Archived: Virginia - Data Protection Overview

This is a simplified archive of the page at https://www.dataguidance.com/notes/virginia-data-protection-overview


March 2021

1. Governing Texts

On 2 March 2021, the Virginia State Governor signed into law the Consumer Data Protection Act ('CDPA'), which is due to enter into effect on 1 January 2023.

In addition to this, Virginia regulates privacy and data protection matters through the Personal Information Privacy Act, which restricts the sale of personal information of customers by merchants as well as the use of social security numbers. Moreover, Virginia's personal information breach notification law, under §18.2-186.6 of Article 5 of Chapter 6 of Title 18.2 of the Code of Virginia ('the Breach Notification Statute'), regulates breach notifications and provides for various requirements in this respect. Specific protections are applicable in relation to health, employment, and financial information, and the Virginia Telephone Privacy Protection Act outlines prohibitions for solicitation calls when a person has previously stated that they do not wish to receive the call.

1.1. Key acts, regulations, directives, bills

The CDPA regulates privacy and data protection matters in Virginia.

1.2. Guidelines

The Attorney General of Virginia ('AG') has not yet issued any guidance.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that (§59.1-572(A) of the CDPA):

  • during a calendar year, control or process personal data of at least 100,000 consumers; or
  • control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The CDPA does not apply to any body, authority, board, bureau, commission, district, or agency of Virginia or of any political subdivision of Virginia (§59.1-572(B) of the CDPA).

Moreover, the CDPA does not apply to non-profit organisations or institutions of higher education (§59.1-572(B) of the CDPA).

The CDPA also does not apply to (§59.1-572(B) of the CDPA):

2.2. Territorial scope

The CDPA applies to persons that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of Virginia (§59.1-572(A) of the CDPA).

2.3. Material scope

The CDPA applies to the personal data of individuals, which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information (§59.1-571).

The CDPA excludes certain data from its application, such as protected health information under HIPAA, certain health records, certain patient identifying information, as well as certain other data pertaining to a health context, financial context, or federal regulation, among others (§59.1-572(C) of the CDPA).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The AG is the regulator within Virginia. 

In addition, the CDPA provides for the creation of a working group to review the provisions of the CDPA and issues related to its implementation. The CDPA requires that the working group's findings, best practices, and recommendations regarding the implementation of the CDPA be submitted by the Chairman of the Joint Commission on Technology and Science to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation by 1 November 2021.

3.2. Main powers, duties and responsibilities

In accordance with §59.1-576(C) of the CDPA, the AG may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the AG, and may evaluate the assessment for compliance with the data controller responsibilities set forth in §59.1-574 of the CDPA.

In addition, §59.1-579 of the CDPA provides for investigative powers of the AG, whereby if the AG has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of the CDPA, the AG is empowered to issue a civil investigative demand. 

Under §59.1-580(A) of the CDPA, the AG also has exclusive authority to enforce the provisions of the CDPA.

4. Key Definitions

Data controller: The natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data (§59.1-571 of the CDPA).

Data processor: A natural or legal entity that processes personal data on behalf of a controller (§59.1-571 of the CDPA).

In relation to the concepts of data controller and data processor, the CDPA provides that determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. In this regard, a processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor (§59.1-575(D) of the CDPA).

Personal data: Any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information (§59.1-571 of the CDPA).

Sensitive data: A category of personal data that includes (§59.1-571 of the CDPA):

  • personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 
  • the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; 
  • the personal data collected from a known child; or 
  • precise geolocation data.

Health data: There is no express definition of 'health data'; however, the CDPA refers to 'protected health information', which has the same meaning as under HIPAA.

Under HIPAA, 'health information' means any information, whether oral or recorded in any form or medium, that (§1171(4) of HIPAA):

  • is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 
  • relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Biometric data: Data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. However, 'biometric data' does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA (§59.1-571 of the CDPA).

Pseudonymisation: 'Pseudonymous data' is defined as personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (§59.1-571 of the CDPA).

Data subject: A 'consumer' is defined as a natural person who is a resident of Virginia acting only in an individual or household context, but does not include a natural person acting in a commercial or employment context (§59.1-571 of the CDPA).

5. Legal Bases

5.1. Consent

Under §59.1-574(A)(2) of the CDPA, a data controller must not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent.

With respect to sensitive personal data, §59.1-574(A)(5) of the CDPA provides that a data controller must not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act of 1998 ('COPPA').

5.2. Contract with the data subject

Nothing in the CDPA can be construed to restrict a controller's or processor's ability to provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract (§59.1-578(A)(5) of the CDPA).

