THE PRIVACY TIDE FLOWS – AND THE OBLIGATIONS MUST FLOW DOWN
THE VIRGINIA CONSUMER DATA PROTECTION ACT AND ITS EFFECTS ON YOUR IT AGREEMENTS.
In early March, Governor Northam of Virginia signed into law the Virginia Consumer Data Protection Act (VCDPA). Effective January 1, 2023, this new Act will require businesses that do significant business in Virginia or produce products or services targeted to Virginia consumers to protect the data of those residents in various specified ways, unless they can claim an exemption under the Act. Virginia is the second state, after California, to enact comprehensive privacy legislation, though it’s likely to be far from the last. The VCDPA requires affected businesses to adopt specified privacy-protecting measures, give their customers certain rights, and provide specific notices to the public. It also expressly requires businesses’ agreements with IT providers who handle personal information to include specific obligations. Thus, over the next twenty months, it is critical for companies doing substantial business in Virginia to design, develop and implement or refine existing mechanisms required by the new law and to amend their affected supplier agreements even if they currently comply with the California Privacy Rights Act (CPRA), the California Consumer Protection Act (CCPA) and the EU’s General Data Protection Regulation (GDPR).
1. IS YOUR COMPANY AFFECTED?
If your company does substantial business, it is imperative that you determine whether the VCDPA applies to you. With limited exceptions, the VCDPA will apply to any entity that:
- does business in Virginia or produces products or services “targeted to” Virginia consumers; AND
- during a calendar year, “controls” or “processes” the personal data of at least 100,000 Virginia consumers; OR
- controls or processes the personal data of at least 25,000 Virginia consumers and derives over 50% of its income from the sale of personal data.
These are fairly high thresholds, and are obviously meant to capture larger businesses, not Mom-and-Pop operations. To figure out whether this definition applies to your company, and to clarify the obligations we’ll outline in a minute, a few more definitions are relevant:
- “Consumer” — A Virginia resident “acting only in an individual or household context.” So, you don’t have to count Virginia residents whose personal data is shared with you only in a “commercial” or employment context. For example, if you employ a Virginia resident but control or process their personal data only in that context you don’t need to count them for purposes of the threshold (and you don’t need to protect the employment-related data under the Act). The same goes for personal data you control or process solely in a B2B context. Note that this is different from California, in which employment and B2B data are currently exempted, but the exemption is set to expire at the end of 2022. It’s also unlike GDPR, which broadly applies to individuals.
- “Personal data” – Any information that is linked or “reasonably linkable” to an identified or identifiable natural individual. It doesn’t include “de-identified” data (i.e., which can’t reasonably be linked to a particular person) or publicly available information. Certain other kinds of information are carved out as well, such as protected health information under HIPAA, financial information subject to Gramm-Leach-Bliley (GLB), credit reporting information in accordance with federal law, and other similar categories. Certain organizations, such as financial institutions regulated by GLB-covered entities and business associates regulated by HIPAA, institutions of higher education, and non-profits, are exempted from the Act even if the information they process doesn’t fall within an exception.
- “Sensitive data” – A subset of personal data which includes (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship/immigration status; (ii) processing of genetic or biometric data for the purpose of uniquely identify the individual; (iii) personal data collected from a known child; or (iv) precise geolocation data. This is narrower than sensitive data under the CPRA.
- “Control” and “controller” – You “control” personal data (and are a “controller”) if you determine the purpose and means of processing the personal data, alone or jointly with someone else. On the other hand, you “process” personal data (and are a “processor”) if you perform any operation(s) on the data, including collecting, using, storing, disclosing, analyzing, deleting or modifying the personal data. This covers just about anything that can be done with data. So, you can be a controller, processor, or both, depending on what you do with the personal data. These terms are consistent with GDPR.
2. IF THE ACT APPLIES TO YOU, WHAT ARE YOUR OBLIGATIONS?
So you’ve figured out that the Act applies to your company. What must you do to comply? That depends on whether you are a controller or a processor as we defined them above.
