This blogpost will try to provide a comparison guide concerning the EU General Data Protection Regulation and the Virginia Consumer Data Protection Act.
On the 2nd of March, 2021, the Virginia Governor signed the Consumer Data Protection Act (CDPA) into law. The CDPA takes effect on the 1st of January, 2023, and it includes some of the provisions laid out in the EU’s General Data Protection Regulation (GDPR) by creating a number of privacy obligations for businesses and by giving to Virginia consumers more control over their personal data.
The Virginia CDPA provides that companies must conduct business in Virginia or produce products or services that target Virginia consumers, in order to fall within its scope. However, not all these businesses are subject to the law. Specifically, the CDPA applies to businesses who control or process personal data of at least 100,000 consumers during a calendar year, or control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. In this way, Virginia diverges from GDPR, which applies across the board to any business, whether large or small, for-profit or non-profit, that collects or processes EU data subjects’ personal information.
The GDPR is not applicable in the law enforcement and national security areas, while it covers all categories of personal data which may be processed and can be used to identify an individual. On the other hand, the CDPA establishes new definitions for precise geolocation data, profiling, targeted advertising and the sale of personal data, while at the same time, it includes exceptions which are divided into two main categories: the entity-level exceptions and the data-level exceptions.
Specifically, the CDPA exempts the following entities: Virginia public entities, GLBA-covered entities, HIPAA-covered entities, non-profit organizations, and higher education institutions. Moreover, it exempts 14 categories of data, including employer data, and data maintained in the course of an individual being employed by a business, protected health information under the HIPAA, data regulated under the federal Family Educational Rights and Privacy Act, and other health-related data under various regulatory frameworks.
Additionally, the CDPA excludes any deidentified data or publicly available information by defining the term “publicly available information” as “Information that is lawfully made available through federal, state, or local government records”. However, it also includes in its definition of “publicly available” any “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience”. Using this phrasing, the CDPA gives to businesses the opportunity to have a more subjective approach on the term “publicly available information”.
The CDPA uses the same concepts of controller and processor of consumer data, as these are already depicted in the GDPR. A “controller” is the business that determines the purpose and means of processing personal data, while a “processor” is an entity that processes personal data on behalf of the controller. The bill outlines responsibilities and privacy protection standards for both data controllers and processors.
Both the regulations provide for the implementation of appropriate technical and organizational measures, including a Data Protection Impact Assessment. Specifically, under the CDPA, businesses must conduct data protection assessments to evaluate the risks associated with specific data processing activities, such as the sale of personal data, the processing of sensitive personal data, the processing of personal data for targeted marketing purposes, and the processing of personal data for profiling purposes.
In addition, both the GDPR and the CDPA set out numerous obligations for businesses processing personal data. These obligations include data minimization, purpose limitations and security controls to be implemented.
The CDPA, similarly to the GDPR, also requires businesses to execute written agreements with third-party vendors to outline the scope of data processing. These agreements are generally called data processing agreements and can be either standalone agreements or addenda to existing agreements.
Both the GDPR and the CDPA include specific rights for the “data subjects” and the “consumers”, such as the right to access, the right to rectification, the right to request the deletion of their personal information, the right to data portability, and the right to object to data processing. The CDPA also establishes the right to be free from discrimination. However, the Virginia bill provides that in certain situations (i.e., if the data requested is not of a nature that is subject to the statute, like employment data) the business may decline to take the action requested by the consumer. In that case, a reason for declining the request must be provided to the consumer, as well as instructions on ways to appeal that decision. Businesses have 45 days to respond to consumer requests and can extend this period for one additional 45-day period when reasonably necessary.
The GDPR provides that administrative fines can be directly issued by a data protection authority. Penalties for severe violations can be up to €20 million or up to 4% of the organization’s worldwide annual revenue, whichever is higher. Under the CDPA, consumers cannot take legal action against a business if they believe their privacy rights have been violated as the new law contains no private right of action. Nonetheless, the CDPA designates the Virginia attorney general (Virginia AG) as the chief enforcer of the act and grants the Virginia AG the authority to bring civil actions against businesses for violations of the CDPA. However, prior to initiating any actions, businesses in violation of the CDPA have a 30-day period to ensure that the violation is cured. In a scenario where it is certified that an alleged violation has been cured, the Virginia AG will not bring an action for statutory damages. Violations of the CDPA can result in fines as high as $7,500 per violation.
While similarities exist between the GDPR and the CDPA, the laws are different enough so that compliance with the one does not provide compliance with the other. With the effective date of the CDPA two years away, businesses which fall under its scope should start developing a compliance program. However, businesses which are already in compliance with the GDPR – or other USA state laws – should be able to expand the scope of their compliance efforts to include the CDPA.
Until next time.