Similarly, §59.1-578(B)(4) of the CDPA provides that the obligations imposed on controllers or processors will not restrict their ability to collect, use, or retain data to perform internal operations that:

  • are reasonably aligned with the expectations of the consumer;
  • are reasonably anticipated based on the consumer's existing relationship with the controller; or 
  • are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

5.3. Legal obligations

Nothing in the CDPA must be construed to restrict a controller's or processor's ability to (§59.1-578(A)(1) to (3) of the CDPA):

  • comply with federal, state, or local laws, rules, or regulations; 
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; or
  • cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.

Moreover, §59.1-578(C) of the CDPA provides that the obligations imposed on controllers or processors will not apply where compliance by the controller or processor would violate an evidentiary privilege under the laws of Virginia. Nothing in the CDPA must be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of Virginia as part of a privileged communication.

5.4. Interests of the data subject

Nothing in the CDPA must be construed to restrict a controller's or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis (§59.1-578(A)(6) of the CDPA).

5.5. Public interest

Nothing in the CDPA must be construed to restrict a controller's or processor's ability to engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine (§59.1-578(A)(8) of the CDPA):

  • if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
  • the expected benefits of the research outweigh the privacy risks; and
  • if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

5.6. Legitimate interests of the data controller

Nothing in the CDPA must be construed to restrict a controller's or processor's ability to investigate, establish, exercise, prepare for, or defend legal claims (§59.1-578(A)(4) of the CDPA).

In addition, the obligations imposed on controllers or processors must not restrict their ability to collect, use, or retain data to (§59.1-578(B)(1) to (3) of the CDPA): 

  • conduct internal research to develop, improve, or repair products, services, or technology;
  • effectuate a product recall; or 
  • identify and repair technical errors that impair existing or intended functionality.

Additionally, §59.1-578(B)(4) of the CDPA provides, among other things, that the obligations imposed on controllers or processors will not restrict their ability to collect, use, or retain data to perform internal operations that:

  • are reasonably aligned with the expectations of the consumer; or
  • are reasonably anticipated based on the consumer's existing relationship with the controller.

5.7. Legal bases in other instances

No further information.

6. Principles

The CDPA provides for various data protection principles through their incorporation into legal provisions and requirements for controllers.

In this respect, §59.1-574(A)(1) of the CDPA provides for the principle of data minimisation, noting that a controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.

§59.1-574(A)(2) of the CDPA provides for the principle of purpose limitation, noting that a controller must not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent.

Data controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data (§59.1-574(A)(3) of the CDPA). 

Furthermore, controllers must comply with transparency obligations through the requirement to provide consumers with a privacy notice which details, among other things, categories of personal data processed, purpose for processing, or how consumer rights can be exercised (§59.1-574(C) of the CDPA). 

7. Controller and Processor Obligations

7.1. Data processing notification

The CDPA does not expressly provide for data processing notification requirements.

7.2. Data transfers

The CDPA does not expressly provide for requirements around data transfers.

7.3. Data processing records

The CDPA does not expressly provide for record-keeping requirements.

7.4. Data protection impact assessment

In accordance with §59.1-576 of the CDPA, data controllers must conduct and document data protection assessments. Specifically, such assessments are required for processing activities which involve (§59.1-576(A) of the CDPA):

  • the processing of personal data for purposes of targeted advertising; 
  • the sale of personal data; 
  • the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of, or unlawful disparate impact on, consumers; 
    • financial, physical, or reputational injury to consumers;
    • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or 
    • other substantial injury to consumers; 
  • the processing of sensitive data; and 
  • any processing activities involving personal data that present a heightened risk of harm to consumers.

Moreover, data protection assessments must be confidential, and must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. Controllers must also consider and factor in the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed (§59.1-576(B) of the CDPA).

The CDPA also notes that a single data protection assessment may address a comparable set of processing operations that include similar activities (§59.1-576(D) of the CDPA). In addition, data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may satisfy the requirements of §59.1-576 of the CDPA if the assessments have a reasonably comparable scope and effect (§59.1-576(E) of the CDPA).

Notably, data protection assessment requirements will apply to processing activities created or generated after 1 January 2023, when the CDPA will enter into effect, and are not retroactive (§59.1-576(F) of the CDPA).

7.5. Data protection officer appointment

The CDPA does not expressly provide for requirements regarding the appointment of a data protection officer.

7.6. Data breach notification

The CDPA does not provide for data breach notification requirements. However, §59.1-575(A)(2) of the CDPA notes that a data processor must assist the controller, which includes meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of the processor pursuant to the Breach Notification Statute (see the introduction section above).