- Obligations of a Controller of Data
Data controller obligations fall into two categories. One is to respond to consumer requests to exercise certain rights under the Act. The other includes a set of requirements affecting your collection, handling, and disclosure of personal data.
i. Consumer Rights and Responses to Consumer Requests
The data controller must comply with authenticated consumer requests to exercise any of the following rights:
- Right to Access: To confirm whether the controller is processing that consumer’s personal data, and to access that personal data.
- Right to Correct: To correct inaccuracies in the consumer’s personal data.
- Right to Delete: To delete the consumer’s personal data.
- Right to Obtain Copy: To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and usable format.
- Right to Opt Out: To opt out of the processing of that consumer’s personal data for the purposes of (i) targeted advertising; (ii) sale of the personal data; or (iii) profiling to make decisions that legally or otherwise significantly affect the consumer.
Unlike the CPRA (which applies to data collected after January 1, 2022), Virginia does not define how far back the consumer can go, creating uncertainties for your company’s data retention policies.
Some of these rights (especially the right to require the controller to delete personal data) are subject to certain exceptions. For example, the Act provides that nothing in it prevents the controller from complying with laws, subpoenas and the like, cooperating with law enforcement, protecting life and safety, and the like. It also expressly permits the retention of personal data for purposes of internal research, effectuating product recalls, identification and repair for technical errors or performance of internal operations that are reasonable given the consumer’s expectations or the relationship between the company and controller. This last one gives you considerable flexibility but must be handled with care.
If a consumer makes a request to exercise one of these rights, you must first determine whether the request is “authenticated” – which means to determine by reasonable means whether the consumer is who they say they are. California has detailed regulations on what this means, but Virginia gives the business more discretion.
If it is, you must respond within 45 days, though with notice to the consumer you can extend this period by another 45 days “when reasonably necessary” because of the complexity or number of the consumer’s requests. This is generally consistent with California requirements.
If you decline to respond you must so inform the consumer within the 45-day period and tell the consumer the reason for declining the request. You must also have in place, and inform the consumer of, a mechanism within your organization for the consumer to appeal the decision not to comply with the request, and if the request is denied on appeal, with a mechanism to complain to the Virginia Attorney General.
You must respond to two requests per year free of charge. For truly abusive requests you may charge a reasonable fee to cover your cost, but you have the burden of proving the request is “manifestly unfounded, excessive, or repetitive.”
ii. General controller requirements
In addition, if you are a controller, on top of your obligations to respond to consumer requests, you must also comply with certain ongoing duties.
- Minimize Data Collected: You must limit your collection of personal data to what is “adequate, relevant, and reasonably necessary” to meet the purposes for which it is processed, as disclosed to the consumer. This is consistent with the GDPR and CPRA.
- Restrictions on Use: Except for a handful of enumerated exceptions, you must not process data for purposes not reasonably necessary to or compatible with the purposes disclosed to the consumer.
- Reasonable Security: You must establish and maintain reasonable security administrative, technical, and physical security practices.
- No Discrimination: You must not process personal data in violation of federal or state antidiscrimination laws. You also must not discriminate against consumers for exercising their rights under the Act, though you may offer consumers certain incentives – such as price breaks, enhanced features, discounts, freebies, loyalty points and the like – for not exercising their rights to opt out of targeted advertising, sale, or profiling.
- Opt-In for Sensitive Data: You must obtain the express consent of the consumer to the processing of sensitive data. Consent must be “freely give, specific, informed, and unambiguous.”
You must also provide a clear, meaningful and accessible privacy notice that includes (i) the categories of personal data you process; (ii) the purposes for which the processing is done; (iii) the procedures for exercising the consumer rights we listed earlier; (iv) the categories of personal data you share with third parties; and (v) the categories of third parties with whom you share personal data.
If you sell personal data, or process it for targeted advertising, you must clearly and conspicuously disclose that you do so, and must also disclose how the customer can opt-out. Note that in Virginia, a “sale” only occurs if money changes hands, unlike California, where any valuable non-monetary consideration also suffices.
