The Matrix

Requirements for Businesses under Virginia’s New Consumer Data Protection Act

With Governor Ralph Northam’s signature yesterday, the Consumer Data Protection Act (“CDPA”) became law, making Virginia the second state after California to enact a comprehensive privacy law (with apologies to Nevada, which also has passed more modest privacy legislation). Although similar in many respects to the California Consumer Privacy Act (“CCPA”), which was recently updated by the Consumer Privacy Rights Act (“CPRA”), the law contains terminology more consistent with the European Union’s General Data Protection Regulation (“GDPR”). 

In light of detailed requirements imposed on parties that control data, the CDPA will boost the importance of identifying and defining the roles and responsibilities of parties in data processing agreements.  The CDPA also will require companies to honor certain rights of Virginia consumers and conduct data protection assessments for some processing activities.

The CDPA goes into effect on January 1, 2023.  Notably, the law provides the Virginia Attorney General with exclusive enforcement authority.  The Attorney General may seek an injunction and civil penalties of up to $7,500 for each violation.

Who Must Comply with the CDPA?

The CDPA applies to businesses that: (1) control or process personal data of more than 100,000 Virginia residents acting in an individual and household context, as opposed to commercial or employment contexts, or (2) control or process personal data of at least 25,000 consumers and derive over 50% of revenue from the “sale” of personal data (as defined below).  The law excludes data collected in an employment or business-to-business context.  The law also does not apply to “financial institutions or data subject to” the Gramm-Leach-Bliley Act (“GLB”), or to “any covered entity or business associate governed by the privacy, security, and breach notification rule” of the Health Insurance Portability and Accountability Act (“HIPAA”), as well as non-profit entities and institutions of higher learning. The law further exempts a variety of information and data that is regulated by other federal laws, including the Fair Credit Reporting Act (“FCRA”) and the Federal Educational Rights and Privacy Act (“FERPA”).

Definition of Personal Data, De-Identified Data and Sensitive Data

Personal data under the CDPA means any information that is linked or reasonably associated to a natural person. Unlike the CCPA, the CDPA does not provide examples of categories of personal data. However, like the CCPA, the CDPA’s definition of personal data excludes de-identified data, which is defined similarly as data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such a person.  Similar to requirements contained in the CPRA updates to California law that go into effect in 2023, a party in control of de-identified data is required to:

  • take reasonable measures to ensure that the data cannot be associated with a natural person;
  • publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
  • contractually obligate any recipients of the de-identified data to comply with the Virginia law.

The CDPA also defines “pseudonymous data” as personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

The CDPA contains separate requirements for “sensitive data,” which includes:

  • personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • the personal data collected from a known child; or
  • precise geolocation data, which is defined as information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy below 1,750 feet.

The Controller and the Processor

The CDPA is largely structured by assigning responsibilities to “controllers” versus “processors,” terminology found in the GDPR.  Controllers are defined as entities that, alone or jointly with others, determine the purpose and means of processing information.  Processors are defined as entities that process personal data on behalf of a controller.  The law recognizes that determining whether a person is acting as a controller or processor with respect to the specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. 

Contractual Requirements

The CDPA requires that there be a contract between controllers and processors setting forth the instructions for processing data, the nature and purpose of processing, type of data subject to processing, the duration of processing, and the rights and obligations of both parties.  The contract should also include requirements that:

  • the processor ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • at the controller’s discretion, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; and
  • the processor shall allow, and contribute to, reasonable audits and inspections by the controller or the controller’s designated auditor; alternatively the processor may arrange for a qualified and independent auditor to conduct an audit of the processor’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and audit procedure for such audits.

