Consumer Rights: Virginia Consumer Data Protection Act Series (Part Two)

Download PDF 

As we noted in Part One of this Series, which provides an introduction and overview of the Virginia Consumer Data Protection Act, most privacy laws – including those adopted in the United States – are built on the Fair Information Practice Principles (FIPPs). In part, the FIPPs establish a framework for allowing consumers to have more say over how their information is collected and used. To this end, the Individual Participation Principle states that an individual should have the right to access to, correct, and delete their personal information.

Building on the Individual Participation Principle, the passage of the California Consumer Privacy Act of 2018 (CCPA) made California the first state to provide consumers with individual rights designed to give more control over the personal information that businesses collect about them. Less than two years later, the California Privacy Rights Act of 2020 (CPRA) amended the CCPA by, among other things, modifying the rights afforded to consumers. Most recently, on March 2, 2021, Virginia became the first state to follow in California’s footsteps with the passage of the Consumer Data Protection Act (CDPA). While similar to California in affording consumers certain rights over their personal information, the rights created by Virginia are different in several key respects. The below chart previews how the two states differ with respect to this issue. We then discuss each right in turn.

Right to Access

The CCPA grants a consumer the right to obtain from a business[1]: (1) the categories of personal information[2] it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting or selling the personal information; (4) the categories of third parties with whom the business shares personal information; and (5) the specific pieces of personal information collected about that consumer. The CCPA imposes a 12-month lookback from the time of the request.

The CPRA will extend that 12-month window indefinitely (beginning January 1, 2022) [3], requiring that businesses provide access to all categories of personal information collected “unless doing so proves impossible or would involve a disproportionate effort.” Neither “impossible” nor “disproportionate effort” are defined by the CPRA.

Virginia’s access right does not include disclosure of any categories of information or the business or commercial purposes for collecting or selling the personal information. Instead, Virginia consumers have the right to (1) confirm whether or not a controller is processing the consumer’s personal data and (2) access such data (likely similar to the CCPA’s requirement that businesses disclose “the specific pieces of personal information collected”). Unlike the CCPA, there is no look-back period limiting the data that must be disclosed.

Right to Delete

Under the CCPA, California residents have the right to request that a business delete any personal information about the consumer which the business collected from the consumer. Upon receipt of a request to delete, businesses are required to delete the consumer’s personal information from its records (subject to certain exemption) and direct its service providers[4] to do the same.

Though leaving the basic framework established by the CCPA intact, the CPRA expands the consumer’s “right to delete” in several key respects. In addition to directing service providers to delete consumer’s personal information from their records upon receiving a verifiable consumer request, the CPRA also requires businesses to notify “contractors” to delete the personal information, “and notify all third parties to whom the business has sold or shared such personal information, to delete the consumer’s personal information, unless this proves impossible or involves disproportionate effort.” The CPRA does not, however, define what qualifies as “disproportionate effort.” Finally, the CPRA places direct obligations on service providers and contractors that have been notified of a deletion request by the business to in turn notify any service providers, contractors or third parties who may have accessed such personal information from or through the service provider or contractor.

The CDPA affords Virginia consumers a more expansive right to delete by mandating that, upon receipt of an authenticated consumer request, a controller delete personal data provided by or obtained about the consumer, rather than just data collected “from the consumer,” as is the case with the CCPA. And while there is no express requirement that a controller instruct third parties with whom the consumer’s personal data was sold or shared to delete that data, the CDPA does require that processors assist controllers in fulfilling the controller’s obligation to respond to a consumer rights request, including a deletion request, “taking into account the nature of the processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable.” The phrase “reasonably practicable” is not defined.

Right to Correct Inaccuracies

The right to correct refers to the ability of a person to request that a business rectify any inaccuracies in the personal information that it holds about them. While the California Online Privacy Protection Act (CalOPPA) encourages businesses to consider offering customers the opportunity to review and correct their personal information, the California legislature did not include this right within the CCPA. Unlike the CCPA, however, CPRA does contain a right to correct inaccurate information. Specifically, the CPRA provides consumers with the right to “request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information ….” Further, if such a request is received, a business is required to “use commercially reasonable efforts to correct the inaccurate information.”

Similarly, Virginia’s CDPA provides that a consumer has the right “[t]o correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.” The types of processing that may not warrant correcting consumers’ personal data is not defined by the CDPA. One potential example, however, may be data that is used to detect security incidents or fraud. Another example could be where the business has a legal obligation to preserve the data, such as when there is a lawsuit that concerns the data that a consumer has requested be corrected.

Right to Opt-Out of Sale or Other Transfers

The CCPA gives consumers the right to direct a business not to sell their personal information to a third-party. “Sell” is expansively defined in the CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The CCPA clarifies, however, that the following activities do not qualify as “sales”: (i) disclosing data at the direction of the consumer; (ii) using and identifier to alert third parties that a consumer has opted-out; (iii) sharing information with service providers so long as the service provider does not use or sell the personal information for their own purposes; and (iv) disclosing personal information as an asset in a merger, acquisition or similar transaction.

