Virginia’s New Data Privacy Law

by Victoria Tollossa

  • Cybersecurity

How does the new data privacy law complicate privacy compliance?


On March 2, 2020, Virginia’s governor signed into law the Consumer Data Protection Act, which goes into effect on January 1, 2023.  This makes Virginia the second state to pass its own comprehensive data privacy law.  Several other states are working on their own privacy laws, including states with primarily Democratic governments (e.g., Washington), and Republican (e.g., Florida).

Unlike data breach notification laws, which passed state-by-state over 20 years, the state-level privacy laws differ significantly, making compliance for companies that operate nationwide much more difficult.

Who Does This Law Apply To?

The law’s reach is limited for now. The current version of the law applies to organizations that either (1) “control or process personal data” of at least 100,000 Virginia residents or (2) “control or process personal data” of at least 25,000 Virginia residents and derive more than 50 percent of gross revenue from the sale of personal data.

The law provides several exceptions from these two broad categories.  First, Virginia residents only count towards the thresholds if they are operating in “an individual or household context”; individuals operating in a commercial or employment context do not count.  Additional exceptions include, Virginia agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities, or business associates subject to the HIPAA, non-profits, and institutions of higher learning. Finally, some data is exempted as well, even if it is controlled or processed by organizations that do not qualify for the institution-level exemptions.

Privacy advocates are already calling this law the first step and are lobbying to increase its reach, similar to what happened in California.  This could include lowering the thresholds, eliminating institution-based exceptions, or including employees in the definition of “Consumer.”

The definition of “personal data” is much broader than the definition used in data breach notification statutes, going so far as to include website cookies.  So, companies that use ad-tracking cookies, allow consumers to log-in, or conduct similar operations are likely subject to the law.

What Does This Mean For Consumers?

The first operative section of the law provides consumers with a host of new rights.  Companies subject to the law that “determine the purpose of means of processing personal data”—“controllers” — must comply with authenticated requests from consumers seeking to exercise these rights.  How to authenticate such requests is not defined in the statute and will be subject to much discussion.

Consumers may seek to confirm if a controller is processing the consumer’s data, to which the consumer may also request access.  Consumers may seek to correct inaccuracies, “taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”  They may also request deletion of data and a portable version of the data to take elsewhere.

Controllers may opt to decline a consumer’s request, but the controller must provide an appeals process that includes a mechanism for the consumer to submit a complaint on the process to the Attorney General, who holds sole enforcement authority.

The mechanisms to implement these rights will be difficult for many controllers to implement, especially if the controller has significant amounts of unstructured data.  Organizations subject to California’s various privacy laws are currently dealing with similar issues.

What Else Must Controllers Do?

Controllers have obligations beyond meeting consumer requests.  These obligations include minimizing data collection, limiting data processing to “purposes that are compatible with the disclosed purposes”, implementing reasonable security practices, not discriminating based on the exercise of rights in the law (except for certain exceptions such as loyalty clubs), and obtaining opt-in consent for processing sensitive data.

Controllers must also provide an accessible, clear, and meaningful privacy notice that includes information on the types of information processed, the purpose for processing, how consumers may exercise their rights, categories of data shared with third parties, and the categories of third parties the controller shares data with.  The privacy notice must also include one or more secure means for consumers to submit the requests the law authorizes them to make.

Processors, defined under this law as any entity that processes personal data on behalf of a controller, have their own set of obligations, although the statute makes clear that controllers should include appropriate clauses in their contracts with processors to ensure compliance with the law.  Should an existing contract not contemplate these obligations, then the law will still compel performance.

Finally, controllers must conduct and document data protection assessments for certain processing activities.  These assessments must weigh the benefits from the processing against the potential risks to the rights of the consumer.  To add some weight to this requirement, the Attorney General may use a civil investigative demand to request any data protection assessment relevant to an investigation.  Versions of these assessments are required either explicitly or implicitly in other consumer privacy regimes, and although they seem similar to risk assessments, they do differ somewhat.

The Path Forward

Many companies will be subject to several privacy regimes, especially as other states pass their own privacy laws.  For many companies, it will be easier to build a compliance program that creates a greatest common denominator for all the privacy laws than validating the state of residence for any consumer and providing only the rights applicable for that state, especially for states that have differing privacy policy requirements.

Compliance programs for these laws require both process changes and technical solutions, which is why there is such a long time between passage and effective date.  Organizations subject to the processing thresholds, or ones that expect to grow to the thresholds in the next couple of years, should begin developing the processes now to ensure they can comply.  Some companies will wait to see if a federal law pre-empts the state laws, but this does not make a great deal of sense.  Much of the work done to comply with Virginia’s law will likely be applicable to any federal law.  Also, some companies waited for California’s privacy law to be pre-empted, and instead a more intrusive law was passed by ballot initiative, putting companies that waited in an even worse position.