Virginia adopts Consumer Data Protection Act

Virginia Gov. Ralph Northam signed the Consumer Data Protection Act, which provides consumers specific rights regarding the use of their personal data. The bill, SB 1392, was introduced by Sen. Dave Marsden, D-Burke.

Under the new law, “a consumer may invoke the consumer rights authorized pursuant to [the bill’s provisions] at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child’s parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the known child.”

The bill defines a controller as “the natural or legal person that, along or jointly with others, determines the purposes and means of processing personal data.” Controllers will have to comply with an authenticated consumer request to exercise the right:

• To confirm whether a controller is processing the consumer’s personal data and to access that personal data.
• To correct inaccuracies in the consumer’s personal data.
• To delete personal data provided by or obtained about the consumer.
• To obtain a copy of the consumer’s personal data.
• To opt out of the processing of the personal data for the purpose of targeted advertising, the same of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

  Controllers will have to respond to a consumer within 45 days of receiving a request to exercise consumer rights. That period could be extended once by 45 days when reasonably necessary. If a controller declines to take action, they must inform the consumer within 45 days of their justification for declining to take action and instructions for how to appeal the decision.

  Information provided in response to a consumer request will have to be provided by a controller free of charge, up to twice annually per consumer. If the requests are unfounded, excessive or repetitive, the controller will be able to charge the consumer a reasonable fee to cover the costs of complying with the request or decline to act on the request.

  If a controller is unable to authenticate the request using commercially reasonable efforts, the controller will not be required to comply with a request and may ask that the consumer provide additional information to authenticate the consumer and his or her request.

  “A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to Subdivision B 2,” the bill states. “The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to Subsection A. Within 60 days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reason for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.”

  Controllers may:

• Limit the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”
• Not process personal data for purposes that are neither reasonably necessary nor compatible with the disclosed purposes for which the data is processed.
• Establish reasonable administrative, technical and physical data security practices “to protect the confidentiality, integrity and accessibility of personal data.
• Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
• Not process sensitive data concerning a consumer without obtaining the consumer’s consent.

  Controllers will also have to provide consumers with “a reasonably accessible, clear, and meaningful” privacy notice that includes:

• The categories of personal data processed by the controller.
• The purpose for processing personal data.
• How consumers may exercise their consumer rights pursuant to Section 59.1-573.
• The categories of personal data that the controller shares with third parties, if any.

  The bill defines processor as “a natural or legal entity that processes personal data on behalf of a controller.” A contract between a controller and a processor will govern the processor’s data processing procedures with respect to processing performed on the controller’s behalf. The contract must include requirements that the process will:

• Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
• At the controller’s direction, delete or return all personal data to the controller as requested.
• Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with its obligations.
• Allow reasonable assessments by the controller or a qualified independent assessor to assess the processor’s policies and technical and organizational measures in support of its obligations.
• Engage any subcontractor pursuant to a written contract in accordance with [the bill’s provisions] that require the subcontractor to meet the obligations of the processor with respect to the personal data.

  Controllers will have to conduct and document a data protection assessment of each of the following processing activities:

• The processing of personal data for purposes of targeted advertising.
• The sale of personal data.
• The processing of personal data for purposes of profiling, where the profiling presents a risk of unfair or deceptive treatment of consumers; financial, physical or reputational injury to consumers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers; or other substantial injury to consumers.
• The processing of sensitive data.
• Any processing activities involving personal data that present a heightened risk of harm to consumers.

  These data protection assessments must “identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risk. The use of de-identified data and the reasonable relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.”

  The attorney general will be able to request a controller disclose any data protection assessment relevant to an investigation conducted by the attorney general. The attorney general may evaluate the data protection assessment for compliance with state law.

  The bill will apply to those “that conduct business in the commonwealth, or produce products or services that are targeted to residents of the commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” It will not apply to an entity of the commonwealth; financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act; covered entities and business associates governed by the privacy, security and breach notification rules issued by the U.S. Department of Health and Human Services pursuant to the federal Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act; nonprofit organizations; or institutions for higher education.”

  Nothing in the bill will be construed to restrict a controller’s or processor’s ability to:

• Comply with federal, state or local laws, rules or regulations.
• Comply with a civil, criminal or regulatory inquiry, investigation subpoena, or summons by federal, state, local or other governmental authorities.
• Cooperate with law-enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or local laws, rules or regulations.
• Investigate, establish, exercise, prepare for, or defend legal claims.
• Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract.
• Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.
• Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
• Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board, or similar independent oversight entities that determine: if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; the expected benefits of the research outweigh the privacy risks; and if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
• Assist another controller, processor or third party with any of the obligations under [the bill].”

The Virginia attorney general will have the authority to investigate a violation of the law. He or she will have exclusive authority to enforce the new statute. Before initiating an action under the statute, the attorney general will have to provide the controller or processor 30 days’ written notice identifying the specific provisions of the bill he or she alleges has been violated. If the controller or processor cures the violation within the 30-day period, no action will be initiated against the controller or processor. If the controller or processor continues to violate the statute or breaches an express written statement provided to the attorney general, the attorney general may initiate an action and seek an injunction to restrain any violations of the law and civil penalties of up to $7,500 for each violation.

“The chairman of the Joint Commission on Technology and Science shall create a work group composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons and consumer rights advocates,” the bill states. “The work group shall review the provisions of this act and issues related to its implementation. The chairman of the Joint Commission on Technology and Science shall submit the work group’s findings, best practices and recommendations regarding the implementation of this act to the chairmen of the Senate Committee n General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than Nov. 1, 2021.”

The bill will go into effect Jan. 1, 2023.