This is the second installment of our summary of the Virginia Consumer Data Protection Act (“VCDPA”). In our first post, we covered the goals of the law as well as its applicability and thresholds, what qualifies as personal data, the consumer rights created by the VCDPA, and introduced the concepts of controllers and processors. In this post, we address some of the specific requirements for controllers and processors, as well as de-identification and pseudonymization of personal data, and enforcement of the VCDPA.
As discussed in Part I, a controller under the VCDPA is a business that, alone or jointly with others, determines the purposes and means of processing personal data. Controllers are required to post accessible, clear, and meaningful privacy notices. The notices must include (i) the categories of personal data processed by the controller; (ii) the purposes for processing personal data; (iii) instructions about how consumers can exercise their rights under the VCDPA, including how to appeal a controller’s decisions; (iv) the categories of personal data that the controller shares with third parties; and (v) the categories of third parties with which the controller shares personal data.
A processor is an entity that processes personal data on behalf of a controller. Controllers must have a contract with each processor that includes instructions for processing data and specifies the nature and purpose of processing, the type of data subject to processing, and the duration of processing. Additionally, the contract must (i) require that each person processing personal data is subject to a duty of confidentiality; (ii) require the processor to delete or return all personal data as requested at the end of the provision of services, unless retention of the personal data is required by law; (iii) require the processor to make available to the controller information necessary to demonstrate the processor’s compliance with the VCDPA; (iv) require the processor to cooperate with reasonable assessments by the controller, or to provide a report from a qualified, independent assessor’s assessment of the processor’s policies and technical and organizational measures, using an appropriate and accepted control standard or framework and assessment procedure; and (v) require that any subcontractor be engaged pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data. Additionally, processors must adhere to the instructions of a controller and assist the controller in fulfilling consumer rights requests, conducting data protection assessments, and meeting the controller’s data security and data breach notification requirements.
Data protection assessments are used to evaluate the risks and benefits of certain processing that is considered higher risk under the VCDPA. A data protection assessment must identify and weigh the direct and indirect benefits gained from the applicable processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, can also be factored into a data protection assessment.
A controller is required to perform and document a data protection assessment if (i) it utilizes targeted advertising; (ii) it is party to the sale of personal data; (iii) it processes personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (b) financial, physical, or reputational injury to consumers, (c) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person, or (d) other substantial injury to consumers; (iv) it processes sensitive data; or (v) its processing activities involve personal data that presents a heightened risk of harm to consumers.
De-identified data is not subject to consumer rights requests. Additionally, personal data is not subject to consumer rights requests if the controller (i) is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; (ii) does not use the personal data to (a) recognize or respond to the specific consumer who is the subject of the personal data, or (b) associate the personal data with other personal data about the same specific consumer; and (iii) does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except for the disclosures described below.
Pseudonymous data means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. The consumer rights in the VCDPA do not apply to pseudonymous data as long as the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.
A controller that discloses pseudonymous data or de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
The VCDPA does not have a private right of action. Rather, the Virginia attorney general is tasked with enforcement. However, before filing suit, the attorney general must notify a controller or processor that it has violated the VCDPA. The controller or processor then has 30 days to notify the attorney general that the violation has been cured. If the violation is not cured within the cure period, the attorney general can initiate an action in court against the controller or processor and seek fines of up to $7,500 per violation. Additionally, controllers and processors may be required to reimburse the state for reasonable expenses in investigating and preparing the case, including attorneys’ fees. The fines levied under the VCDPA and the reimbursed costs are paid into a dedicated fund that will be used in the enforcement of the VCDPA. If VCDPA violations become a source of funding for the enforcement of the VCDPA, there is reason to believe the Virginia attorney general will be highly incentivized to aggressively enforce the statute. Controllers and processors subject to the VCDPA would do well to take note and be prepared for the January 1, 2023 effective date.