Virginia is to be commended for encapsulating a comprehensive privacy regime in just eight pages. Its Consumer Data Protection Act (VCDPA), which goes into effect Jan. 1, 2023, offers a tailored approach to consumer privacy that contrasts sharply with the sweeping California Consumer Privacy Act (CCPA), its accompanying regulations, and the forthcoming changes wrought by the California Privacy Rights Act (CPRA). Still, Virginia’s law could use a little clarification on five key points.
Kudos to Kristen Mathews, a partner with Morrison & Foerster, and Courtney Barton, Vice President and Senior Counsel at Marriott International, who brought these conundrums to light in a recent presentation at the Privacy + Security Forum’s Virtual Spring Academy.
Since the VCDPA does not specifically mandate the adoption of regulations, any clarification of these issues will likely start with a statutorily created working group—the Consumer Data Protection Work Group—which is charged with reviewing the provisions of the act as well as any issues related to its implementation.
The work group comprises several ex officio members of the Commonwealth—namely, the secretary of Commerce and Trade, the secretary of Administration, the attorney general, and the chairman of the Senate Committee on Transportation—along with consumer rights advocates and representatives of businesses who control or process the personal data of at least 100,000 persons. At the time of this writing, those additional members have not yet been identified.
The group’s “findings, best practices, and recommendations” are due Nov. 1, which is less than five months away. Here’s hoping the group will address the following questions raised by Mathews and Barton (who was speaking on her own behalf and not on behalf of Marriott).
The VCDPA applies to persons who “conduct business” in the Commonwealth or produce products or services that are “targeted” to residents of Virginia. Va. Code § 59.1-572.A. The statute, however, does not define what “targeted” means.
Would targeting be akin to “offering … goods or services” as in Article 3 of the EU’s General Data Protection Regulation (GDPR)? Or would it require some sort of purposeful conduct directed at Virginia, not unlike what’s required in cases addressing personal jurisdiction? See, for example, ALS Scan, Inc. v. Digital Serv. Consultants, Inc., 293 F.3d 707 (4th Cir. 2002).
Moreover, the VCDPA supplements both prongs—i.e., “conducting business” or “targeting residents”— with an additional qualifier: the person must either (i) control or process the personal data of at least 100,000 residents, or (ii) control or process the personal data of at least 25,000 residents and derive over 50% of gross revenue from the sale of personal data.
If a processor happens to meet the 100K threshold without specifically “targeting” Virginia residents—think, for example, of a website aimed at alumni of a state university located outside of Virginia—would satisfaction of the 100K threshold alone be sufficient to satisfy the “conducting business” prong?
2. Right to Delete
The VCDPA permits consumers to request the deletion of personal data, but it fails to set forth any specific exceptions to the right to delete. Va. Code § 59.1-573.A.3.
The CCPA/CPRA, by contrast, permits a business to refuse to comply with a deletion request where, for example, the personal information is needed to complete a transaction or to fulfill the terms of a warranty. Cal. Civ. Code § 1798.105.
The GDPR similarly provides exceptions to the so-called “right to erasure.” It permits controllers to retain personal data in order to comply with a legal obligation or when needed to defend legal claims, for example. See GDPR Art. 17.
While the VCDPA does set forth generic exceptions in subdivision A of Va. Code § 59.1-578—some of which mirror the exceptions mentioned in the California and EU laws above—the only exceptions that apply to “obligations imposed on controllers” and, more specifically, to the retention of personal data, are listed under subdivision B. Those exemptions are restricted to the performance of internal operations and other technical uses of data.
Arguably, the only recognized exceptions to a request to delete would fall under subdivision B, since deletion is an “obligation” imposed on controllers and any denial of a deletion request would amount to the “retention” of personal data. Therefore, it would be helpful to know if a controller denying a deletion request may also rely on any of the broader exceptions listed under subdivision A.
3. Access and Data Portability
The VCDPA grants consumers a right to obtain a copy of their personal data, and it specifically indicates that the copy be provided “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance ….” Va. Code § 59.1-573.A.4. But that provision also includes a modifier: “where the processing is carried out by automated means.”
Mathews questions whether “automated means” modifies the requirement to make the personal data portable or the overarching consumer right to access personal data. I question whether it modifies the processing by the original controller or the one to whom the data is being transferred.
The “automated means” language is lifted directly from the text of GDPR Art. 20. Perhaps significantly, the GDPR contains another clause that is not reproduced in the VCDPA: Personal data deemed “portable” must also have been processed on the basis of consent or contract. The GDPR provision thus refers to the processing of the original controller.
But since the VCDPA does not condition processing on a legal basis, its use of the “automated means” language is less clear.
Moreover, while both the GDPR and the VCDPA apply to automated and manual processing of personal data, the GDPR restricts the scope of manual processing to situations where personal data is contained or is intended to be contained in a “filing system,” GDPR Art. 2. The VCDPA contains no similar limitation.
Given the VCDPA’s omission of the GDPR’s contextual limitations, the work group should offer much-needed clarification.
4. Targeted Advertising
The VCDPA defines “personal data” as any information that is “linked or reasonably linkable to an identified or identifiable natural person.” Significantly, it does not include information that could be linked to a consumer’s device.
Since most trackers used in the adtech ecosystem identify devices, not individuals, the scope of the consumer’s right to opt out of the processing of personal data for purposes of targeted advertising, found in Va. Code § 59.1-573.A.5, would be profoundly ineffectual.
5. Children’s Data
While the VCDPA extends to both online and offline data collection practices, it specifies that if a consumer is a child, the controller must comply with the federal Children’s Online Privacy Protection Act (COPPA). But COPPA applies only to personal information collected from children online. Does that leave controllers off the hook if they collect personal data from children offline?
Most likely not, but clarification is certainly needed.
Moreover, the VCDPA classifies personal data collected from a child as “sensitive data,” and the statute prohibits the processing of sensitive data without consent. It’s in that context that the VCDPA refers to COPPA. Va. Code § 59.1-574.
Does that mean that COPPA is applicable only insofar as it provides requirements (in the corresponding federal regulations) for securing parental consent? Or, do other COPPA provisions apply, such as instances where parental consent is not necessary?
Indeed, given the heightened sensitivity of children’s personal data, the work group should offer guidance on these matters.
The website of the Consumer Data Protection Work Group does not yet offer a way to submit comments, but it does allow members of the public to subscribe to its page. I have received notice of a meeting to be held June 14 at 2pm ET. An agenda will purportedly be posted soon.
Will any of the above questions be addressed? Stay tuned!
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT in order to access the hyperlinked content or click here to view the web version of this article.