The Anticipated Domino Effect: Virginia Passes Second State “Comprehensive” Privacy Law (Guest Blog Post)

by guest blogger Tanya Forsheit

Virginia has officially become the second state in the country to enact what many have called a “comprehensive” privacy law, the Consumer Data Protection Act (“CDPA”), with Governor Northam’s signature on March 2, 2021. For many of us, this is the anticipated (and slightly pandemic-delayed) beginning of a process we predicted back in 2018, when California enacted the California Consumer Privacy Act (“CCPA”). Specifically, most of us knew that we would be faced with a years- or decades-long evolution of privacy law here in the US, with each state passing a law with some overlapping and some differing provisions that create an operational nightmare for organizations attempting to comply. That is precisely how this is playing out, and the chances of a federal law preempting these divergent state laws are very close to zero, at least in the near- and medium-term future.

This is not without precedent, and it is at least partially to blame for the US not being deemed “adequate” by the EU for privacy purposes despite literally dozens if not hundreds of sectoral and state-based privacy and data security laws on the books. These include the Gramm-Leach-Bliley Act, the Health Insurance Portability & Accountability Act, the Children’s Online Privacy Protection Act, the California Online Privacy Protection Act (“CalOPPA”), the California Shine the Light Law, the Illinois Biometric Information Privacy Act, the Massachusetts data security regulations in 201 CMR 17.00 et seq., and data breach notification laws in all 50 states, just to name a few.

The history has already been painfully long for those of us practicing in privacy and data security law. I am based in California, where we passed the first data breach notification law in 2002 and CalOPPA (the law that first required businesses to publish online privacy policies) in 2003. My first kid was born in 2003. He is about to graduate from high school. What does that mean? Despite years of trying to educate organizations on how to protect consumer data consistent with these long-existing requirements, the US is still treated as if it is starting at square one. And organizations have struggled – for good reason – to comply with the differing requirements even in the aftermath of a data breach.

And now, we have what – another 15-20 years? – to look forward to the parade of 48 more states passing “comprehensive” privacy laws that will have different terminology and requirements. Needless to say, this is NOT good for protecting consumers. States, and the federal government, should be interested in providing organizations with clear and consistent standards for compliance requirements, not this ridiculous patchwork.

I am going to spend the rest of this post identifying a few key differences between California and Virginia law. In California, that’s the CCPA and the California Privacy Rights Act (“CPRA”), which is the CCPA’s successor due to Alastair Mactaggart’s 2020 ballot initiative, Prop 24, that was voted into law in November, and that will effectively amend and restate it as of January 1, 2023. In Virginia, that’s the CDPA, which will also take effect on January 1, 2023. And I will briefly mention some additional state stuff on the horizon. It’s not pretty.

I will preface all of this with the point that the majority of organizations do NOT collect mailing address such that they know someone’s legal residence is California, Virginia, or anywhere else. For those organizations, there isn’t any good choice for picking and choosing which law to follow. The approach most likely to mitigate risk is to apply the most stringent/consumer-protective provision, not the law of the state where you reside or where you think you have the most consumers. Unless you are a truly regional organization, the emergence of more “business-friendly” laws in certain states does not present any practical benefit in terms of efficiency or cost-effectiveness in compliance.

VA v. CA – Some Sample Distinctions

I have publicly stated that I wish the folks involved in drafting the Virginia privacy law had been involved in California, because the terminology used in the CDPA itself is more familiar to the privacy legal world and more consistent with existing privacy frameworks. As perhaps the most dramatic example, the CDPA uses the “controller” and “processor” terminology that has long existed under European privacy law, not just under the EU General Data Protection Regulation (“GDPR”) but also under the predecessor EU Data Protection Directive and the EU member country laws going back to the 1990s. Controllers are the organizations that determine the means and the purposes of the processing. Processors process data on behalf of and solely at the instruction of the controllers. Makes sense, right?

But California said “nah, not for us.” Instead, the CCPA has a “business”, “service provider”, “third party” structure, and the CPRA adds a FOURTH role, “contractor,” which requires completely different contractual structures.

So companies that did Article 28 contracts for GDPR have been required to revise their agreements to meet CCPA requirements and will have to revise again to meet CPRA requirements. And the fact that VA uses a GDPR model does not change any obligations in that regard unless you know you are only dealing with Virginia residents.

On the flip side, CCPA has no recognition of sensitive personal information, CPRA introduces an opt-out right for processing of sensitive personal information, and CDPA requires opt-in for sensitive personal information. Sensitive personal information includes not only things like political affiliation and health data but also precise geolocation data (which is NOT based on mailing address, needless to say; it is based on GPS and other online technologies). So companies will need to prepare to provide an opt-in for processing of that kind of information beginning in 2023, and readiness for CPRA will not get you to compliance for Virginia purposes.

Other Stuff on the Horizon

There are many other states with bills under active consideration. The one that is causing me to lose the most sleep right now is New York. New York is looking at a number of bills, but one of them is in Governor Cuomo’s budget, which must be voted up or down on or before April 1 (less than a month from now). It includes the Data Accountability and Trust Act, which would provide a very broad-based consumer privacy bill of rights that allows a consumer to object to the collection or processing of any personal information for any purpose. Anything at all. That goes way beyond CA and VA.

We are also seeing action in Washington, Minnesota, Oklahoma, Kentucky, and elsewhere. I will continue to provide the most practical guidance I can as these new and varying schemes become reality, and I recommend (not legal advice, of course) that organizations start planning now. Some of these new laws, if passed, may take effect even before 2023, and 2023 itself is not so far away from a budgetary and other resource point of view, especially during an ongoing pandemic.

Prior CCPA/CPRA Posts

* SF Chronicle Op-Ed: “Prop. 24 is the Wrong Policy Approach, at the Wrong Time, via the Wrong Process”
* Over 50 Privacy Professionals & Experts Oppose Prop. 24
* Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
* A Review of the “Final” CCPA Regulations from the CA Attorney General
* The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (guest blog post)
* My Third Set of Comments to the CA DOJ on the CCPA Regulations
* Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
* Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
* Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
* Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
* A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
* Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)