7.7. Data retention

The CDPA does not expressly provide for data retention requirements. However, §59.1-575(B)(2) of the CDPA notes that within the context of controller and processor contracts, and at the controller's direction, a processor must delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

7.8. Children's data

Overarchingly, the CDPA notes that controllers and processors who comply with the verifiable parental consent requirements under COPPA will be deemed compliant with any obligation to obtain parental consent under the CDPA (§59.1-572(D) of the CDPA).

With respect to invoking consumer rights with respect to children, a known child's parent or legal guardian may invoke such consumer rights on behalf of the child (§59.1-573(A) of the CDPA).

With respect to the processing of sensitive data, §59.1-574(A)(5) of the CDPA provides that a controller must not process children's sensitive data without processing such data in accordance with COPPA.

A child is defined as any natural person younger than 13 years of age (§59.1-571 of the CDPA).

7.9. Special categories of personal data

The CDPA refers to 'sensitive data' and provides that controllers must not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA (§59.1-574(A)(5) of the CDPA).

7.10. Controller and processor contracts

In accordance with §59.1-575(A) of the CDPA, data processors must adhere to the instructions of a controller and assist the controller in meeting its obligations under the CDPA, where such assistance includes:

  • responding to consumer rights requests;
  • assisting the controller in meeting obligations in relation to the security of processing personal data and in relation to the notification of a breach of security of the system of the processor; and
  • providing necessary information to enable the controller to conduct and document data protection assessments.

To facilitate this, §59.1-575(B) of the CDPA provides that a contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller. Such a contract will be binding, and must clearly set forth:

  • instructions for processing data;
  • the nature and purpose of processing;
  • the type of data subject to processing;
  • the duration of processing; and 
  • the rights and obligations of both parties. 

The contract must also include requirements that the processor must (§59.1-575(B) of the CDPA): 

  • ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; 
  • at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; 
  • upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the CDPA; 
  • allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organisational measures in support of the obligations under the CDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments;
  • provide a report of such assessment to the controller upon request; and 
  • engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

8. Data Subject Rights

8.1. Right to be informed

In accordance with §59.1-574(C) of the CDPA, consumers must be informed through the provision of a privacy notice that includes:

  • the categories of personal data processed by the controller; 
  • the purpose for processing personal data; 
  • how consumers may exercise their consumer rights pursuant to §59.1-573 of the CDPA, including how a consumer may appeal a controller's decision with regard to the consumer's request; 
  • the categories of personal data that the controller shares with third parties, if any; and 
  • the categories of third parties, if any, with whom the controller shares personal data.

In addition, if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing (§59.1-574(D) of the CDPA).

8.2. Right to access

In accordance with §59.1-573(A)(1) of the CDPA, consumers have the right to confirm whether or not a controller is processing their personal data and to access such personal data.

8.3. Right to rectification

In accordance with §59.1-573(A)(2) of the CDPA, consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.

8.4. Right to erasure

In accordance with §59.1-573(A)(3) of the CDPA, consumers have the right to delete personal data provided by or obtained about the consumer.

8.5. Right to object/opt-out

In accordance with §59.1-573(A)(5) of the CDPA, consumers have the right to opt out of the processing of their personal data for purposes of:

  • targeted advertising;
  • the sale of personal data; or
  • profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The CDPA does not explicitly refer to the possibility of withdrawing consent.

8.6. Right to data portability

In accordance with §59.1-573(A)(4) of the CDPA, consumers have the right to obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

8.7. Right not to be subject to automated decision-making

In accordance with §59.1-573(A)(5) of the CDPA, consumers have the right to opt out of the processing of their personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

8.8. Other rights

In addition to the data subject rights outlined above, the CDPA also provides consumers with the right to appeal a controller's refusal to take action following a consumer's request to exercise their rights. As detailed in §59.1-573(C) of the CDPA, a controller must establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of such a decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action. Within 60 days of receipt of an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the AG to submit a complaint.

Furthermore, and more generally, under §59.1-574(A)(4) of the CDPA, controllers must not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Specifically, a controller must not discriminate against a consumer for exercising any of the consumer rights contained in the CDPA, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.

9. Penalties

The AG has exclusive authority to enforce the provisions of the CDPA. If a data controller or processor continues to violate the CDPA following the prescribed 30-day cure period, or breaches an express written statement provided to the AG, the AG may initiate an action in the name of Virginia and may seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation (§§59.1-580(B) to (C) of the CDPA).

In addition, the AG may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under the CDPA (§59.1-580(D) of the CDPA).

9.1. Enforcement decisions

Not applicable.