Virginia Joins Growing List of Jurisdictions Regulating Data Privacy. What’s Next?
Jurisdictions are creating privacy laws with competing interests of protecting consumer data without unnecessarily impeding companies’ ability to do business with residents of the jurisdictions that have enacted these regulations. As the number of places regulating data privacy with a patchwork of laws continues to expand, companies will have to rethink their approach to assessing compliance. The first comprehensive data privacy regulation of its kind came into existence in Europe when the European Union implemented the General Data Protection Regulation, GDPR, in 2018 to protect the data and privacy in the European Union and the European Economic Area.
The State of California followed suit by enacting the California Consumer Privacy Act, CCPA, which became effective in 2020 and was subsequently amended in the CPRA ballot initiative in November 2020. Virginia became the latest U.S. jurisdiction to join the data privacy bandwagon when the Governor of Virginia passed the “Virginia Consumer Data Protection Act”, VCDPA. Virginia’s Act won’t go into effect until 2023. However, companies need to consider whether these laws apply to them, and if so, what actions to take to remain compliant.
Who is Regulated?
For a company to consider if this law applies, it must understand who these laws intend to regulate.
The CCPA, as amended by the CPRA, intends to regulate organizations for any for-profit entity doing business in California that meets one of the following requirements:
- Has annual gross revenue of over $25 million (calculated on total global revenue regardless of where the revenue is derived from);
- Buys, receives, sells or shares the personal information of 50,000 or more consumers (a “consumer” is defined as a California resident), households or devices for commercial purposes each year; or
- Derives 50% or more of its annual revenue from selling consumer personal information.
For financial institutions, the CCPA provides for an exception for personal information that is subject to the Gramm-Leach-Bliley Act, GLBA. The GLBA exception is not an entity-level exemption. It applies to a certain category of data, not to financial institutions as entities. This is in contrast to Nevada’s privacy regulation, which exempts an entire organization if it is subject to the GLBA.
The GDPR intends to regulate a much broader audience in its scope and territorial reach. The Act regulates any organization operating within the EU and any organizations outside of the EU that offer goods or services to customers or businesses in the EU.
As for the new VCDPA, it regulates all entities “who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and, during a calendar year, either:
- Control or process personal data of at least 100,000 Virginia residents, or
- Derive over 50% of gross revenue from the sale of personal data (though the statute is unclear as to whether the revenue threshold applies to Virginia residents only) and control or process personal data of at least 25,000 Virginia residents.
Unlike the CCPA, the VCDPA does not include a standalone revenue threshold for determining applicability separate from the above thresholds regarding contacts with Virginia. Therefore, even large businesses will not be subject to VCDPA unless they fall within one of the two categories above, which focus on the number of Virginia residents affected by the business’s processing of personal data.
However, similar to the entity-level approach taken by Nevada, Virginia’s CDPA exempts entities already covered by the GLBA, among other exemptions.
What Happens if the Company Doesn’t Comply?
As for the potential risk of non-compliance with data privacy regulations, every law has different types of penalties.
The CCPA uses fines as enforcement of its Act. The maximum penalty of the CCPA is $7,500 and is reserved for only intentional violations of the CCPA. Other violations lacking intent are going to remain subject to the preset $2,500 maximum fine. A consumer may bring a suit against the company.
The GDPR states that it evaluates each punishment on a case-by-case basis. That said, for especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros or up to 4% of global turnover of the preceding fiscal year, whichever is higher. The European Union publicizes a tracker of reported fines and penalties that data protection authorities within the EU have imposed so far.
Unlike the CCPA, the VCDPA does not include a private right of action for consumers. It allows the Attorney General to bring an action in the name of the Commonwealth, or on behalf of persons residing in the Commonwealth. As for the amount liable, a controller or data processor who violates the VCDPA is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation, per section 59.1-580 of the regulation.
Companies should continue to monitor data privacy laws since they change so rapidly. If you are concerned about being in violation, consider reaching out to an expert.
- The VCDPA is similar to the CCPA in scope. Still, instead of exempting specific personal data from the law, it exempts the businesses themselves – including, notably, financial services companies that must comply with the GLBA.
- The Virginia Attorney General will enforce the VCDPA. Unlike the CCPA, which provides for a private right of action for data security incidents, there is no private right of action in the VCDPA.
Guest blog post by E.J. Yerzak, CSS and Sofia Orrantia McPherson, Quinnipiac University School of Law
For more information on the VCDPA or to learn more about CSS’s Cybersecurity Services, email [email protected].