Financial Institutions Exempt from New Virginia Privacy Law

While 2021 has been off to a hot start with many states considering privacy legislation similar to the California Consumer Privacy Act (“CCPA”), Virginia is the first to cross the finish line.  On March 2, 2021, Virginia Governor Northam signed into law H.B. 2307, the Virginia Consumer Data Protection Act (“VCDPA”), a comprehensive, generally applicable privacy law.  This is a significant development.  Since the CCPA was initially enacted in 2018, a burning question has been whether other states will follow California’s lead.  That question has been answered, at least initially, and now the question becomes whether Virginia will provide momentum for other states.  Despite its unquestioned significance, the VCDPA includes a broad Gramm-Leach-Bliley Act (“GLBA”) exemption, and the Act will not apply to financial institutions.

Effective January 1, 2023, the VCDPA will apply to companies that do business in Virginia or that target their products or services to Virginia residents and that, among other things, control or process “personal data” relating to at least 100,000 Virginia residents during a calendar year.  Moreover, the VCDPA will apply with respect to personal data that relates to individuals who are residents of Virginia to the extent that those individuals are acting in “an individual or household context,” but not to the extent that the individuals are acting in “a commercial or employment context.”

Similar to the CCPA, the VCDPA will create a number of privacy rights for Virginia residents (and corresponding obligations on businesses).  For example, the VCDPA will allow a Virginia resident to request that a covered entity that acts as a “controller”:  (1) confirm whether the entity is processing personal data about the individual; (2) provide the individual with access to such data; (3) correct inaccuracies in such data; (4) delete data “provided by or obtained about” the individual; (5) obtain a copy of the data that the individual “provided to” the entity; and (6) opt the individual out of the “sale” of personal data, the processing of personal data for “targeted advertising” or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”  Unlike the CCPA, the VCDPA will require that a controller create a process for a Virginia resident to appeal the controller’s refusal to take action on such a request.

The VCDPA includes other noteworthy differences from the CCPA.  For example, the VCDPA more clearly articulates the distinction between a “controller” and a “processor” and, in turn, imposes distinct obligations on controllers and processors.  In addition, the VCDPA will require that controllers conduct and document “data protection assessments” regarding certain activities (e.g., the processing of sensitive data).

Nonetheless, the VCDPA will not apply to financial institutions.  Specifically, the VCDPA provides that it “shall not apply to any . . . financial institutions or data subject to Title V of the federal” GLBA.  In this regard, the VCDPA’s GLBA exception is far broader than the CCPA’s GLBA exception, which is limited only to information subject to the GLBA.  That is, unlike the CCPA, the VCDPA provides not only a GLBA “information” exception, but also a GLBA “entity” exception.

In this regard, the GLBA applies to any “financial institution.”  For purposes of the GLBA, a “financial institution” is an institution the business of which is engaging in financial activities described in Section 4(k) of the Bank Holding Company Act.  This includes, among many others, banks, credit unions, insurance companies and investment companies and advisers.  See 15 U.S.C. § 6809(3)(A).  In particular, all entities that are considered financial institutions are “subject to” the GLBA.  Because all “financial institutions” are “subject to” the GLBA, any entity that would be considered a “financial institution” for purposes of the GLBA will not be subject to the VCDPA.

While the VCDPA’s enactment is a significant privacy development, for financial institutions, equally significant is the Act’s broad GLBA exemption and the fact that financial institutions will be exempt.