Both coasts of the United States now have jurisdictions with privacy laws. Virginia has joined California in protecting the privacy of its citizens by passing its own comprehensive privacy law. The Virginia Consumer Data Protection Act (“CDPA”) was signed into law by Virginia’s governor on March 2, 2021.
The CDPA is similar to California’s privacy laws but does contain some notable differences. Under CDPA, entities may be covered by the law if they conduct business in Virginia or target Virginia residents with products or services. Like California, the CDPA has thresholds for when businesses are covered. The entity must either control or process the personal data of at least 100,000 consumers during a calendar year, or control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from personal data sale. However, unlike California’s privacy laws, the CDPA does not include a revenue threshold requirement. This allows larger organizations to be exempt from the CDPA if it does not fall under one of the two thresholds described.
Also diverging from California, Virginia more narrowly defines consumer as “a natural person who is a resident of the Commonwealth acting only in an individual or household context." It explicitly excludes a person who is "acting in a commercial or employment context." Based on this definition and exclusion, the Virginia CDPA excludes employee data from coverage. CDPA also applies only to the exchange of personal for monetary consideration, differing from California’s inclusion of “other valuable consideration.” The CDPA also excludes certain transfers of data from its definition of sale and also exempts five categories of entities. There are also fourteen categories of exempted datasets, notably including information regulated by the Fair Credit Reporting Act, information covered by the Drivers Privacy Protection Act, and specific employee and job applicant data. Like its California counterpart, the CDPA includes various rights enjoyed by Virginia residents as well as obligations for covered entities. Keep in mind that this blog post touches briefly on the CDPA and that its intricacies should be reviewed more closely to determine how it applies to your organization.
Even if your company is not now impacted by the Virginia CDPA or the California privacy laws, it may be in the future as additional states consider privacy legislation. California and Virginia are likely not the only states who will enact laws protecting the privacy of their residents, and we may even see a broad federal privacy law in the coming years. If you would like AccuSource to provide a complimentary review of your current background screening compliance program, please contact us at email@example.com.