Virginia CDPA: Stepchild of GDPR, Cousin of WPA, Second Cousin of CCPA
Less than two months into 2020, Virginia is poised to become the third state to enact a comprehensive consumer privacy bill, following California (twice) and Nevada. As of this writing, identical versions of the bill have been passed by the House and Senate, setting the Consumer Data Protection Act (CDPA) (SB 1392, HB 2307) up for a trip to Gov. Northam’s desk. The Virginia trial bar is engaged in a last-ditch effort to have the bill sent back to the legislature to add a private right of action, so stay tuned. If enacted, the CDPA has an effective date of January 2023, which is surely familiar to privacy pros, because it’s the same date as California’s substantially revised California Privacy Rights Act (CPRA).
However, Virginia’s bill is not a California Consumer Privacy Act (CCPA) clone. In fact, as discussed below, it takes more inspiration from the European Union’s General Data Protection Regulation (GDPR) and its cousin legislation, the much debated but not yet passed Washington Privacy Act (WPA), than it does from the CCPA or the CPRA. The CDPA adopts the GDPR definitions of controller, processor, and third party, but it also has a definition of “affiliate” that mirrors the CCPA definition of a business.
There are already several detailed summaries of the CDPA, such as this good piece by BakerHostetler, and a blog post by the Future of Privacy Forum. After this bill is enacted by the Governor, the NAI will provide a more detailed analysis and hold discussions with members about implementation. But for now, it’s useful to take stock of some key elements and takeaways regarding how it compares to these other models, and what its expected enactment may mean for future bills.
Creating a set of consumer “rights,” or increasing consumers’ control over their data, is table stakes for any new privacy legislation, state or federal, but no two are alike. One of the primary unanimous elements of privacy discussions globally is the need for a clear set of rights that establish a baseline for transparency and control around consumer data. At the core of the CDPA are a set of rights that look very familiar—though not identical—to the CCPA, including access, correction, deletion, copying and portability, and of course opt-out requirements. In addition to taking a different approach on the opt-out requirement, the CDPA differs in a couple of key ways (discussed below). Another significant difference with the CDPA is that the right to deletion is a bit broader, applying to data “provided by or obtained about” the consumer, rather than the CCPA’s narrower focus on data which is directly provided by the consumer.
The CDPA reflects the evolution of consumer opt-out rights beyond “sales” of their data, with a specific emphasis on advertising and profiling. It was widely recognized, though not uniformly, that providing for an opt-out of “sales” is not an effective model for consumer privacy legislation. Hence the evolution we’ve seen in the years since the passage of the CCPA; both the CPRA and WPA have expanded to focus on targeted advertising and profiling. This is an area where these models all differ quite a bit. The CDPA maintains the ill-conceived over-reliance on data transfers, but it goes further than the CCPA. The CDPA mirrors its other cousin, the WPA, expanding consumer opt-out to “targeted advertising,” and profiling or automated decision-making. So, while the definition of sale is a bit narrower than the CCPA’s, applying to the exchange of personal data for “monetary consideration,” it addresses ad-tech in substantially more detail. The CDPA provides a meaningful opt-out for consumers, without breaking the internet and pretending—like the CCPA—that transfers of IP addresses or other pseudonymous identifiers for purposes of ad measurement are a meaningful choice and that limiting such transfers is in the best interest of consumers. The CDPA specifically exempts from consumer choice the “processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency,” so that’s a benefit not only for digital advertising, but ultimately for consumers, who prefer ad-supported content. Meanwhile, the CPRA remains by far the least practical model.
The CDPA provides practical incentives for companies to rely on pseudonymous data with adequate controls, an improvement upon other models. The meaningful distinction for pseudonymous data is another key difference, and a reason for the digital ads industry, and pragmatic privacy proponents, to appreciate the CDPA. While the CDPA was crafted carefully so as not to carve pseudonymous data out from the definition of personal information, which would widely be seen as a step too far, it does exempt pseudonymous data from the rights of access, correction, deletion and copies/portability, assuming protections are in place around that data. This is another practical element of the CDPA, one that the NAI has promoted consistently to policymakers because it incentivizes businesses to put meaningful protections in place for consumer data. Specifically, the CDPA only applies this exception to businesses when they are “able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.”
