Virginia’s recently enacted consumer privacy law means businesses need to kickstart compliance preparation now to avoid regulatory scrutiny once the law takes effect in January 2023.
Companies should craft data processing agreements and hammer out an appeals process for consumer information requests since those are likely to be time-consuming. But they should also evaluate how new California Privacy Rights Act compliance requirements can be rolled in alongside Virginia preparation to minimize time and resource use, attorneys say.
The Virginia Consumer Data Protection Act was signed in March by Gov. Ralph Northam (D). It’s the second state-level comprehensive consumer privacy law to be passed in the U.S., after California.
Most provisions of the updated California Privacy Rights Act take effect Jan. 1, 2023, the same date the Virginia law will take effect.
The Virginia law gives consumers rights over their data, including the right to access it and to have businesses delete it. It also requires companies to conduct data protection assessments of their processing of personal data for purposes such as targeted advertising and the sale of personal data, obligations that will take coordinated effort from compliance, business, and legal teams.
“Companies may not always appreciate all the ways in which personal information about consumers is being collected and used,” said Montserrat Miller, the Atlanta-based co-chair of Arnall Golden Gregory LLP’s privacy and consumer regulatory practice. “Businesses need to really get their arms around the data they have.”
One of the first steps to a company becoming compliant is understanding whether it falls under the scope of the Virginia Consumer Data Protection Act, said Michelle Reed, co-head of the cybersecurity, privacy, and data protection practice at Akin Gump Strauss Hauer & Feld LLP in Dallas.
“We have some clients who are already compliant with GDPR, and some clients already compliant with the CCPA,” Reed said, referring to the European Union’s General Data Protection Regulation and the 2018 California privacy law. “We have others that don’t operate in California and have no presence in Europe and therefore have nothing.”
Data mapping—documenting where data enters and leaves the company and how it is shared—is a good starting point for any business that falls under the scope of the law, said Jerel Pacis Agatep, a privacy attorney at Baker & Hostetler LLP in San Francisco.
One positive of the Virginia law is it doesn’t explicitly call for the attorney general to adopt regulations, said Alexander Southwell, co-chair of the privacy, cybersecurity, and data innovation practice group at Gibson, Dunn & Crutcher LLP in New York. There’s some indication there will be regulatory clarifications before the law takes effect, but not as much rulemaking uncertainty as is the case in California, he said.
Still, companies—especially smaller, less sophisticated ones that didn’t do as much legwork with other privacy laws—will have to grapple with difficult compliance hurdles such as access rights and data portability.
“Companies weren’t thinking about setting up their infrastructure in such a way,” Southwell said. “Some will have to essentially rework how their data infrastructure works to accommodate data access requests.”
Being Proactive Pays Off
The Virginia law calls for data protection assessments, a concept borrowed from the GDPR. The assessments help companies identify and minimize the risks associated with data processing activities, including targeted advertising.
Those assessments are likely a new requirement for U.S. companies that don’t operate overseas, so they may take some time to craft, said Kristen Mathews, a privacy and data security partner at Morrison & Foerster LLP in New York.
“Create a template for those data protection assessments and embed those templates into internal processes,” Mathews said. “It helps to systemize those now, so you’re ready when the law takes effect.”
A second major compliance hurdle, data processing agreements, will take time because companies may work with hundreds of vendors, said Matt Diaz, a cybersecurity and data privacy attorney at Dinsmore & Shohl LLP in Columbus, Ohio.
Those agreements—contracts between a company and its vendors—spell out acceptable practices, including how long data will be retained. Even a company with an existing vendor contract will have to update it or change some provisions during renewal, and that takes time, Diaz said.
“For me, this is a high priority, and when you’re onboarding new vendors, you need to make sure these are part of the package of documents that vendors must execute on,” Diaz said.
Businesses are also tasked with limiting the collection of personal information to that which is adequate, relevant, and “reasonably necessary,” according to the text of the statute.
That concept—data minimization—may be a daunting task for companies, some of which have been collecting data without a clear plan for shedding it or decreasing future collection.
“Data minimization will likely require a lot of work,” Reed said. “On the flip side, privacy policies will have to be modified but can probably be tweaked closer to the implementation date.”
Despite compliance challenges the new Virginia law may bring, it lacks a private right of action: Consumers won’t be able to sue, and enforcement will instead be left to the attorney general.
“Our clients can breathe a little because of that,” Agatep said.
But even if a company falls outside the scope of new privacy legislation, that doesn’t mean it should sit still, Diaz said.
As more states consider and build momentum for consumer privacy laws, companies need to start assessing their data collection procedures and better understand what could come down the pike, he said.
“Even if the CCPA and Virginia’s law aren’t applicable today, they may be down the road,” Diaz said. “It’s best practice to start considering these requirements even when they’re not applicable to you.”
Companies can and should tag-team compliance preparations for the new California and Virginia laws, Mathews said. Many of the requirements are similar, and companies that worked on the CCPA when that law took effect can build on those foundations.
But compliance doesn’t just mean ticking boxes, and what works in one jurisdiction doesn’t necessarily work in another due to competing definitions or requirements, Mathews said.
“Each law has different standards and definitions,” she said. “The exceptions are also different, so businesses need to take a hard look.”