by Nathan D. Taylor and Robert N. Famigletti
As the Virginia Consumer Data Protection Act (H.B. 2307) heads to Governor Northam’s desk, it appears increasingly likely that Virginia will become the second state to enact a comprehensive consumer privacy law.
After overwhelmingly passing slightly different versions of the bill in late January and early February 2021, Virginia’s House of Delegates and Senate reconciled and passed a substitute, H.B. 2307, on February 19, 2021. This comes just three months after California voters dramatically changed the California privacy law landscape by approving the California Privacy Rights Act (CPRA), a set of numerous amendments to the California Consumer Privacy Act (CCPA) that will become operative on January 1, 2023. If enacted, H.B. 2307 will impose additional compliance obligations beyond the CCPA, even as amended by the CPRA. Moreover, Virginia’s passage of comprehensive privacy legislation may encourage other state legislatures to follow suit—all likely renewing the call for a federal consumer privacy law.
This post provides an overview of the Virginia bill, with a focus on the areas in which it departs from the CCPA and/or CPRA. Like the CPRA’s substantive obligations, H.B. 2307, if enacted, would become operative on January 1, 2023.
Scope
Covered Businesses. H.B. 2307 would apply to any entity that conducts business in Virginia or produces products or services that are targeted to Virginia residents and that:
- During a calendar year, controls or processes “personal data” of at least 100,000 consumers; or
- Controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of such data.
Unlike the CCPA and CPRA, H.B. 2307 does not include a standalone revenue threshold, whereby the law would apply to a business based solely on its annual revenue, regardless of the number of consumers whose PI it processes.
More importantly—and similar to, for example, the EU GDPR—H.B. 2307 would distinguish between controllers (i.e., businesses that determine the purpose and means of processing personal data) and processors (i.e., businesses that process personal data on behalf of a controller), imposing distinct obligations on each. This is one area where the CCPA, even as amended by the CPRA, can be confusing and oddly structured.
Consumers. H.B. 2307 would define a “consumer” as a Virginia resident, but only to the extent that the individual is acting in an “individual or household context,” as distinct from acting in a “commercial or employment context.” This is a critical distinction because the definition of “consumer” functions as a complete exception for personal data collected in an employment or business-to-business context. By contrast, the CCPA provides only partial and temporary exceptions for data obtained in an employment or business-to-business context, both of which, as amended by the CPRA, will expire on January 1, 2023.
Personal Data. H.B. 2307 would define “personal data” simply as information linked or reasonably linkable to an identified or identifiable individual. Unlike the CCPA and CPRA, the definition does not include a delineated list of categories of personal data, nor does it cover information that is linkable to a household or device.
Sensitive Data. Similar to the CPRA, H.B. 2307 would define “sensitive data” to include, for example, personal data that reveal racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data used for unique identification purposes and precise geolocation data. As discussed below, H.B. 2307 would impose distinct obligations on the processing of sensitive data, including, for example, requiring that a controller obtain consent.
Sale. In a similar yet narrower fashion than the CCPA and CPRA, H.B. 2307 would define a “sale” as the disclosure of personal data for monetary consideration. In particular, H.B. 2307 does not include the CCPA/CPRA concept of disclosures for valuable, but non-monetary, consideration in the definition of a “sale.” In addition, H.B. 2307 would specifically clarify that certain disclosures of personal data are not “sales,” including the disclosure of personal data to processors and affiliates and the disclosure of personal data to third parties for purposes of providing a product or service that the consumer requested.
Individual Rights
Similar to the CCPA, as amended by the CPRA, H.B. 2307 would give a Virginia resident the right to request that a controller:
- Confirm whether it processes personal data relating to the individual and provide access to that personal data;
- Correct inaccuracies in the personal data;
- Delete personal data “provided by or obtained about” the consumer;[1] and
- Provide a copy of any personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format.[2]
In addition, H.B. 2307 would give a consumer the right to “opt out” not only from a controller’s “sale” of personal data, but also from the controller’s processing of personal data for targeted advertising or “profiling in furtherance of decisions that produce legal or similarly significant effects.”
Unlike the CCPA and CPRA, H.B. 2307 would provide Virginia residents with the right to appeal a controller’s denial of an individual rights request. In this regard, the Act would impose a corresponding obligation on controllers to establish a process for such appeals and make the process conspicuously available to consumers. In particular, a controller would be required to inform the individual in writing and within 60 days of receipt of an appeal of any action taken or not taken in response to the appeal. Of note, a controller that denies a consumer’s appeal would be required to provide the individual with an online mechanism or other method by which to contact the Virginia attorney general (AG) to submit a complaint.
Controller Obligations
In addition to privacy notice obligations that are similar to the CCPA and CPRA,[3] H.B. 2307 would impose a number of obligations on controllers that reflect a hybrid GDPR/California approach.
- Data Minimization. A controller would be required to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which it is processed and as disclosed to the consumer.