The CDPA reflects ongoing discussions around special treatment of sensitive data, and it looks to become the first opt-in legal requirement for processing sensitive consumer data. The CDPA, like the WPA and the CPRA, defines sensitive data and creates an affirmative opt-in requirement that is “freely given, specific, informed, and unambiguous” pertaining to the collection or processing of this information. The definition is quite similar, though not identical, to the definitions adopted in the CPRA and the WPA, as well as the GDPR’s sensitive category data. Specifically, it is defined as: “(1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal data collected from a known child; and (4) precise geolocation data.” “Child” means a person younger than 13.
The CDPA will be the first opt-in for this data in the U.S., with the CPRA requiring an opt-out, and the WPA not yet enacted. This is a tricky issue for tailored advertising. On one hand, it is consistent with long-held NAI standards to require opt-in for sensitive data, including mental health and sexual orientation, but it also contains a couple of elements which haven’t been deemed sensitive in the advertising context, particularly racial or ethnic data. Multiple other proposed state bills are grappling with how to define and handle sensitive data, and these three bills reflect some emerging consensus around roughly what types of data can be sensitive. The NAI is contemplating more creative approaches with respect to this issue to better balance privacy protection with beneficial and harmless uses of this data, particularly around race and ethnicity.
CDPA reflects increasing support for risk assessments, and these would be required for all advertising. The CDPA would create a new requirement that controllers conduct “data protection assessments” if engaged in a wide range of activities, some of which are not clearly defined, but which do explicitly apply to targeted advertising, personal data sales, processing of sensitive data, profiling based on a set of circumstances and other factors. This is one of several requirements that are similar to the GDPR and also included in the WPA. While risk assessments are already a prudent practice, what makes the CDPA provision concerning for companies is the requirement that the regulator may demand access to the assessment when conducting investigations. This of course opens the potential for a state regulator to engage in fishing expeditions, an activity that has precedent in state political environments.
The CDPA reflects support for practical enforcement, an approach that creates a big target for privacy advocates. The CDPA would be enforced by the attorney general, includes a 30-day cure period, and provides for civil fines up to $7,500, which would go to a Consumer Privacy Fund to provide for enforcement funding. Despite all the failures of the CCPA, it landed—mainly—in a good place on enforcement: It relies on the attorney general and provides a 30-day cure period. Of course, the limited private right of action and open-ended rulemaking have proven to be as ill-advised as expected. The CDPA takes the positive elements from the CCPA, without any private right of action or a mandate for extensive rulemaking. The CPRA compounded enforcement problems in California and eliminated the cure period. AG enforcement and a cure period have been at the core of WPA drafts, but they’re also actively under debate and will likely be the crucial issues that determine whether it crosses the finish line. This remains a topic where industry and the trial bar are diametrically opposed, so it is good that the CDPA took a practical approach.
CDPA reflects further policymaker support for “nondiscrimination” requirements, and it provides for a more practical set of requirements on businesses that reflects American free markets and differential pricing. All of the models we’ve been discussing contain non-discrimination requirements on businesses tied to the choices that consumers exercise about their data. While the CDPA borrows heavily from the language of the CCPA, it makes several key changes that allow companies to offer different prices or service levels to consumers who choose to participate in a “bona fide loyalty, rewards, premium features, discounts, or club card program.” The CDPA also does not contain the same CCPA-style requirements for companies to perform valuations of consumer data. This approach is more practical from a market perspective than the WPA, which could ultimately save Virginia the legal costs of having to defend such limits on American businesses.
Assuming the CDPA is enacted as the next patch in the American privacy quilt, it’s likely to be a mixed bag for digital advertising—and for consumer privacy. It’s far from perfect from either perspective, but it raises the bar on privacy and amounts to the most pragmatic and evolved bill we’ve seen among the states over the last several years. Regardless, it will pose compliance challenges based on many of the key elements discussed above, and hopefully it will serve as further incentive for Congress to enact a national framework.