Controller Obligations:

The CDPA imposes a variety of requirements on controllers, including mandating that controllers:

  • Minimize data: absent consent, limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
  • Data security: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data that are appropriate to the volume and nature of the personal data at issue;
  • Sensitive data: not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of processing sensitive data concerning a known child, without processing such data in accordance with the Children’s Online Privacy Protection Act (“COPPA”);
  • Privacy notice: provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
    • the categories of personal data processed by the controller,
    • the purpose for processing personal data,
    • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request,
    • the categories of personal data that the controller shares with third parties, if any,
    • the categories of third parties, if any, with whom the controller shares personal data,
    • clearly and conspicuously disclose personal data sold or processed for targeted advertising, as well as the manner in which a consumer may exercise the right to opt out of such processing, and
    • describe one or more secure and reliable means for consumers to submit a request to exercise their consumer rights, taking into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request;
  • Data protection assessments: conduct and document data protection assessments of each of the following processing activities involving personal data:
    • the processing of personal data for purposes of targeted advertising,
    • the sale of personal data, which is defined as the exchange of personal data for monetary consideration to a third party and includes a number of exceptions,
    • the processing of personal data for purposes of profiling – which means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements – where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers,
    • the processing of sensitive data, and
    • any processing activities involving personal data that present a heightened risk of harm to consumers.

The data protection assessments need to identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.  Notably, the Virginia Attorney General may request that a controller disclose any data protection assessment that is relevant to an investigation, and the controller must make the data protection assessment available to the Attorney General.  Data protection assessments are treated as confidential and exempt from public inspection and copying under the Virginia Freedom of Information Act.

  • Personal data rights: Controllers need to comply with an authenticated consumer request to exercise the right:
    • to confirm whether the controller is processing his personal data and to access such personal data,
    • to correct inaccuracies in his personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data,
    • to delete his personal data,
    • to obtain a copy of his personal data that he previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, and
    • to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The CDPA contains less prescriptive rules concerning personal data rights than the CCPA, and, unlike the CCPA, does not explicitly allow data rights requests to be submitted by an agent.  The law states that:

  • a controller must verify through “reasonable means” that the consumer seeking to exercise consumer rights is the same consumer exercising such consumer rights with respect to the personal data at issue,
  • controllers generally need to comply with a request by a consumer to exercise their consumer rights within 45 days of receiving a request, although the response period may be extended an additional 45 days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of any such extension within the initial 45-day response period, together with the reasons for the extension,
  • controllers generally cannot charge consumers for requests made up to twice annually, but can charge a reasonable fee to cover administrative costs if requests are manifestly unfounded, excessive and repetitive,
  • an authenticated consumer rights request does not need to be complied with:
    • if the consumer’s data is de-identified, the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, and the controller does not sell the personal data to any third party; or
    • with respect to pseudonymous data where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information,
  • if a controller is unable to fulfill the request using commercially reasonable efforts, the controller is not required to comply with a request and may request that the consumer provide additional information reasonably necessary to authenticate the request,
  • if a controller declines to take action regarding a consumer’s request, the controller must inform the consumer within 45 days of receipt of the request and provide instructions on how to appeal the decision, and
  • a controller must establish a conspicuous process for a consumer to appeal the controller’s refusal to take action on a request, and is required to inform the consumer in writing of any action taken or not taken in response to the appeal within 60 days of an appeal, providing a written explanation of the reasons for the decisions, along with identifying an email address or other online mechanism through which the consumer may contact the Attorney General to submit a complaint.

Processor obligations:

The CDPA imposes fewer obligations on processors than controllers, but processors still must:

  • Assist controllers with fulfilling controller’s obligations to respond to consumer rights requests, as discussed above;
  • Securely process personal data and comply with security breach notification requirements in order to meet controller’s obligations;
  • Allow, and contribute to, reasonable audits and inspections by the controller or the controller’s designated auditor;
  • Provide necessary information to enable the controller to conduct and document data protection assessments discussed above; and
  • Enter into, and comply with, the contract with controller discussed above.

Exceptions:

The CDPA provides for a number of exceptions to the obligations imposed on controllers or processors, including for:

  • conducting internal research to improve or repair products, services, or technology; and
  • performing internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

The law provides that, if a controller processes personal data pursuant to an exemption, the controller bears the burden of demonstrating that such processing qualifies for the exemption and that the processing otherwise is reasonably necessary and proportionate and limited to what is necessary.

The CDPA also states that it does not restrict a controller’s or processor’s ability to:

  • comply with federal, state, or local laws, rules or regulations;
  • comply with civil, criminal or regulatory inquiries, subpoenas or other government authorities;
  • investigate, prepare for, or defend legal claims;
  • provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract; and
  • prevent, detect, or respond to security incidents, identity theft, fraud, or any illegal activity.