entities include (1) Virginia public agencies, (2) financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA), (3) entities covered under the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH Act), (4) nonprofit organizations, and (5) higher education institutions. The statute also exempts certain categories of data, including employee and job applicant data, as well as information covered by other laws such as the GLBA, HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act.
Significantly, the CDPA does not define “persons who conduct business” or what it means to “target” products or services to Virginia residents. To determine whether they are “conducting business” in Virginia or targeting “products or services” to Virginia residents, Litigation Section leaders advise businesses to err on the side of caution and presume a broad definition. “If you are selling products or services to people in Virginia, if you have brick-and-mortar operations in Virginia, and if you know you are collecting information about Virginians, you are likely conducting business or targeting products or services in Virginia,” according to A. Sandy Bilus, Philadelphia, PA, cochair of the Section’s Privacy & Data Security Committee. “Even if you are not physically present in Virginia, if you are doing business there and you are subject to personal jurisdiction there, you are likely subject to the statutory requirements of the CDPA,” Bilus adds.
Once businesses determine they are subject to the CDPA, Section leaders suggest that it may take some time to build and implement appropriate compliance management systems in accordance with the CDPA’s provisions. “The CDPA is only a few pages long and does not go into effect until 2023, but its requirements are comprehensive, and businesses should immediately start devoting resources to complying with the law,” Bilus observes. “Businesses need to really dig in and figure out what data they’re collecting, what they’re doing with that data, and who they’re sharing the data with,” he counsels.
Figuring out what data a business collects, and from where and from whom, may be harder than it sounds, according to Section leaders. “Sometimes it’s a challenge to know where your product is, especially if your product is direct to consumer,” notes Steven M. Blickensderfer, Miami, FL, chair of the Website Subcommittee of the Section’s Privacy & Data Security Committee. “It can also be tricky for businesses to figure out whose data they have and where it is located,” he explains. “If businesses are unable to fully figure this out, the conservative approach is to assume that you’re collecting data from people in Virginia so that you can incorporate the unique requirements of the CDPA into your compliance program,” advises Blickensderfer.
The Virginia attorney general has the sole right to enforce the CDPA should a regulated business fail to comply with its terms. The law expressly states that none of its provisions should “be construed as providing the basis for” a “private right of action to violations of this chapter.” However, before the attorney general can bring an enforcement action, non-compliant businesses have 30 days to cure the violations. Otherwise, each violation can carry statutory damages of up to $7,500.
Section leaders also anticipate litigators will test the CDPA’s limitation on private rights of action. “Right or wrong, to get around the private right of action limitation, I expect to see arguments that there is a common law duty to keep personal data safe by virtue of the CDPA, among other things, and that a violation of the CDPA constitutes evidence that duty was breached,” predicts Blickensderfer. “We could also see claims that a violation of the CDPA constitutes an unfair trade practice or unfair competition. The boundary of that limitation is expected to be an area ripe for litigation, as is happening in class actions in California under the California Consumer Privacy Act,” Blickensderfer adds.
California and Virginia are the first two states to pass consumer personal data protections. A key difference is that consumers in California have a private right of action against businesses that violate its data privacy law. This reflects divergent attitudes towards enforcement, and it sets up two different frameworks for other states to choose from.
More than 20 states, including Washington and Florida, are in the process of drafting their own data privacy legislation, and each of those states will likely have unique provisions. The resulting patchwork of state laws will make legal compliance more difficult for businesses that operate in multiple states.
Section leaders predict that a federal data privacy law may be forthcoming to avoid the difficulties with state-by-state compliance. “A growing number of practitioners are hoping for a federal approach because there are now a number of states that are looking to comprehensively regulate data. To create uniformity, a federal law with a data privacy standard that preempts state laws may be appropriate,” states Blickensderfer. The main benefit to a federal law is that it would simplify data compliance processes for businesses and their legal teams, according to Section leaders. “As more and more states pass their own laws with slightly different requirements, the burden and cost of compliance goes up. To minimize this burden, one consistent federal law that applies across the board is preferred,” concludes Bilus.