Key point: Virginia moves closer to enacting consumer privacy legislation.
On January 29, 2021, the Virginia House of Delegates passed HB2307, the Virginia Consumer Data Protection Act (Act) in an 89 to 9 vote. The Act now sits with the Senate Committee on General Laws and Technology. A companion bill, SB 1392, already passed the Senate Committee on General Laws and Technology on January 27, 2021.
According to the Virginia General Assembly Session Calendar, Friday, February 5 is the deadline for each house to complete work on its own legislation, except for the budget bill. The Assembly will adjourn on February 11.
Below is a brief overview of the Act. In addition, on February 17, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country. To register, click here.
Many thanks to Amy Miller, Senior Reporter, Privacy and Data Security at MLEX Market Insight for alerting us to this development.
The following analysis is based on the version of HB2307 that the House passed, which is available here. In general, the Act is based on the version of the Washington Privacy Act that was proposed earlier this year in the Washington Senate. However, it has been modified in many ways to make it more business friendly.
As currently drafted, the Act would apply to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” The absence of a revenue threshold, such as the $25,000,000 annual gross revenue threshold in the California Consumer Privacy Act (CCPA), combined with the 100,000-consumer threshold, means that the Act would likely apply to far fewer businesses than the CCPA.
The Act defines “consumer” to be “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.”
The Act contains numerous exemptions, including exemptions for HIPAA covered entities and business associates, nonprofits, higher education institutions, and “financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.)”. GLBA financial institutions will note that the Act would provide an entity-level exemption, which is broader than the CCPA’s data-specific exemption.
The Act also exempts certain data sets such as HIPAA personal health information, personal data regulated by FERPA, employment-related data, and certain types of data regulated by the FCRA. In total, the Act lists 14 types of data sets that are exempt from its provisions.
The Act defines “personal data” broadly to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person.” However, it excludes de-identified and publicly available information under the definition.
The Act would provide Virginia residents with the rights to:
- confirm whether or not a controller is processing the consumer’s personal data and to access such personal data;
- correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
- delete personal data provided by or obtained about the consumer;
- obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
- opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers would have 45 days to respond to a consumer request.
In another contrast with the CCPA, “sale of personal data” is defined as “the exchange of personal data for monetary consideration by the controller to a third party.” The definition does not include the phrase “other monetary consideration” as does the CCPA’s definition of “sale.” The Act also excludes the following disclosures from its definition of sale:
- The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
- The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- The disclosure or transfer of personal data to an affiliate of the controller;
- The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or
- The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
The Act provides that controllers must limit their data collection to data that is relevant and reasonably necessary, not process data for incompatible purposes without consent, implement reasonable security practices to protect the data, not discriminate against a consumer for exercising their privacy rights, and not process sensitive data without consent.
Sensitive data is defined as “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; . . . [t]he processing of genetic or biometric data for the purpose of uniquely identifying a natural person; . . . [t]he personal data collected from a known child; or . . . [p]recise geolocation data.”
Controllers also would be required to provide consumers with privacy notices that disclose basic information such as the categories of personal data collected, the purpose for the collection and how consumers can exercise their rights.
Data Processing Agreements
The Act requires controllers to enter into data processing agreements with data processors that: (1) set forth instructions for processing personal data, including the nature and purpose of processing; (2) identify the type of data subject to processing, the duration of processing, and the rights and obligations of both parties; and (3) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data. The agreements also would need to require data processors to delete or return personal data at the conclusion of the service, cooperate with assessments, and contractually pass down these obligations to subcontractors.
Data Protection Assessments
In addition, the Act requires controllers to conduct data protection assessments for processing that involves targeted advertising, the sale of data, certain profiling activities, sensitive data, and any processing that presents a heightened risk of harm to consumers.
The Act contains over a page of exemptions, including that it would not limit a controller or processor’s ability to comply with federal or state law, cooperate with law enforcement, defend legal claims, provide a product or service requested by the consumer, perform a contract with the consumer, and prevent or detect security incidents. It also would not prohibit controllers and processors from performing “internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.”
The Virginia Attorney General’s office would enforce the law exclusively. The office would need to provide 30 days’ notice of any violation and allow the controller or processor to cure it. If the violation remains uncured, the office could file an action seeking $7,500 per violation.
If passed, the Act would become effective January 1, 2023.