California Proposition 24

• Read the Virginia House bill here.
• Read the Virginia Senate bill here.
• Watch FPF ‘s educational briefing before the Virginia Data Protection & Privacy Advisory Committee on existing and emerging US privacy laws (November 24, 2020).

• Stacey Gray, Pollyanna Sanderson & Samuel Adams In the absence of federal privacy legislation, U.S. states are weighing in.
• In Virginia, the Consumer Data Protection Act (CDPA) (HB 2307 / SB 1392) could be signed into law within weeks, and if passed, would take effect on Jan. 1, 2023.
• If the law passes, it would become the second comprehensive (non-sectoral) data protection law in the United States, making it a potential model for other states and federal legislation.
• At present, the Virginia CDPA is about 50% of the way through Virginias bicameral, citizen legislature.
• Either bill must now pass in the other chamber, a process that will likely involve additional hearings and opportunity for debate.
• In light of the rapid speed and near-unanimous legislative support, businesses, law firms, and privacy advocates alike are beginning to pay close attention.

1. Scope of Covered Entities & Covered Data 

• In addition, a number of exemptions are currently drafted in the bill, including for:
  • government entities;
  • non-profits;
  • data collected in the employment context;
  • covered entities in regulated sectors, including: data and covered entities governed by Health Insurance Portability and Accountability Act (HIPAA), and financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA);
  • information governed under the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), the Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act (FCA), and the Children’s Online Privacy Protection Act (COPPA); and 
  • identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.
  • The CDPA has a broad definition of personal data: any information that is linked or reasonably linkable to an identified or identifiable natural person.
  • As a result, the Virginia bills jurisdictional scope of covered entities and personal data is both similar and in some ways narrower than other US laws and the GDPR.
  • It would apply to a broad definition of personal information, which is similar to leading US and EU law, but apply to a narrower scope of covered entities.
  • For example, while the WPA and CCPA contain similar exemptions (for data governed by the Fair Credit Reporting Act), they do not totally exclude entities governed by HIPAA or GLBA.

2. Consumer Rights & Pseudonymised Data

• The CDPA provides a narrow limitation for pseudonymous data, for which companies would be required to comply with the bulk of the bills requirements including opt-out rights but not access, correction, deletion, or portability.
• Pseudonymous data is defined as data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
• Providing flexibility for pseudonymous data is a shared feature of the CDPA and the WPA.
• The approach recognizes challenges involving authentication and verification of consumer requests involving pseudonymous data, and creates an incentive for covered entities to maintain personal information in less readily identifiable formats.
• When combined with the opt-in requirement for sensitive data (discussed below), this approach goes further than the California Consumer Privacy Act, which currently only requires that consumers be able to opt out of sale.

3. Sensitive Personal Data & Risk Assessments

• In addition, the CDPA (like the WPA) would create a new requirement that controllers conduct data protection assessments if engaged in any of the following:
  • processing of sensitive data;
  • targeted advertising; 
  • sale of personal data; 
  • “profiling” that creates a “reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers”; or
  • any other processing activities involving personal data that present a “heightened risk of harm” to consumers. 
  • The CDPA would require freely given, specific, informed, and unambiguous consent (a standard discussed below) for controllers to collect or process sensitive data, defined as: (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal data collected from a known child; and (4) precise geolocation data.
  • The CDPAs definition also roughly aligns with the definition of sensitive data in the California Privacy Rights Act (CPRA), which will create an opt-out for sensitive data uses when it comes into effect in 2023.
  • These data protection assessments would be required to be made available to the Attorney General upon request, pursuant to an investigative civil demand.

4. Consent Standard & Use Limitations 

• The CDPA would define consent as freely given, specific, informed, and unambiguous, a strong opt-in standard that aligns with the GDPR and WPA.
• The CDPA does lack the dark patterns language found in the current WPA, which would specifically outlaw controllers and processors from providing deceptive user interfaces to obtain consent from individuals.
• The CDPA would require controllers to obtain opt in consent to process personal data for incompatible secondary uses, as disclosed to the consumer.
• In comparison, the GDPRs principle of purpose limitation requires all data collection to be only for a specified, explicit, and legitimate purpose, which includes compatible purposes.

5. Non-Discrimination

• However, similar to California law, it provides a broad exception for voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
• In contrast, the current WPA contains a narrower exemption for such programs that would require additional disclosures and limits the sale and secondary uses of personal information.
• In addition, the CDPA would prohibit controllers from processing personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.

6. Controllers, Processors & Third Parties 

• The CDPA follows the GDPR and WPA structure of dividing responsibilities between “controllers” and “processors,” rather than using the CCPA/CPRA terminology of “businesses” and “service providers”:
  • “Controller” is defined as “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.” Controllers would be required to comply with transparency obligations, consumer requests, data protection assessments, and data security practices.
  • “Processor” is defined as “a natural or legal entity that processes personal data on behalf of a controller.” Processors would be responsible for adhering to the instructions of the controller, and assisting the controller to meet its obligations under the Act involving responding to consumer requests to exercise their rights, fulfilling security obligations, and providing the information necessary to enable the controller to conduct and document data protection assessments. Processors would be subject to a duty of confidentiality, and would themselves be required to contractually obligate subcontractors to adhere to the same obligations.
  • Third party is defined as a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
  • Controllers would be required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data that the controller shares with third parties, if any; the categories of third parties, if any, with whom the controller shares personal data; and if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller would be required to clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
  • Of note, if a third party recipient processes data in violation of the Act, controllers and processors would not be liable to the extent that they did not have actual knowledge that the recipient intended to commit a violation.

7. Limitations and Commercial Research 

• The CDPA would not limit a controller or processors ability to provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party; comply with existing laws; cooperate with civil, criminal, or regulatory investigations; cooperate with law enforcement agencies; defend legal claims; to protect an interest that is essential to the life or physical safety of the consumer or another natural person; or protect against fraud, theft, or harassment.
• In addition, the CDPA would not restrict the ability of controllers and processors to engage in public or peer-reviewed scientific or statistical research in the public interest that is approved, monitored, and governed by an institutional review board (IRB) or a similar independent oversight entity.
• This aligns provides greater flexibility for commercial research than the CCPA, and aligns with broader trends in U.S. privacy legislation, including the WPA, Sen. Cantwells (D-WA) COPRA, and Sen. Wickers (R-MS) SAFE DATA Act.
• The requirements of the CDPA would also not limit the ability of controllers and processors to collect, use, or retain data to: 1) conduct internal research to develop, improve, or repair products, services, or technology; 2) effectuate product recalls, identify and repair technical errors; or 3) to perform internal operations that are reasonably aligned with the reasonable expectations of the consumer or reasonably anticipated based on the consumers existing relationship with the controller.

8. Enforcement 

• The CDPA, which contains a 30-day cure period, would be enforced by the Attorney General, with civil fines capped at $7,500.
• The legislation would establish a Consumer Privacy Fund within the Office of the Attorney General in order to establish funding in future years.
• In Virginia, several stakeholders have testified that the cure period would promote faster and less costly results for consumers, and may be useful as businesses adapt to compliance.
• Others, such as Consumer Reports, have advocated for it to be removed as unduly limiting on enforcement.

Recognizing the Broader Landscape of Emerging State Laws