The Virginia legislature has introduced several bills that would amend Virginia’s Consumer Data Protection Act (“CDPA”) that was enacted last year. These bills are largely in response to the November 1, 2021 Virginia Consumer Data Protection Act Work Group report (the “Report”), which outlined 17 “points of emphasis” related to the CDPA. The Report includes recommendations regarding administrative items, permitting the Attorney General to seek actual damages based on consumer harm, implementing a right (that would sunset) to cure violations of the CDPA, amending the right to delete, amending the definition of sensitive data, implementing global privacy control, and providing resources to consumers and small business, among other topics.

The following is a high-level summary of the relationship between the introduced bills and the Report:

I. HB 381 and SB 393

In the Report, the work group specifically called for the “right to delete” provision in the CDPA to be a “right to opt out of sale” as well. This change is meant to address the scenario where the benefit of deleting data may be undone if the data is collected indirectly again at a later date. These bills would permit a business to satisfy a consumer’s request to delete by opting the consumer out of processing of their data for targeted advertising, sale, or profiling. Note that the opt out in HB 381 is broader and would opt the consumer out of processing for any purpose (with certain exceptions).

II. HB 714 and SB 534

The work group also outlined that there is a need to employ an “ability to cure” option for violations, should a potential cure exist, as well as permitting the Office of the Attorney General to pursue actual damages based on consumer harm.

Accordingly, these bills add a 30-day cure period that would only apply to violations that the Attorney General deems curable. Additionally, these bills would allow the Attorney General to seek actual damages in addition to existing remedies (injunctive relief and statutory damages of $7,500.00 per violation).

III. HB 1259

The Report also mentioned the need to consider whether the definition of “sensitive data” should exclude general demographic data used to promote diversity and outreach to underserved populations.

This bill proposes to address this by removing consent requirements for processing sensitive data when such processing involves “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status” if the data is used solely for marketing, advertising, fundraising, or similar outreach, communications or information sharing that does not result in decisions that could produce legal or similarly significant effects concerning the consumer.

Virginia is not the only state working to change its existing privacy framework. Colorado’s Office of the Attorney General will begin rulemaking activities shortly, and the California Privacy Protection Agency recently held a public meeting to discuss updates to its rulemaking process. More details are available on CPW’s blog covering these announcements.

CPW’s Glenn Brown has a comprehensive analysis of consumers’ opt-out rights under the Virginia Consumer Data Protection Act (“CDPA”), which is available at OneTrust.  As he explains, among other consumer privacy rights, the CDPA provides Virginia residents with the right to ‘opt out’ of the processing of personal data for the following three purposes: (i) targeted advertising; (ii) selling personal data; and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.  He provides a detailed breakdown of what this means at OneTrust.  As he concludes, “[d]ue to the differences between the opt-out rights provided by the CDPA and those provided under existing privacy laws, businesses will need to consider carefully the specific obligations under the CDPA, considering the nature of their business and the types of personal data they process.”  Be sure to check it out.


As Alan Friel, Glenn Brown, Ann LaFrance, Kyle Fath, Elliot Golding, Niloufar Massachi and Kyle Dull explain in a comprehensive, 16-page analysis here, on June 8, 2021, the Colorado legislature passed SB 21-190, known as the Colorado Privacy Act (CPA or CO Act), which the governor signed into law on July 7, 2021.  The CO Act is a mishmash of concepts from other jurisdictions. It is in large part modeled on the March 2021 Virginia Consumer Data Protection Act (CDPA), but with California influences, such as a broader definition of “sale” and requiring companies to look for and honor global privacy signals. Both the California consumer privacy regime, and even more so the CDPA, were inspired by Europe’s General Data Protection Regulation (GDPR), but depart from it in many material ways.

In their must-read analysis, they break down the similarities and differences of the three US state consumer privacy regimes.

As readers of CPW already know, this year Virginia passed comprehensive privacy legislation, the Virginia Consumer Data Protection Act (the “CDPA”).  In an article available at OneTrust, CPW’s Kyle Dull breaks down the consumer and business concerns presented by the statute.  Be sure to check it out here, as it is a must-read for anyone wanting to monitor this development and ensure their organization is appropriately prepared.

And for more in this area, stay tuned.  CPW will be there to keep you in the loop!

CPW has been tracking since last year the Capital One data breach multidistrict litigation (remember that privilege ruling?).  Well, today the federal judge overseeing the litigation granted Capital One’s motion to certify to the Virginia Supreme Court a question of whether there exists under Virginia state law a duty to use reasonable care to protect consumers’ personal information from disclosure.  Read on to learn more.

Recall that Capital One is a litigation involving consolidated cases transferred by the Judicial Panel on Multidistrict Litigation (“JPML”).  In all of the pending matters, Plaintiffs’ claims arise out of a cyber-attack that purportedly resulted in the theft of Plaintiffs’ personally identifiable information (“PII”) being held by Capital One (over 106 million individuals were impacted by the data event).

