Growing Trend of State-level Privacy Laws
The VCDPA is now the first broad state-level privacy law enacted since California’s CCPA. However, it is just the latest in the ongoing push among states to pass their own privacy legislation, spurred by the absence of any federal privacy legislation on par with the EU’s GDPR. It remains to be seen whether the resulting patchwork of state laws can effectively substitute for a comprehensive federal privacy law. As a sign that it may not, the VCDPA’s enforcement mechanisms invite concern that the law may not be tough enough to meaningfully change company behavior.
Numerous CCPA & GDPR Similarities, Some New Features
The VCDPA borrows many of the same key principles as California’s CCPA and the European Union’s GDPR. For example, it relies on a similarly expansive definition of personal data that includes any data or information that can be linked to an “identified or identifiable natural person” and carves out sanitized de-identified data. It also contains a similar bill of individual rights that includes the right to:
- know what personal data is being processed;
- correct or delete that data;
- obtain a portable copy of personal data;
- opt-out from having your personal data sold.
The VCDPA is applicable to any company that does business in Virginia or serves Virginia consumers (defined as natural persons residing in Virginia and acting in a non-commercial and non-employment capacity) and processes over 100,000 consumers’ data. This figure decreases to 25,000 consumers if a company earns over 50% of its gross revenue from selling personal data. This is similar to the CCPA’s standard of 50,000 consumers or 50% of revenue from selling personal data. However, while the CCPA has a monetary trigger that brings any company with gross revenue of at least $25 million under its purview, the VCDPA has no monetary trigger, which will allow some companies earning over $25 million to avoid compliance.
The VCDPA also requires a person’s affirmative consent (known as an “opt-in”) before a company can process sensitive data. Under the VCDPA, sensitive data is defined as data showing racial or ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, immigration status, genetic or biometric data, data collected from minors, and precise geolocation data. In contrast to the CCPA, a person’s opt-in under the VCDPA is required regardless of whether personal data is being sold.
A novel feature under the VCDPA is the requirement that controllers conduct a precautionary data protection assessment of any IT systems processing personal data for targeted advertising, sale of personal data, or consumer profiling, and of systems containing sensitive personal data or data that might cause a heightened risk of harm to the consumer. These assessments will add another layer of defenses to help protect against the ever-intensifying efforts of cybercriminals.
Light-Touch Enforcement & Penalties for Opt-Outs
The VCDPA departs significantly from the CCPA’s formula for privacy regulation by not including any private right of action. Under the VCDPA, individual consumers who have been harmed by non-compliance will not be able to personally sue for civil damages. Instead, the law will be enforced exclusively by the Virginia attorney general’s office, which will have the power to levy fines of up to $7,500 per violation. But as under the CCPA, offenders can cure any violations during a 30-day period to avoid paying a fine.
Also, under the CCPA, lawyers can band together hundreds or thousands of CCPA-affected Californians to form class action lawsuits against an offending company and collectively seek millions of dollars in damages. This serves as a major deterrent against non-compliance. In contrast, under the VCDPA, the class action lawsuit threat is not present. Further still, crafting a lawsuit requires a significant amount of time and expense to organize, yet a curative action undertaken within thirty days can completely negate the lawsuit. This would tend to strongly disincentivize lawsuits and blunt the VCDPA’s enforcement heft.
Another key difference between the CCPA and VCDPA concerns discrimination against consumers who exercise their opt-out rights. Both laws prohibit overt discrimination (a company cannot change the rates, prices, or quality of goods and services that are offered to a consumer), but the VCDPA explicitly allows this kind of discrimination when the consumer’s choice prevents them from getting targeted advertising or from enrolling in a voluntary loyalty program. In other words, if processing or selling a consumer’s personal data is a prerequisite to participating in a company’s loyalty rewards program or targeted marketing, an opt-out can potentially leave consumers out in the cold on special prices or promotional offers that their less privacy-conscious peers may enjoy.
Taken as a whole, the VCDPA reveals a markedly different and more permissive enforcement landscape for companies when compared to the CCPA. The VCDPA is set to go into effect on January 1, 2023.
Once two states have taken the plunge by enacting big-ticket privacy laws, expect that others will surely follow. Presently, more than a dozen states continue to work on their own privacy laws. As more states pass privacy laws with their own eccentricities, the growing complexity caused by an overlapping patchwork of state requirements may increase pressure on Congress to set a baseline to which all personal data processors must adhere. With single-party control of the White House and both houses of Congress, the likelihood of passing comprehensive federal privacy legislation now may be greater than ever.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Frank Fazzio, IGP, CRM
Analyst / Licensed Attorney