The CPRA expands the CCPA’s opt-out right in several respects:

• to allow a consumer to opt-out of the “sharing” of personal information, which is defined as the transfer or making available of a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”;

• to allow a consumer to limit the use and disclosure of “sensitive information” to that “which is necessary to perform the services or provide the goods reasonable expected by an average consumer who requests such goods and services,” subject to certain exemptions; and

• to request information about the logic behind, a description of the likely outcome of and to opt-out of the use of automated decision-making technology in connection with decisions about the consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

By contrast, Virginia’s CDPA gives consumers the right to “opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”

Importantly, a “sale” of personal data is more narrowly defined than it is in the CCPA or CPRA. Indeed, Virginia limited its definition of “sale” to “the exchange of personal data for monetary consideration by the controller to a third party,” and therefore did not incorporate the controversial “other valuable consideration” language found in the CCPA. Critics of the CCPA often note that the phrase “other valuable consideration” is so broad that any exchange of personal information could arguably meet the CCPA’s definition of “selling.” By not including this language in its own definition, Virginia has simplified what qualifies as “sale” to only those instances where personal data is exchanged for money.[5]

Virginia’s CDPA also excludes from the definition of “sale” the disclosure of personal data: (i) to a processor; (ii) to an affiliate; (iii) that the consumer “intentionally made available to the general public via a channel of mass media” and “did not restrict to a specific audience”; or (iv) is disclosed as an asset in a merger, acquisition or similar transaction.

Right to Data Portability

The CCPA gives consumers the right to obtain a copy of their personal information “in a readily useable format that allows the consumer to transmit [the] information from one entity to another entity without hindrance.” In effect, this requirement gives consumers a data portability right, since they can migrate their personal information from one business to another offering similar services. This right was modified by the CPRA to require businesses provide copies of the personal information obtained from the consumer “in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at the consumer’s request without hindrance.”

The CDPA provides a more limited right to data portability. First, the CDPA only requires that the controller provide a portable copy of the personal data “that the consumer previously provided to the controller,” not all of the data that was collected concerning the consumer. Second, the requirement that, to the extent technically feasible, the data be provided in a readily useable format that allows the consumer to transmit the data to another controller without hindrance is limited by the provision that such format is only required “where the processing is carried out by automated means.” The phrase “where the processing is carried out by automated means” is also not defined or further explained. The CDPA, however, defines processing as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage disclosure, analysis, deletion or modification of personal data.” By adding the plain meaning of automated (not requiring human intervention), the phrase may limit a consumer’s right to receive a portable and readily usable copy of the data solely to data that is processed without human intervention.

Right to be Free from Discrimination

The CCPA prohibits businesses from “discriminating” against consumers who exercise the rights granted to them by the CCPA but does not define this central term. Instead, the CCPA provides a non-exclusive list of practices that may qualify as discriminatory, such as:

• Denying goods or services to the consumer;
• Charging different prices or rates for goods or services;
• Providing a different quality of goods or services; and
• Suggesting that the consumer may receive a different price, rate, level or quality of goods or services.

The CCPA further states, however, that a business may charge a consumer a different price or rate or provide a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data and that a business may offer financial incentives as compensation for the collection, sale, or deletion of the consumer’s personal information. The CPRA further clarifies that the anti-discrimination provision “does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs.”

Like the CCPA, Virginia’s CDPA also does not clearly define what constitutes discrimination. Instead the CDPA proscribes “processing personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.” It further prohibits a controller from discriminating against a consumer for exercising their CDPA rights, including by “denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.” The CDPA clarifies however that a controller is permitted to offer “a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee” if the consumer has exercised the right to opt out or “the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.”

Right to an Appeal

While not necessarily a separate consumer right, the CDPA provides to consumers the right to appeal a data controller’s refusal to take action on a consumer’s request to exercise their other rights. The CDPA mandates that a “controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable time after the consumer’s receipt of the decision.” The right to appeal must be “conspicuously available” and similar to the process for submitting a consumer request to exercise the other personal information rights. Further, if the appeal is denied, the controller is required to provide the consumers with a method through which the consumer may contact the Virginia Attorney General to submit a complaint. Neither the CCPA, nor the CPRA, contain a comparable obligation.

[1] The CCPA and CDPA utilize the defined term “business” to refer to an entity that alone, or jointly with others, determines the purposes and means of processing of personal information. The CDPA refers to this entity as a “controller.”

[2] The CCPA and CPRA use the term “personal information” which is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CDPA uses the term “personal data” which is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” We use the term “personal information” when discussing the CCPA and CPRA and the term “personal data” when discussing the CDPA.

[3] The CPRA only applies to personal information collected by a business on or after January 1, 2022. Otherwise, the provisions of the CCPA apply.

[4] The CCPA and CDPA refer to the entity that processes personal information on behalf of a business as a “service provider.” The CDPA refers to that entity as a “processor.”

[5] Virginia’s approach to the Right to Opt Out is similar to the approach taken by Nevada. For further information on Nevada’s law, see our article in Law360, Key Differences in Nev. And Calif. Data Privacy Laws.