More than two years after California passed the California Consumer Privacy Act (CCPA), Virginia joins it as the second state with a “comprehensive” privacy law with the passage of the Consumer Data Protection Act.
There’s a lot to digest here, but below is an overview of the issues we are most paying attention to, especially as other states and Congress consider moving forward on privacy legislation.
The path of the law through the General Assembly. This law moved quickly through the General Assembly, without the delays and impediments that have confronted many of the other efforts. It also passed with broad-based bipartisan support within the Assembly.
The breadth of the exceptions. The law includes an extraordinary number of exemptions. It exempts not only data subject to most existing U.S. privacy laws, but as written even exempts any entities that are subject to those laws, even if the activity isn’t regulated. That means a bank or a hospital—or even a data analytics firm working for a hospital as a business associate—may have no obligations under this law.
The idea of “consent” for “all” processing of sensitive data. The law defines sensitive data as including a range of data elements, including personal data revealing sensitive facts (such as ethnic origin, sexual orientation, or mental or physical health); genetic and biometric data; precise geolocation information; and any personal data collected from a child. This list is largely borrowed from the General Data Protection Regulation’s “special categories of personal data.”
By tracking GDPR, this law also includes many data elements not often viewed as sensitive (or used extensively) under U.S. law. In addition, by requiring “consent” for “any” processing of this data, it likely creates an untenable situation, where consent will either be obtained through traditional “notice and choice” principles, or data processing will proceed in entirely different ways.
An emphasis on data protection assessments. Also like the GDPR, Virginia’s CDPA requires businesses to conduct data protection assessments for certain processing activities, such as the processing of sensitive data and targeted advertising. This has been somewhat of a trend in privacy legislation, with the California Privacy Rights Act (CPRA) also adopting this principle.
The lack of an approach for regulations. There is a lot of confusing language in this law but, unlike the CCPA, there is no clear authorization for any regulations to clarify these issues. There may be amendment possibilities before the law’s effective date.
The role of consumer groups. Some of the relevant privacy advocacy groups intervened late in this debate to encourage more consumer-protective provisions, focusing on a private right of action (among other items). This was an interesting gamble as it could have resulted in no law at all. Will these groups get involved and have more impact in other states—and will their efforts present an impediment to prompt action in other states?
No private right of action. The Virginia law does not include any private right of action. That was an important point of controversy for privacy advocates, and a clear win for companies. But it may backfire in the national debate, where a private cause of action is a key element of the discussion.
Will this law motivate other states and will it provide a model? Will this law motivate other states to act? While the CCPA generated enormous attention around the country, actual state legislation has been slower than many expected. This law may provide some encouragement—by giving states some confidence of a path forward. We are keeping an eye out for legislation in the state of Washington (the CDPA was modeled after the Washington Privacy Act), as well as New York, Florida, and Oklahoma.
The CDPA may also provide an alternative legislative model to the CCPA, as the CCPA has meaningful drafting problems independent of the substance. There are some notable differences between the two laws that may play out in other states considering privacy legislation, such as the CDPA’s lack of a private right of action and how broad the CDPA’s exemptions are compared to those in the CCPA.
What impact will this have on the federal debate? Will this law push the federal debate forward? Probably, but not much on its own. Our prediction is that once three to five states act beyond the CDPA, then there will be real pressure—mainly from corporate America—for Congress to pass a national privacy law. And the baseline for a federal law grows with each state law. Virginia becomes the second of these three to five states.
What’s going to happen before the law takes effect? The law is scheduled to go into effect on Jan. 1, 2023. The CCPA had a shorter compliance lead and had several legislative amendments, along with regulations that made important clarifications to the law. The updated version of the CDPA creates a working group that is responsible for reviewing issues related to the law’s implementation. The question is: How much will this law change before companies have to comply?
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kirk J. Nahra is a partner with WilmerHale in Washington, D.C., where he is the co-chair of the firm’s global Cybersecurity and Privacy Practice. He teaches privacy issues at several law schools, serves as a fellow with the Cordell Institute for Policy in Medicine & Law at Washington University in St. Louis, and as a fellow with the Institute for Critical Infrastructure Technology.
Ali A. Jessani is an associate in the Cybersecurity and Privacy Group at WilmerHale and is based in Washington, D.C. He counsels clients on the privacy, cybersecurity, and regulatory risks presented by new and proposed uses of technology and consumer information.