Virginia Joins California and Nevada in Passing its Consumer Privacy Act
California tends to be on the forefront in consumer privacy laws within the United States. However, there is a growing momentum for other states to join California in legislating consumer privacy rights, as well as pushes for federal legislation. The latest state to join in and pass consumer privacy legislation is Virginia, with its Virginia Consumer Data Protection Act (VCDPA). With Virginia joining the fray, several questions arise, such as how closely does the VCDPA follow California's legislation? How, if at all, does it differ from already-existing legislation? What do businesses need to comply with the VCDPA, if at all?
WHAT IS THE VIRGINIA CONSUMER DATA PROTECTION ACT?
The VCDPA largely mimics elements from its Californian cousins, the California Consumer Privacy Act (CCPA) as modified by the California Privacy Rights Act (CPRA). The main features of the law include: (a) issuing the right to request what information is collected; (b) the right to correct information provided; (c) the right to deletion; (d) providing notice to consumers regarding the collection of their data; and (e) protecting consumer data. Further, the consumer requests, akin to the CCPA, do require verification, and similarly phrased data security practices that rely on how "reasonable" they are, depending on the volume and type of information at issue. Though, the VCDPA does expand on this slightly, requiring "data protection assessments" to determine the security of protected information, how it is shared and used, the benefits in sharing the information and harm resulting from any breaches.
Unlike the CCPA, the VCDPA does not extend to nearly as many entities as the CCPA does, limiting the businesses subject to the VCDPA to entities that collect the information of 100,000 consumers, though entities that collect the information of 25,000 consumers may be subject to the VCDPA if they derive half or more of their gross revenue from the sale of personal information. Furthermore, the number of consumers explicitly excludes individuals engaging in business to business transactions, or those seeking employment. For comparison's sake, this means that unlike the CCPA, (a) the gross revenues of the business do not matter, but rather, the collection of consumers matters; (b) even if 50% or more of the business's income is due to the sale of personal information it may not be subject to the VCDPA if the business does not collect from over 25,000 consumers; and (c) the amount of consumers counted is lower, as the VCDPA explicitly does not count those acting in context of employment or commercial contexts, and only those acting in the context of being an individual or a household.
If you do business in Virginia, you need to familiarize yourself with the new law, and what it means for your business. However, for those who are already subject to and in compliance with the CCPA, minimal action is needed to abide by the VCDPA. Preparation and education truly are the best remedy, especially as these laws seem to be taking inspiration from one another. Further, even those requirements like "data protection assessments," which were not formally required under the CCPA, may have been done informally as part of data mapping and other preparation actions in order to issue timely responses to consumer requests, meaning such measures and actions can be used to comply with the VCDPA. Failure to comply with the VCDPA does carry a penalty up to $7,500 per violation, as well as "reasonable expenses" incurred by the Virginia Attorney General to enforce the law, which could exponentially increase costs to any violation.
HOW NEWMEYER DILLION CAN HELP
Newmeyer Dillion can provide advice on existing CCPA compliance policies, help revise CCPA compliance policies to conform to the CPRA, help regarding VCDPA compliance, help implement new cybersecurity policies to comply with the CPRA, and provide updates to CPRA-required notices and privacy policies. California has a history of being at the forefront of policy developments that expand internally and spread to other states, therefore, the CPRA may serve as a template for similar laws in other states.
Our Data Privacy & Security Task Force attorneys are available for consultation by contacting our office at 949-854-7000.