- Purpose Limitation. A controller generally would be prohibited from processing personal data for purposes that are not reasonably necessary to, or compatible with, the purposes disclosed by the controller, unless the consumer’s consent is obtained.
- Data Security. A controller would be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Non-discrimination. A controller would be prohibited from processing personal data in violation of state and federal discrimination laws or discriminating against a consumer for exercising the individual’s rights under the Act.
- Consent for Sensitive Personal Data. A controller would be prohibited from processing sensitive data without a consumer’s consent.
- Consent Relating to Minors. A controller would also be prohibited from processing sensitive data relating to a “known child” under the age of 13 unless such processing is “in accordance with” the federal Children’s Online Privacy Protection Act (COPPA).
- Data Protection Assessments. A controller would be required to conduct and document a data protection assessment for certain high-risk processing activities (e.g., the processing of personal data for targeted advertising, sale, or profiling, or processing that presents a reasonably foreseeable risk of financial, physical, or reputational injury to consumers). This assessment would be required to weigh the benefits and potential risks of such processing, as mitigated by safeguards that may reduce such risks. A controller would be required to make its assessment available to the AG upon request.
Processors
Like the CCPA and CPRA, H.B. 2307 would require that a processor assist a controller in meeting its obligations under the Act. In this regard, H.B. 2307 would require that there be a written contract between a controller and processor that governs the processing of personal data. Such contracts would have to include instructions for processing, the nature and purpose of processing, the type of data to be processed, and the duration of processing, as well as requirements that a processor:
- Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal data to the controller as requested when the relevant services end;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with H.B. 2307;
- Allow and cooperate with reasonable assessments by the controller, or arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures and provide a report to the controller; and
- Only engage a subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations of the processor with respect to the personal data.
Exceptions
General Exemptions. H.B. 2307 would exempt non-profit organizations and institutions of higher education (a sticking point that contributed to the failure of the Washington Privacy Act in 2020), as well as financial institutions “subject to” Title V of the Gramm-Leach-Bliley Act (GLBA) and covered entities and business associates “governed by” HIPAA.
H.B. 2307 also broadly exempts personal data created or maintained for purposes of certain federal laws, including HIPAA, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and the Driver’s Privacy Protection Act, among others.
Permitted Processing. H.B. 2307 would also clarify that it does not restrict a controller or processor’s ability to, among other things:
- Comply with federal, state, or local laws, rules, or regulations;
- Investigate, establish, exercise, prepare for, or defend legal claims;
- Provide a product or service specifically requested by a consumer or perform a contract to which the consumer is a party;
- Take immediate steps to protect the life or physical safety of the consumer or another individual;
- Prevent, detect, protect against, or respond to security incidents;
- Effectuate a product recall; or
- Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller.
Enforcement
H.B. 2307 would provide the Virginia AG with exclusive authority to enforce the bill. This is similar to the enforcement structure for the CCPA and CPRA privacy provisions. However, H.B. 2307 would not provide a private right of action for its data security obligations, whereas the CCPA and CPRA permit California residents to sue following certain data security incidents.
H.B. 2307 would provide businesses with a 30-day period by which to cure alleged violations, upon receipt of notice of such violations from the AG. The CPRA, by contrast, will remove the CCPA’s 30-day cure period for AG actions. Ultimately, the AG would be authorized to seek civil penalties of up to $7,500 for each violation and injunctive relief to enforce the Act.
Next Steps
Governor Northam will have 30 days from the date that the Virginia legislature’s special session adjourns to sign or veto H.B. 2307.[4] If the governor takes no action, H.B. 2307 will become law without his signature.
We anticipate that H.B. 2307 will ultimately be enacted and become Virginia law. Moreover, upward of a dozen other states, including, of note, New York and Washington, are actively considering privacy bills. Although it remains to be seen how much traction the issue of privacy will have in the states in 2021, it seems likely that other states will follow California’s (and likely Virginia’s) lead. This would amplify the call for a federal privacy law that creates a national standard for privacy and avoids the development of a multistate patchwork of business obligations and consumer rights.
Nathan D. Taylor is a partner, and Robert N. Famigletti is a privacy analyst, at Morrison & Foerster LLP.
Footnotes
[1] H.B. 2307’s deletion right is broader than the corresponding right under the CCPA/CPRA in that it is not limited to personal data collected “from” the consumer and because the Act does not include exceptions to the deletion right specifically.
[2] Unlike the deletion right, H.B. 2307’s “access” right is narrower than the corresponding right under the CCPA/CPRA in that it is limited to personal data previously “provided” by the consumer, as opposed to personal data relating to the consumer.
[3] Unlike the CCPA and CPRA, however, H.B. 2307 does not require that a controller provide a notice at or before collecting personal data from a consumer.
[4] As a theoretical matter, in Virginia, the governor may also recommend one or more specific and severable amendments to a bill by returning it with his recommendation to the house in which it originated during the legislature’s “reconvened session,” scheduled to begin on March 17, 2021.
Disclaimer
The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.