Virginia is for lovers – and privacy lawyers.
Although California has attracted most of the attention as the first US state to pass and enact comprehensive data privacy legislation, other states, including Virginia, have been swiftly following suit with regulations of their own.
The Virginia Consumer Data Protection Act (VCDPA) went into effect on Jan. 1 of this year, the same day as the California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA).
(Up next: Colorado and Connecticut have privacy laws going into effect on July 1, 2023, and Utah’s privacy law hits on Dec. 31.)
With so much legislative activity happening at once, there’s a tendency for nuance to get lost in the sauce. But despite many similarities between these laws, they aren’t carbon copies of each other – and the differences matter.
“Every law needs to be examined,” said Jason Bier, general counsel and chief privacy officer at identity graph provider Adstra. “That’s a nontrivial exercise, especially if we end up having 50 different state laws in effect.”
VCDPA basics
VCDPA is a hybrid of sorts between California’s privacy laws and Europe’s GDPR, and it borrows concepts from both.
“In terms of toughness, one way to think about Virginia is as a ‘Goldilocks’ law of sorts,” said Fiona Campbell-Webster, chief privacy officer at MediaMath. “It’s not too hot, but it’s also not too cold – maybe somewhere in the middle.”
Virginia’s law applies to any business that controls or processes the personal data of 100,000 or more Virginia residents annually. That threshold drops to 25,000 individuals if a business makes 50% or more of its gross revenue from the sale of personal data.
Under VCDPA, personal data is defined as any information that is or can be reasonably linked to an individual person, such as name, email, phone number or IP address. The law doesn’t cover publicly available information or data that’s been anonymized.
Broadly speaking, VCDPA is an opt-out law. Virginia citizens have the right to opt out of having their personal data processed for targeted advertising or profiling purposes.
But it’s a different story for sensitive personal data.
Like under GDPR (and unlike in California), Virginia’s law requires an opt-in before processing any sensitive personal information, including biometric data, data related to race, health or religious beliefs and data collected from children under 13. (To be fair, GDPR requires that all consent be opt-in.)
Also similar to GDPR, businesses covered by VCDPA need to run data protection impact assessments – basically, an internal audit – for any “high-risk” data processing, including sensitive data and data used for targeted advertising.
Defining targeted advertising
One of the many challenges in complying with multiple state privacy laws is that the terminology used may be similar, but the definitions can differ.
For example, people have the right under CPRA to opt out of having their data sold or shared. CPRA uses the term “cross-context behavioral advertising (CCBA),” which is defined as retargeting someone based on personal information that has been collected across sites. The law also introduces the concept of “sharing,” which means disclosing data to a third party for cross-context behavioral advertising, regardless of whether money changes hands.
Virginia’s law, by contrast, uses the term “targeted advertising,” which it similarly defines as showing ads to people based on personal data obtained from their activities over time across nonaffiliated sites and/or apps.
But VCDPA doesn’t specifically introduce data sharing as a separate concept. And, unlike CPRA, a data “sale” only happens when money is exchanged.
It’s enough to make your head spin.
“If you’re not taking essentially a global approach to compliance, then compliance gets very complicated very quickly,” said Julie Rooney, deputy general counsel and head of US privacy at OpenX.
The compliance multiverse
Taking “essentially a global approach” might be the only way to stay sane and still make at least a good faith effort at compliance.
To help advertisers, publishers and ad tech companies comply with VCDPA and other state-based cousins, the IAB created a contractual framework called the Multi-State Privacy Agreement (MSPA).
Companies that sign on to the MSPA can use it to convey opt-out signals to their partners in the supply chain while still (hopefully) complying with all the various state privacy laws.
The MSPA is “an admirable effort” to create legal and technical standards for compliance, said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals.
But whether the MSPA will pass muster with regulators is an open question. We’ll have to wait for judicial decisions to come before there’s legal clarity, even on some of the basics, like how to interpret certain terms in these laws, Zweifel-Keegan said.
And it’s possible clarity won’t come for some time.
Cases brought by the attorney general are sometimes settled without going to court, so the results aren’t made public.
“These laws might remain vague for decades,” said Adstra’s Bier, “and that’s onerous for businesses that are trying to comply and use their resources as wisely as possible.”
Lights, camera, (no private right of) action
In the meantime, advertisers, ad tech companies and publishers that have already made a good-faith effort to comply with GDPR, CCPA and CPRA “are actually in pretty good shape,” said Dominique Shelton Leipzig, a partner at Mayer Brown and a member of the firm’s cybersecurity and data privacy practice.
And it might be a while until we see VCDPA enforced. There haven’t been any complaints yet, at least not anything public.
Unlike in California, VCDPA does not have a private right of action for security breaches, which means Virginia’s attorney general is the only authority that can enforce the law.
VCDPA also doesn’t have its own privacy-focused data protection agency, as was established in California under CCPA. Therefore, the Virginia AG will have to do all the legwork on cases, and AG offices have lots of other priorities.
Still, it’s better not to run afoul.
Civil penalties under VCDPA can be as high as $7,500 per violation – and it’s worth noting that Virginia is just across the Potomac from Washington, DC. Lots of lawmakers reside in Virginia while Congress is in session, as do their aides and other government employees … and they all use the internet.
Getting on a lawmaker’s radar (and their bad side) by violating their rights under VCDPA could have hairier-than-normal consequences.
Regulators, like attorneys general, have limited time and resources, so they tend to choose cases that are likely to have an outsized impact, Zweifel-Keegan said. Like, for example, a complaint brought by a high-profile person in the government.
“What makes something rise to the level of being worth an attorney general’s time?” he said. “It’s hard to know exactly, but it might just be the fact that someone in power brought it to their attention.”