Virginia's new data protection law
Yes, Virginia, there is data privacy
“Virginia is for lovers” has been the state’s tourism and travel slogan since 1969, and as of late, that includes privacy lovers. On March 2, 2021, Governor Ralph Northam signed Virginia’s Consumer Data Protection Act (CDPA), the nation's second state-level privacy legislation. Move over CCPA, you’re not the only game in town anymore!
However, the news seemed to have landed with a thud. Absent were the ripples and fanfare we witnessed with the California Consumer Privacy Act. Perhaps your organization’s head of legal alerted you to the law, but otherwise no one seems to be paying much attention to the CDPA. That’s a problem, for many reasons.
Virginia is the country’s 12th most populous state, with an estimated population approaching 8.6 million people – on par with the populations of Israel, Papua New Guinea, Serbia, and Switzerland. Virginia’s GDP ranks 13th in the United States, and it contributes 2.6% to overall GDP. It’s home to many government organizations, including the Pentagon. And Amazon’s Elastic Compute Cloud (us-east-1) data center, which powers a significant portion of today’s internet, is also physically located in Virginia (a topic that would gain prominence if privacy legislation seeks to regulate where data is physically stored).
Virginia’s data privacy law will force companies that conduct business in Virginia to get residents’ permission before they can process their personal data and give residents more control over their data, including the ability to delete or correct personal information. There are many parallels to CCPA and Europe’s General Data Protection Regulation (GDPR), yet some have complained that it has no teeth or doesn’t go far enough to protect consumer data. The law will take effect on Jan. 1, 2023 – the same day that the California Privacy Rights Act (CPRA, or colloquially referred to as CCPA 2.0), which strengthens CCPA, goes into effect.
As exciting (?) and necessary as it is to give consumers more agency on what happens with the data that is collected on them by various digital (and traditional, offline) aggregators, we firmly believe that this type of state-level legislation isn’t the best way to move forward.
One of the key advantages of the US market is its size: It’s the world’s largest consumer market, with 328 million people, $20.8 trillion in GDP, and $225.79 billion in annual media spend. That heft played a pivotal role in the creation of our very strong internet-driven economy, but state-level privacy laws have the potential to carve our big, borderless, and cohesive market into 50 smaller markets that must then determine how to work with one another. As we know from nursery rhymes, putting Humpty Dumpty back together once he’s been broken is no small task.
(Humpty Dumpty, shown as a riddle with answer, in a 1902 Mother Goose story book by William Wallace Denslow)
Multiple state-level privacy laws may also increase the costs of compliance and open the door to nuisance suits. We could easily imagine a cottage industry of bad actors emerge to file lawsuits whose sole objective is to score quick settlements, like we’ve seen emerge with patent trolls.
A patchwork of privacy laws puts onus on enforcement. Yet leaving this function at individual state levels almost guarantees a lot of duplication and investment of resources that could be going to other needs. The other gating factor is talent: While experts may be easier to find in larger states, government salaries likely won’t hold much sway over professionals who command much higher compensation in the private sector; that challenge will certainly be amplified in smaller states where the talent pool might not be too deep to begin with. In contrast, the federal government has the Department of Justice, Federal Trade Commission and similar agencies where centralizing investment in expertise development can benefit multiple states and provide better resources for privacy regulation enforcement.
Operationally, the lack of a federal privacy law likely means that companies will roll out whichever state’s version is most restrictive across the board because it will be too cumbersome to comply with state-level differences. This will create a de facto national standard. In other words: Texas, welcome to California.
The law(s), in brief
As with most privacy regulation, CDPA was heavily inspired by its predecessors GDPR and CCPA. Some notable highlights of the new legislation are:
Covered businesses: Does your company control or process the personal data of more than 50,000 Virginia residents? If yes, Virginia’s CDPA applies to you. Same goes if your company controls or processes the personal data of 25,000 residents and half of your revenue comes from the sale of that personal data. CCPA, in comparison, has a revenue threshold that forces businesses with gross annual revenue of more than $25 million to comply; companies that buy, receive, or sell the personal information of 50,000 residents or more are covered (this increases to 100,000 residents under CPRA). So are companies that get more than half of their revenue from the sale of personal information (extended to the sharing of personal data under CPRA). GDPR requires any company that processes the personal data of citizens within EU countries to comply if it has more than 250 employees, regardless of EU presence. Smaller companies that process certain types of sensitive data or whose data processing affects the data rights of EU citizens must also follow the law.
Consent: CDPA is an opt-in law, which means consumers are automatically opted out, forcing companies to get explicit consumer consent before they can process residents’ personal data. GDPR is also opt-in, while CCPA is opt-out, so companies can automatically collect personal information in the Golden State but must first provide notice to consumers. Under CCPA, California residents have the right to request that companies stop selling their personal data, which they must honor with some exceptions. CPRA extends residents’ opt-out rights to personal information used in cross-context behavioral advertising.
Who is protected: CDPA narrowly defines a consumer as a resident that acts in an individual or household context, not a business or commercial context, so the law doesn’t cover employee data or business contacts. Under CPRA, California's employee and B2B exemptions will be terminated permanently when the law goes into effect on Jan. 1, 2023. GDPR protects data subjects, which are defined as identified or identifiable individuals; employee and client data is protected under the law.
Consumer rights: CDPA gives consumers core rights that are similar to GDPR, while CPRA significantly expands CCPA’s consumer rights. Specifically, Virginia residents will gain the right to: access their personal information that is being processed; correct inaccuracies; delete personal data; personal data portability; opt of data processing for the purposes of targeted advertising or the sale of their data; and appeal a company's denial to act within 45 days. Under CCPA and CPRA, consumer rights include: knowing what personal data is collected; deleting and correcting personal data; opting out of third parties selling or sharing their data; limiting the use of their sensitive personal information; and opting out of automated decision-making. GDPR gives European residents the right to be informed of the personal data that is collected about them; correct inaccurate data; delete personal data; restrict the processing of their personal data; data portability; and to opt out of automated decision-making.
Enforcement: Virginia’s state attorney general will have discretion over enforcement of CDPA, which limits Virginia residents’ right to sue companies that violate the law. A Consumer Privacy Fund will allocate funding for enforcement, and companies get a 30-day cure period to correct violations without incurring penalties, including fines of up to $7,500 per violation. Under CCPA, residents can only sue companies under the law if there is a data breach in limited circumstances. Only California’s AG can file lawsuits against businesses under CCPA, but CPRA establishes the California Privacy Protection Agency and gives it investigative, enforcement and rulemaking powers. CPRA also tripled the maximum fine to $7,500 for violations related to minors and removed the CCPA’s 30-day cure period. In Europe, the EU’s Information Commissioner’s Office (ICO) enforces GDPR; fines may total 4% of a company’s annual turnover or 20 million euros (~$24 million), whichever is greater, per violation. Individuals are given a private right of action, so they can sue violators for damages.
The varying nuances underscore the need for a federal privacy framework that would eliminate confusion and uncertainty for businesses and consumers alike. Virginia clearly borrowed many concepts from GDPR and CCPA, but was the use case in Virginia so different from California that the state had to create an entirely new law? Another gripe: We have CCPA, CPRA, and now CDPA. Why couldn’t Virginia name the law in such a way that its acronym would begin with a letter other than C? This acronym salad presents a glimpse into the fast-approaching reality of having to keep track of and somehow understand 50 state-specific four-4 letter combinations. And who is the Virginia law really protecting? Consumers seem to be largely unaware of most privacy regulations, which typically place greater burdens on small businesses due to the costs of compliance. Privacy laws are theoretically aimed at reining in the largest data aggregators (aka Big Tech), but those companies are best equipped to handle compliance costs and complexity. As a result, in the near term and contrary to their authors’ intent, privacy laws end up giving the tech giants yet another advantage.
One question
Between CDPA in Virginia and CCPA in California, some 48 million Americans now have some type of privacy and data protection. What about the roughly 280 million rest of us?
Dig deeper
Thanks for reading,
Ana & Maja
Enjoyed this piece? Share it, like it, and send us comments (you can reply to this email).
Who we are: Sparrow Advisers
We’re a results oriented management consultancy bringing deep operational expertise to solve strategic and tactical objectives of companies in and around the ad tech and mar tech space.
Our unique perspective rooted deeply in AdTech, MarTech, SaaS, media, entertainment, commerce, software, technology, and services allows us to accelerate your business from strategy to day-to-day execution.
Founded in 2015 by Ana and Maja Milicevic, principals & industry veterans who combined their product, strategy, sales, marketing, and company scaling chops and built the type of consultancy they wish existed when they were in operational roles at industry-leading adtech, martech, and software companies. Now a global team, Sparrow Advisers help solve the most pressing commercial challenges and connect all the necessary dots across people, process, and technology to simplify paths to revenue from strategic vision down to execution. We believe that expertise with fast-changing, emerging technologies at the crossroads of media, technology, creativity, innovation, and commerce are a differentiator and that every company should have access to wise Sherpas who’ve solved complex cross-sectional problems before. Contact us here.