Will Virginia Be the Next Domino to Fall in State Privacy Law?
As the Virginia Consumer Data Protection Act (H.B. 2307) heads to Governor Northam’s desk, it appears increasingly likely that Virginia will become the second state to enact a comprehensive consumer privacy law.
After overwhelmingly passing slightly different versions of the bill in late January and early February 2021, Virginia’s House of Delegates and Senate reconciled and passed a substitute, H.B. 2307, on February 19, 2021. This comes just three months after California voters dramatically changed the California privacy law landscape by approving the California Privacy Rights Act (CPRA), a set of numerous amendments to the California Consumer Privacy Act (CCPA) that will become operative on January 1, 2023. If enacted, H.B. 2307 will impose additional compliance obligations beyond the CCPA, even as amended by the CPRA. Moreover, Virginia’s passage of comprehensive privacy legislation may encourage other state legislatures to follow suit—all likely renewing the call for a federal consumer privacy law.
This alert provides an overview of the Virginia bill, with a focus on the areas in which it departs from the CCPA and/or CPRA. Like the CPRA’s substantive obligations, H.B. 2307, if enacted, would become operative on January 1, 2023.
Covered Businesses. H.B. 2307 would apply to any entity that conducts business in Virginia or produces products or services that are targeted to Virginia residents and that:
Unlike the CCPA and CPRA, H.B. 2307 does not include a standalone revenue threshold, whereby the law would apply to a business based solely on its annual revenue, regardless of the number of consumers whose personal data it processes.
More importantly—and similar to, for example, the EU GDPR—H.B. 2307 would distinguish between controllers (i.e., businesses that determine the purpose and means of processing personal data) and processors (i.e., businesses that process personal data on behalf of a controller), imposing distinct obligations on each. This is one area where the CCPA, even as amended by the CPRA, can be confusing and oddly structured.
Consumers. H.B. 2307 would define a “consumer” as a Virginia resident, but only to the extent that the individual is acting in an “individual or household context,” as distinct from acting in a “commercial or employment context.” This is a critical distinction because the definition of “consumer” functions as a complete exception for personal data collected in an employment or business-to-business context. By contrast, the CCPA provides only partial and temporary exceptions for data obtained in an employment or business-to-business context, both of which, as amended by the CPRA, will expire on January 1, 2023.
Personal Data. H.B. 2307 would define “personal data” simply as information linked or reasonably linkable to an identified or identifiable individual. Unlike the CCPA and CPRA, the definition does not include a delineated list of categories of personal data, nor does it cover information that is linkable to a household or device.
Sensitive Data. Similar to the CPRA, H.B. 2307 would define “sensitive data” to include, for example, personal data that reveal racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data used for unique identification purposes and precise geolocation data. As discussed below, H.B. 2307 would impose distinct obligations on the processing of sensitive data, including, for example, requiring that a controller obtain consent.
Sale. In a similar yet narrower fashion than the CCPA and CPRA, H.B. 2307 would define a “sale” as the disclosure of personal data for monetary consideration. In particular, H.B. 2307 does not include the CCPA/CPRA concept of disclosures for valuable, but non-monetary, consideration in the definition of a “sale.” In addition, H.B. 2307 would specifically clarify that certain disclosures of personal data are not “sales,” including the disclosure of personal data to processors and affiliates and the disclosure of personal data to third parties for purposes of providing a product or service that the consumer requested.
Similar to the CCPA, as amended by the CPRA, H.B. 2307 would give a Virginia resident the right to request that a controller:
In addition, H.B. 2307 would give a consumer the right to “opt out” not only from a controller’s “sale” of personal data, but also from the controller’s processing of personal data for targeted advertising or “profiling in furtherance of decisions that produce legal or similarly significant effects.”
Unlike the CCPA and CPRA, H.B. 2307 would provide Virginia residents with the right to appeal a controller’s denial of an individual rights request. In this regard, the Act would impose a corresponding obligation on controllers to establish a process for such appeals and make the process conspicuously available to consumers. In particular, a controller would be required to inform the individual in writing and within 60 days of receipt of an appeal of any action taken or not taken in response to the appeal. Of note, a controller that denies a consumer’s appeal would be required to provide the individual with an online mechanism or other method by which to contact the Virginia attorney general (AG) to submit a complaint.
In addition to privacy notice obligations that are similar to the CCPA and CPRA,[3] H.B. 2307 would impose a number of obligations on controllers that reflect a hybrid GDPR/California approach.
Like the CCPA and CPRA, H.B. 2307 would require that a processor assist a controller in meeting its obligations under the Act. In this regard, H.B. 2307 would require that there be a written contract between a controller and processor that governs the processing of personal data. Such contracts would have to include instructions for processing, the nature and purpose of processing, the type of data to be processed, and the duration of processing, as well as requirements that a processor:
General Exemptions. H.B. 2307 would exempt non-profit organizations and institutions of higher education (a sticking point that contributed to the failure of the Washington Privacy Act in 2020), as well as financial institutions “subject to” Title V of the Gramm-Leach-Bliley Act (GLBA) and covered entities and business associates “governed by” HIPAA.
H.B. 2307 also broadly exempts personal data created or maintained for purposes of certain federal laws, including HIPAA, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and the Driver’s Privacy Protection Act, among others.
Permitted Processing. H.B. 2307 would also clarify that it does not restrict a controller or processor’s ability to, among other things:
H.B. 2307 would provide the Virginia AG with exclusive authority to enforce the bill. This is similar to the enforcement structure for the CCPA and CPRA privacy provisions. However, H.B. 2307 would not provide a private right of action for its data security obligations, whereas the CCPA and CPRA permit California residents to sue following certain data security incidents.
H.B. 2307 would provide businesses with a 30-day period by which to cure alleged violations, upon receipt of notice of such violations from the AG. The CPRA, by contrast, will remove the CCPA’s 30-day cure period for AG actions. Ultimately, the AG would be authorized to seek civil penalties of up to $7,500 for each violation and injunctive relief to enforce the Act.
Governor Northam will have 30 days from the date that the Virginia legislature’s special session adjourns to sign or veto H.B. 2307.[4] If the governor takes no action, H.B. 2307 will become law without his signature.
We anticipate that H.B. 2307 will ultimately be enacted and become Virginia law. Moreover, upward of a dozen other states, including, of note, New York and Washington, are actively considering privacy bills. Although it remains to be seen how much traction the issue of privacy will have in the states in 2021, it seems likely that other states will follow California’s (and likely Virginia’s) lead. This would amplify the call for a federal privacy law that creates a national standard for privacy and avoids the development of a multistate patchwork of business obligations and consumer rights.
Please visit our CCPA Resource Center for more information on the evolving state consumer privacy landscape.
[1] H.B. 2307’s deletion right is broader than the corresponding right under the CCPA/CPRA in that it is not limited to personal data collected “from” the consumer and because the Act does not include exceptions to the deletion right specifically.
[2] Unlike the deletion right, H.B. 2307’s “access” right is narrower than the corresponding right under the CCPA/CPRA in that it is limited to personal data previously “provided” by the consumer, as opposed to personal data relating to the consumer.
[3] Unlike the CCPA and CPRA, however, H.B. 2307 does not require that a controller provide a notice at or before collecting personal data from a consumer.
[4] As a theoretical matter, in Virginia, the governor may also recommend one or more specific and severable amendments to a bill by returning it with his recommendation to the house in which it originated during the legislature’s “reconvened session,” scheduled to begin on March 17, 2021.