Virginia Enacts New Data Privacy Law

On March 2, 2021, Virginia Governor Ralph Northam signed the Commonwealth’s first comprehensive data privacy law, the Consumer Data Protection Act, making Virginia the second state, after California, to do so. California’s Consumer Privacy Act, (CCPA) amended by voter referendum in November 2020 as the California Privacy Rights Act (CPRA), represented the first such data privacy law in the United States. The law will go into effect January 1, 2023.

In general, data privacy in the United States is a patchwork quilt of federal, state and local laws and regulations that typically protect data based on the residence of the data subject, the type of data collected and the entity that has collected it, as well as whatever notices or consents the data subject may have agreed to. Thus, health information or financial information may – or may not – be protected from disclosure depending on who has collected it and for what purpose. In Europe and other foreign jurisdictions, however, the approach to data privacy is more comprehensive; assuming that consumers have a general human right to data privacy, and requiring entities that collect, store, process or use people’s personal information (and sensitive personal information like health care records, financial, religious or political information) generally to state the nature of the information being collected, and only permitting that data to be used for the purpose for which it has been collected – and only then if such collection is objectively reasonable. The approach adopted by California is generally in conformity with the European model, albeit significantly less restrictive in Europe.

Virginia’s new law requires companies collecting data about Virginia residents to advise them of what data is being collected, and to provide them with a meaningful opportunity to “opt out” of having their data collected and sold. The law, like that in California and Europe, limits the authority of those within its ambit to collecting consumer data which is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” Once the data is collected, the company can only process the data for purposes that are “reasonably necessary” or “compatible with” the reasons that the entity told the consumer they were collecting the data – although other use or processing may be done with the consumer’s consent.

As with other general privacy laws, the law also gives Virginians the rights of transparency and data accuracy — to see what data has been collected and to have incorrect information deleted or corrected — much the same way people can access their credit reports and request correction of inaccurate information. The law also protects “data portability” — the right to download the data collected if this is reasonably technically feasible. Unlike the California law, the Virginia statute does not create a “private right of action,” but instead empowers the Virginia Attorney General to prosecute violations as consumer protection violations. If the AG initiates an enforcement action, they must notify the data controller who has 30 days to certify that the violation has been corrected or face fines of $7,500 per violation.

Unlike its California counterpart, the Virginia law only relates to companies that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that control or process the personal data of either (1) at least 100,000 consumers [during a calendar year]; or (2) at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data, which is twice the threshold for coverage than the law’s California counterpart and lacks California “catchall” provision for high-revenue companies that don’t meet those personal data thresholds. The Virginia law defines “consumer” to mean someone acting in their personal or “household” context, exempting employee or vendor data from privacy protection. Personal data is “sold” under the Virginia law when it is exchanged “for monetary compensation” and not, as in California, if it is exchanged for something other than money, and excludes from the definition of “sale” transfers to certain data processors, third-party servicers, affiliates, or entities necessary to fulfill the consumer’s demands or requests.

Not protected is information that the consumer has made available without restriction to the general public (via a mass media channel), or information that is lawfully available through federal, state, or local government records.

The Virginia law not only exempts “public” information, but also exempts personal data that is otherwise regulated by specific federal laws, including educational records under FERPA, financial records under GLBA, credit reports and related data under the Fair Credit Reporting Act, driver’s license information under the Driver’s Privacy Protection Act and data protected under the Farm Credit Act, as well as certain specific employee and job applicant data. The Virginia law also exempts from its coverage certain entities, such as Virginia government entities, financial institutions regulated by GLBA, health care providers under HIPAA/HITECH, colleges and universities covered by FERPA and nonprofit institutions. Significantly, the entity exemptions exempt the described entities and not just the data that is otherwise protected by law.

In addition to the “opt out” on sharing provisions, the Virginia law also requires consumers to affirmatively “opt in” to the collection of certain types of “sensitive personal information” such as location data, genetic data or certain ethnic data.

Like other data privacy laws, the Virginia law requires companies covered to have reasonable data privacy policies and data security programs, including a requirement that companies regularly conduct and effectively respond to “data protection assessments,” and that they ensure that they have agreements with third parties with which they share data that “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties” with certain statutorily required language in such agreements. Companies also are required to have readable and understandable consumer personal data privacy policies, although the statute does not state how these must be disseminated.

While other states have laws that require notification of breaches or certain personal information, and states like Nevada and Maine require the protection of certain personal information, there is no comprehensive federal data protection law. Other states, like Washington, New Jersey, Utah Minnesota, Illinois, Iowa, Maryland, New York, and South Carolina are all considering privacy legislation.

From a regulatory perspective, this means that companies that do business in Virginia, or with Virginia residents, will have to develop comprehensive data protection regimes, and engage in “data mapping” so they know exactly what data they have collected about consumers and where it is. They will also have to track how they are using it, with whom they are sharing it, how it is being protected and whether it is accurate. If they have obtained consent to collect the data through an online or other privacy policy, good practices dictate that they know precisely what they can — and cannot — do with the data. Finally, of course, if there is a stronger or more comprehensive data privacy law applicable to the data (including federal laws or international laws) a data collector will have to comply with the stronger law.

While the new law was welcomed by companies like Amazon, which is opening a second corporate headquarters in northern Virginia, the “state by state” approach to regulating online data collection presents challenges to companies which have customer relationship management (CRM) programs or which collect personal data. Ultimately, a reasonable, comprehensive federal data privacy law – and one which subsumes state laws – may prove less unwieldy for companies that do business across state lines. Until then, companies will have to keep abreast of various state privacy laws, and develop procedures for compliance with each.

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark