Virginia Governor Signs Consumer Privacy Law




Gov. Ralph Northam recently signed the Virginia Consumer Data Protection Act (CDPA), which will give consumers certain rights to control how their personal data is used beginning Jan. 1, 2023.  

Virginia is the second state to pass a comprehensive data privacy law, following California. Notably, however, Virginia's legislation has a carve-out for information collected in the employment context, whereas California's law applies to some employment data.

We've rounded up resources and articles from SHRM Online and other trusted outlets on the news.

Covered Businesses and Personal Data

The CDPA will apply to entities that conduct business in Virginia or target products and services to Virginia residents and either:

  • Control or process the personal data of at least 100,000 consumers.
  • Process the personal data of at least 25,000 consumers and derive more than 50 percent of their gross revenue from selling personal data.

Personal data is broadly defined to include "any information that is linked or reasonably linkable to an identified or identifiable natural person." The CDPA excludes "de-identified data or publicly available information." A covered consumer means a Virginia resident "acting only in an individual or household context"; the term "does not include a natural person acting in a commercial or employment context."

(The National Law Review)

Additional Exemptions

The CDPA specifies that certain entities and data are exempt from coverage. The following entities are excluded from coverage:

  • A body, authority, board, bureau, commission, district or agency of Virginia, or any political subdivision of Virginia.
  • Any financial institution or data covered by the Gramm-Leach-Bliley Act (GLBA).
  • Entities that are subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.
  • Nonprofit organizations.
  • Higher-education institutions.

In addition to specific employee and job-applicant data, 14 categories of data are exempt from the CDPA's coverage, including certain information regulated by the GLBA, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act.

(International Association of Privacy Professionals)

Data Privacy Rights

Virginia's law was modeled after California's laws and the European Union General Data Protection Regulation. Virginia's law provides expansive consumer privacy rights, such as the right to access, right of rectification, right to delete, right to opt out, right of portability and right against automatic decision-making. The act includes a broad definition of "personal information," a "sensitive data" category, and data-protection assessment requirements for businesses that control the data.

Consumers don't have the right to bring a private lawsuit for violations of the act. Instead, the Virginia attorney general's office will enforce the law. Entities will have the opportunity to cure violations or face a fine of $7,500 per violation.

(Jackson Lewis)

California Compliance

While Virginia's new law doesn't apply to the employment context, the California Consumer Privacy Act (CCPA) covers data collected from job applicants and employees. Since Jan. 1, 2020, covered employers must provide notice to employees, job applicants and independent contractors when collecting their personal information for employment, recruitment and contracting purposes. The CCPA has been amended several times. Most recently, in November 2020, voters passed Proposition 24—the California Privacy Rights Act (CPRA)—which created the California Privacy Protection Agency to implement and enforce the law. Many requirements under the CPRA related to employee and job-applicant data will take effect on Jan. 1, 2023, but the act has a 12-month "look-back" provision.

(SHRM Online)

More States May Follow

New Jersey, Utah, Washington and other states are also considering privacy legislation, which could put pressure on federal lawmakers to pass a nationwide data privacy act. As more state laws are passed, businesses in the tech industry may push for a federal law so they don't have to comply with a patchwork of regulations.

(The Washington Post)
