February 17, 2021
Virginia businesses that maintain and use customers’ data should be aware of what is on the horizon. The Virginia Legislature is poised to finalize and pass data privacy legislation that will impose new obligations on these businesses. Companies should begin to prepare themselves for the new statutory requirements by familiarizing themselves with the legislation.
The Virginia Legislature has acted very quickly to move this bill through the process. As of this writing, the Consumer Data Protection Act has passed in both the House and Senate, and Gov. Ralph Northam is ready to sign it into law. It is not a question of whether this bill will be passed and signed into law but when. Virginia will be the second state after California to have this type of legislation, and it will be far from the last. Privacy protection advocates have the upper hand in the national debate after several high-profile examples of breaches and misuse of customer data.
As a result, most businesses should start to engage now with a data privacy attorney to learn what requirements may be on the horizon. State data privacy laws are a relatively new thing, so companies will need to be forward-looking and proactive if they intend to collect data in Virginia.
The first question that companies will have is whether they are covered by the terms of the law. The law will define “covered companies” as any of the following:
What this boils down to is that if you are a large data broker or have a big online presence in Virginia, no matter where you are based, you will need to follow the CDPA and should consult a Virginia data privacy attorney.
The next question is who is entitled to protection under the new law. The statute defines “consumer” as someone acting only in an individual or household context. The law does not cover people acting in an employment or business context. This means that the law protects consumers who are using their own personal internet for their own personal purposes.
The law both gives consumers rights and places some restrictions on how those that control data collect it. First, consumers are allowed to know if their controllers have their data and what data they have. Second, once they see the data that the controller has, consumers have the right to correct any errors. Third, customers can demand that controllers delete any data that they obtained. Fourth, they can opt-out of having their data used in targeted advertising or being sold to a third party.
The last requirement requires customers to execute an affirmative opt-out to take advantage of this protection. Without that, companies can continue to use data in advertising and sell the data as they otherwise would.
In addition, controllers are now restricted from collecting more information than is “adequate, relevant, and reasonably necessary” for their purpose. As a business, you can see how that could lead to differences in interpretation between consumers and companies. Companies that use data for targeted advertising or for sale must also conduct assessments of whether this practice benefits all stakeholders, including consumers.
While this law will have definite impacts on companies, one important piece of information is that your company cannot face a private lawsuit from a consumer who claims that their rights were violated. Only the Virginia Attorney General has the ability to enforce the Act, and they can issue a civil fine. Nonetheless, companies should take these requirements seriously. The law allows for a fine of up to $7,500 for each violation of the Act. As of now, it is not known how a violation will be defined, meaning that this could lead to a major penalty if each customer is treated as one separate violation.
As a business owner or employee, you will likely have a number of questions about this law and how it will affect you. If you do large-scale business online in Virginia, the chances are that it probably will.
One concern that business should have is the speed at which the Virginia Legislature passed the law. The bill made its way through both Houses in several weeks. Bills that are passed quickly may have some gaps and ambiguities. In addition, there may be continued pressure from consumers’ rights advocates to make amendments to the law to strengthen it. This could be just the beginning of Virginia’s legislation in this area. As other states pass their own privacy laws, there is a chance that the Virginia Legislature could borrow some of the tougher provisions elsewhere and implement them here.
If you own a company doing business in Virginia, the first thing that you should do is determine if the law applies to you. Your business may not possess data from enough consumers to fall under the law. Alternatively, the type of data that you have may fall under one of a number of exemptions to the law, which include exemptions for institutions and companies with HIPAA-covered data. If you are covered by the law, you should prepare yourself to comply by its effective date by working with a data privacy lawyer.
To learn more about how this law applies to you and what your company can do to prepare itself, call the Virginia law firm of McClanahan Powers at 703-520-1326 or contact us online. You may not have much time to prepare for a law that could change the way that you do business in the Commonwealth, so request a consultation today.