As relevant for purposes of the development today, Plaintiffs’ claims include the assertion that Capital One was negligent with respect to the security measures it employed to protect Plaintiffs’ PII.  As a result, Plaintiffs assert they suffered certain economic harms, including the time and money spent to address actual fraud and to mitigate the risk of future fraud.  However (as with other data breach litigations), they do not allege that they suffered any physical harms or damages to their person or property.

In the Capital One litigation, the Court and parties agreed that Plaintiffs’ negligence claims are governed by Virginia law.  As such, as summarized by the Court, “[t]he viability of Plaintiffs’ negligence claim therefore depends on whether under the circumstances alleged Virginia law imposes an extra-contractual, tort duty to use reasonable care to protect consumers’ personal information from disclosure, either as an independent duty imposed by law or as one voluntarily assumed.”  However, the Court found that on this issue Virginia law is unsettled as “[t]here are no Supreme Court of Virginia or the Court of Appeals of Virginia decisions which have considered whether a tort duty of care exists with respect to the accumulation of PII under the circumstances of this case.”

Accordingly, the Court granted Capital One’s Motion to certify the following two questions of law to the Virginia Supreme Court:

  1. Whether the economic loss rule precludes Plaintiffs’ negligence claims under the facts and circumstances alleged?
  2. If not barred by the economic loss rule, does there exist under the circumstances alleged, a cause of action for negligence against Capital One based on either an extra-contractual, independent tort duty to use reasonable care to protect consumers’ personal information from disclosure or the voluntary assumption of such a duty?

Negligence claims are frequently litigated in data breach cases, making this an important issue to watch going forward.  Not to worry, CPW will be there!  Stay tuned.

In a must-read, CPW’s Glenn Brown provides a detailed breakdown of the Virginia Consumer Data Protection Act (the “CDPA”) and how it stacks up relative to the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act (“CPRA”), which amends and will essentially replace the CCPA on 1 January 2023, and the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).  Check out his article available at One Trust’s Data Guidance.

Glenn Brown reports that today Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (the “Act”) into law, though the Act will not go into effect until January 1, 2023.  With this groundbreaking development, Virginia becomes the second state in the United States to enact a data privacy law that purports to regulate the collection, use, and disclosure of the personal data of its residents generally.  For a comprehensive overview of the Act, check out Glenn’s fantastic, comprehensive analysis here.

The Act provides rights to natural persons who are Virginia residents and generally imposes obligations on any natural or legal person that:

  • Conducts business in Virginia or produces products or services that are targeted to Virginia residents; and
  • In a calendar year, either:
    • Controls or processes the personal data of at least 100,000 Virginia residents; or
    • Controls or processes the personal data of at least 25,000 Virginia residents and derives at least 50% of its gross revenue from the sale of personal data

As expected, today Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (the “Act”) into law, though the Act will not go into effect until January 1, 2023.  As a result, Virginia becomes the second state in the United States to enact a data privacy law that purports to regulate the collection, use, and disclosure of the personal data of its residents generally. See our previous post for a summary and analysis of the Act’s key provisions and a discussion of how the Act differs from similar laws, such as the California Consumer Privacy Act and California Privacy Rights Act.

CPW’s Glenn Brown and Lydia de la Torre were recently interviewed by Vixio regarding the Virginia Consumer Data Protection Act (“VCDPA”), which establishes a series of consumer privacy rights, including the right to access the data businesses collect, request deletion of that information, and correct inaccuracies.  As Glenn explains, “[t]he drafting of the Virginia bill was certainly informed by businesses’ experience with the CCPA and the challenges with it.”  This is because, he notes, the CCPA’s definition of “sale,” described as an exchange of personal information for monetary or “other valuable consideration,” raised many questions on how it affects online targeted advertising or digital advertising.  By contrast, Virginia makes compliance easier by providing a clearer definition, describing “sale” as the exchange of personal data for monetary consideration only.  For an overview of key issues anticipated with the VCDPA, be sure to check out Glenn’s and Lydia’s great insights.


As readers of CPW know, the Virginia Consumer Data Protection Act (the “Act”) is expected to be signed into law shortly by Governor Ralph Northam.  If enacted, the Act will become effective on January 1, 2023, and make Virginia only the second state in the US to enact a comprehensive data privacy law that purports to regulate the collection, use and disclosure of the personal data of its residents generally.

The Act provides rights to natural persons who are Virginia residents and generally imposes obligations on any natural or legal person that:

  • Conducts business in Virginia or produces products or services that are targeted to Virginia residents; and
  • In a calendar year, either:
    • Controls or processes the personal data of at least 100,000 Virginia residents; or
    • Controls or processes the personal data of at least 25,000 Virginia residents and derives at least 50% of its gross revenue from the sale of personal data.

There are certain exceptions, as set forth in the Act.  The Act provides Virginia residents with various rights, including the right to delete and the right to opt-out.  It also imposes significant obligations on controllers and processors of data (data minimization, reasonable security, etc.).

CPW’s Glenn Brown has a fantastic analysis exploring these requirements and others in detail.  It is a must-read for any entity wondering what its legal obligations are under the Act.  Check it out here.