Virginia’s Consumer Data Protection Act makes Virginia the second state to pass a comprehensive data privacy act. Here’s what you need to know about the new law.
While the country waits patiently for a national privacy law, states are beginning to pass their own versions. Virginia became the latest state in March when it passed a comprehensive data privacy law.
It’s not a secret that Americans want a national privacy law. Our National Privacy Survey found that 74% of Americans agreed “it’s about time” that America passed a federal privacy law.
Illinois was the first back in 2008 when it passed the Biometric Information Privacy Act. California made waves when its legislature passed the California Consumer Privacy Act in 2018, which was the strongest privacy legislation to date. Since then, states have started to follow their lead.
Virginia’s privacy move was highly significant because it was only the second state to pass a “comprehensive” privacy law. That law is known as the Consumer Data Protection Act.
What does the Virginia privacy law do?
Virginia’s Consumer Data Protection Act was based in part on the California Consumer Privacy Act, the European Union’s General Data Protection Regulation (GDPR) and the proposed Washington Privacy Act. The Washington bill has not become law.
The new law differs from the California data privacy act in one monumental way: it gives citizens no private right of action. Consumers cannot sue companies for violating it; enforcement is left entirely to the Virginia Attorney General.
California’s act does allow consumers to sue, although that right is limited to certain data breaches caused by a business’s failure to maintain reasonable security.
Virginia’s law does empower the state’s citizens to take back control of their personal data by empowering them to force companies to delete their personal information and stop selling it. It also forces companies to ask for permission to use, collect or sell sensitive information.
In short, the law allows citizens to “access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data for the purposes of targeted advertising.”
The law establishes five personal data rights.
- Right to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data
- Right to correct inaccuracies in the consumer’s personal data
- Right to delete personal data provided by or obtained about the consumer
- Right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and readily usable format
- Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The law also puts the burden on companies to protect personal data: controllers must establish and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of the personal data they hold against hackers and data breaches.
When does the Virginia Consumer Data Protection Act go into effect?
The CDPA goes into effect Jan. 1, 2023. This will give businesses roughly two years to straighten up their data privacy practices and get comfortable with the new law and responsibilities.
What do businesses need to know about Virginia’s data privacy law?
Businesses that receive an authenticated privacy request have 45 days to comply. They can extend that for an additional 45 days if it’s considered “reasonably necessary.”
Businesses also are required to be transparent and provide a “reasonably accessible, clear, and meaningful privacy notice” on their websites. Those notices must include information describing what data is being collected, why it’s being collected, who the business is sharing the data with and how consumers can exercise their rights, including opt-out and deletion requests.
The law also limits the scope of data businesses can collect: collection must be restricted to what is adequate, relevant and reasonably necessary for the purposes disclosed to the consumer.
Are all businesses and organizations affected?
In short, no. The Virginia privacy law completely exempts a number of organizations. Those include:
- Virginia state and local government organizations
- Financial institutions and data covered by the Gramm-Leach-Bliley Act (GLBA)
- Organizations subject to regulations under the Health Insurance Portability and Accountability Act (HIPAA)
- Institutions in higher education
What are the differences between the Virginia privacy law and California privacy law?
There is no doubt the general framework of the two privacy laws is similar. They aim to empower residents of their states by giving them more control over how companies can keep, use and sell their data.
There are a few differences between the two laws.
Under the CDPA, the law applies only to companies that do business in Virginia (or target products and services to Virginia residents) and meet one of two thresholds: the business or entity controls or processes the personal data of at least 100,000 consumers in a calendar year, or the company controls or processes the personal data of at least 25,000 consumers while also earning more than 50% of its gross revenue from the sale of personal data.
Those thresholds are tight and make the law much less universal than California’s, which also includes a revenue-based trigger. In California, a business with annual gross revenue above $25 million must follow the privacy law regardless of how many consumers’ data it handles.
Another major difference is how they treat “sensitive” data.
California uses an opt-out model: consumers can tell a company to stop selling their personal information after collection has already begun. Virginia uses an opt-in model for sensitive data: a company must obtain the consumer’s affirmative consent before it collects or processes sensitive data at all. Once that consent is given, Virginia’s law provides no separate opt-out specific to sensitive data; it is subject only to the same opt-out rights (targeted advertising, sale and profiling) as all other personal information.
The third biggest difference is how the two laws handle employment-related data. In California, personal data from job applications is exempt from privacy requests. Although it is exempt, companies must still state what they are collecting and why.
In Virginia, companies don’t have to comply with privacy requests related to employees or job applicants.
The bigger picture of privacy laws
The passage of the Consumer Data Protection Act in Virginia is a great step forward for data privacy in the United States. It adds to other laws, such as the CCPA, which give us more tools to help us prevent identity theft.
Many experts in the data privacy world see this as a sign the ball is starting to roll toward a future with a national data privacy law.
Other states that are currently working on their own versions of localized data privacy laws include Washington, New York, Texas, Minnesota, Utah, North Dakota and Oklahoma.