For any processing activity related to sensitive data, targeted advertising, sale of personal data, or profiling that creates a significant reasonably foreseeable risk of harm or a heightened risk of harm to consumers that you create or generate on or after January 1, 2023, you must conduct and document a data protection assessment that satisfies specified requirements. The Virginia Attorney General has the power to require companies to turn over these assessments, though they are protected from public disclosure under the state’s FOIA.
Finally, you must follow certain requirements regarding de-identified data, including taking reasonable measures to ensure that it cannot be identified with a specific person, not attempting to so identify it, and contractually requiring anyone with whom you share it to comply with the Act regarding such data. Of course, if data is de-identified, you aren’t required to re-identify it for purposes of complying with consumer requests.
iii. Controller obligations regarding processor contract
If you retain a third party to process personal data for you, you will remain the controller of the personal data, but the third party will be the processor. In this scenario, you MUST enter into a written contract with the processor that does the following:
- Clearly sets forth instructions for processing the personal data, as well as the nature and purpose of the processing, the type of data to be processed, the duration of processing, and the rights and obligations of both parties;
- Requires the processor to ensure that each person processing personal data is subject to a duty of confidentiality;
- Requires the processor to delete or return all personal data to the controller when the processor stops providing services, except where the processor is required by law to retain the personal data;
- Requires the processor to make available to the controller upon request all information in its possession to necessary to demonstrate the processor’s compliance with the Act;
- Cooperate with reasonable assessments by the controller or its assessor. Here, the processor may instead obtain its own third party assessment using industry standard controls and standards (g., SOC reports) and provide the third party report to the controller; and
- Engage any subcontractor pursuant to a written contract the requires the subcontractor to meet the processor’s obligations.
b. Obligations of a Processor of Data
In addition to its obligations under its contract with the controller, a processor must:
- Comply with the instructions of the controller; and
- Assist the controller in complying with the controller’s obligations under the Act, such assistance to include:
- fulfillment of consumer requests to exercise their rights by appropriate technical and organizational measures;
- meeting the controller’s obligations with regard to the security of personal data and its legal obligations under state law to notify consumers of security breaches; and
- providing necessary information to enable the controller to carry out its own data protection assessments.
3. ENFORCEMENT AND PENALTIES
Unlike the California Act and like the GDPR, the VCDPA doesn’t give private parties the right to sue for non-compliance (in certain circumstances). Instead, enforcement powers are given only to the Virginia Attorney General. Any such enforcement action must commence with a notice to the affected controller or processor of the alleged violations. If, within 30 days, the controller or processor cures the noticed violation and provides the Attorney General with an express written statement that the violations have been cured and will not recur, the action will not proceed. Failing such notice, or if the controller or processor continues to violate the Act despite such notice, the Attorney General may institute a court action to recover a penalty of up to $7500 per violation, as well as an injunction against further violations. The Attorney General may also recover its expenses incurred in investigating and preparing the case, including attorney’s fees.
4. YOUR ACTION ITEMS
So, what should you do next?
First, determine whether you meet the threshold to be covered by the Act as we discussed earlier. If so, by the end of 2022 you’ll need to set up internal procedures for dealing with consumer requests and complying with the Act’s other requirements, as well as assuring that your security procedures are adequate to meet the Act’s requirements. You’ll also need to draft and post on your website consumer disclosures as required by the Act.
In addition, you’ll need to examine all your contracts with entities which handle or collect personal data on your behalf – and most likely amend them to satisfy the requirements the Act imposes on processor contracts, as well as to assure the processor’s other obligations to you are met.
Please stay tuned. We’ve focused on the VCDPA as it now stands. But it is likely to be tweaked, and perhaps changed, in the January 2022 session of the Virginia General Assembly. The VCDPA created a working group including the Attorney General, Secretary of Commerce, representatives of businesses subject to the Act and consumer rights advocates to consider the implications of implementing the Act and to submit recommendations on implementation and best practices by November 1, 2021.