Translating Virginia’s New Data Protection Act

Below, I have gone through the new law which Virginia passed last year that is intended to protect our personal data. I have translated the sections that directly apply to consumer use and summarized those that do not, with references on where to find the rest of that information. I did this because these laws are never written in plain English, and accessibility for something like this is important. This is not legal advice, simply a plain-English translation of the actual language, and I do not represent how the courts will actually interpret or apply this law.

There are serious limits to this protection, the biggest one being that you must exercise your rights separately with every business/website/company that has your data, and it explicitly and clearly does NOT create a right to sue for a violation: it lets the AG fine or penalize companies instead, and no civil suit is created by this law. For this to apply to any particular company, the company must either process the data of more than 100,000 people, OR process the data of more than 25,000 people AND get 50% or more of its income from the sale of personal data. There are several exemptions, including credit reporting agencies, health care, government and several others. If you’re not sure, check § 59.1-576 for the rest.

To request that companies comply with this law, you will likely need to make requests in writing. The legislature left out any actual mention that companies have to allow electronic communication; it only says the method should be based on security and on how the company usually communicates with you. That was probably meant to let you do it by email, but all of these companies require you to communicate by mail to enforce various other rights, so assume they are going to require that here too.

Consumer is you, the person using the service.

Controller is the company that is directly collecting the data from you.

Processor is a third party handling the data for them. Usually this is something like a payment processor, but it could also be any part of the service they provide that is actually delivered by a third party handling the data directly.

§ 59.1-577.

A. You may make a request to a party that controls the data, specifying which rights you wish to invoke (this would have to be done for every controller). For now you should MAIL it, as the code did not specify a method and most of these retailers require all similar requests to be submitted in writing. You may request:

  1. Do they even have your data?
  2. They must allow you to correct inaccuracies within limits (not clearly defined)
  3. To DELETE personal data obtained about you
  4. To obtain a copy of their data, where at all possible in a format that can easily be transmitted to someone else if you want to transfer the info to another institution
  5. To opt out of the processing of your data for the purposes of:
    • Targeted advertising
    • The sale of personal data
    • Profiling to produce legal or other significant effects on the consumer (I’m guessing this is meant to be predictive behavioral algorithms but that isn’t what it says so we shall see).

(The following is an aggregate interpretation of the general rules of the remaining subsections for ease of understanding; it is broken down by type for the purposes of enforcing the law.) They must respond within 45 days, and may extend that by an additional 45 days with notice and a reason for doing so. The information must be provided free of charge up to 2 times a year; if requests from a particular individual become a significant burden, they can charge a small, reasonable amount or decline to act on them (so don’t harass the companies or they can basically ignore you).

If they get a request such as a deletion request for data about you that they obtained from a third party, they must treat it the same way, keeping just enough of a record to show your preference and that it was carried out.

All Controllers must set up an appeals process, and it must be conspicuous and easy to use. They must respond within 60 days and, if they deny the appeal, give you the info to complain to the Attorney General.

§ 59.1-578.

A. Data controllers are required to:

  1. Limit data collection to what is reasonably necessary for the purposes the data is being processed for, in line with whatever they told you it was for.
  2. How exactly this will be applied is still undetermined.
  3. They must implement reasonable admin, tech and physical data security to protect the data appropriate to the volume and nature of that data.
  4. The companies may not discriminate against you for opting out (BUT they can offer basically any incentive they want for you opting in).
  5. They may not process sensitive data without explicit consent, or, in the case of a child, without following the Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.).

B. Any contract or agreement which waives the rights under this section is void as against public policy.

C. They must provide a clear and ACCESSIBLE privacy notice that includes:

  1. The categories of personal data they process.
  2. The reason they are processing that data.
  3. How to exercise your rights under § 59.1-577 (opting out, etc.) and how to appeal their decisions.
  4. The categories of data they share with 3rd parties, if any.
  5. The categories of 3rd parties they share that data with.

D. If they sell data to 3rd parties or use it for targeted advertising, they must clearly and obviously post that, and how to exercise your right to opt out.

E. They must establish and post in their privacy notice one or more secure and reliable means for you to submit the request to exercise your rights, which must take into account the ways you normally interact with the controller, the need for secure and reliable communications, and their ability to authenticate your identity. They can’t force you to make a new account, but they can require you to use an existing one.

§ 59.1-579.

This section deals with the relationship between the Processor of the data and the Controller (the website or company). It doesn’t really deal with Consumer rights explicitly, only with the Processor’s obligation to comply with the requirements the Controller passes on to it based on your requests to exercise your rights.

§ 59.1-580.

A. The Controller must conduct and document a data protection assessment for each of the following processing activities which involve personal data:

  1. How they process data for targeted ads;
  2. The sale of personal data;
  3. Processing of personal data for the purposes of profiling, where that profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of consumers, or an unlawfully different (disparate) impact on them; (ii) financial, physical or reputational injury to consumers; (iii) a physical or other intrusion on the privacy or private affairs or concerns of the consumer, where that intrusion would be offensive to the reasonable (average) person; or (iv) other substantial injury to consumers;
  4. The processing of sensitive data; and
  5. Any processing actions which involve personal data and present an increased risk of harm to consumers.

B. The assessments conducted under subsection A must identify and weigh the benefits from processing to the controller, the consumer, other parties, and the public against the potential risks to the rights of the consumer that come from the processing, taking into account any safeguards which reduce the risk. They must also factor in the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the consumer and the controller.

C. The Attorney General (“AG”) may request, pursuant to a civil investigation, that a controller disclose any data protection assessment relevant to the investigation, and the controller must make it available. The AG may evaluate the assessment to make sure they are following the requirements, but these assessments are confidential and exempt from public inspection and copying under the Virginia Freedom of Information Act, and turning one over to the AG does not waive any of the privileges attached to it that would keep you from getting your hands on it.

D. If the other processing actions they take are similar, they may opt to do just the one assessment.

E. If they do a data protection assessment for compliance under some other law or regulation that is reasonably comparable in scope, that is good enough.

F. These assessment requirements only apply to processing activities created or generated after Jan 1, 2023 and are not retroactive.

§ 59.1-581.

This section deals with the various requirements for so-called ‘de-identified’ data, meaning data that allegedly is not associated with your real identity in any way. The parts that are directly relevant to the average citizen are:

C. They are NOT required to comply with the rights in the first section of this translation/interpretation (§ 59.1-577) if:

  1. They can’t reasonably associate the data with you, or it would be unreasonably burdensome for them to do so.
  2. They do not use the personal data to recognize or respond to a specific person whose data it is, or associate that data with other personal data about the same person.
  3. They don’t sell personal data to any third party or otherwise voluntarily disclose to any third party other than a Processor, except as permitted in this section.

D. Your rights can’t be exercised if they can prove that any information necessary to identify you is kept separately and is under effective tech and organizational barriers that prevent the Controller from actually accessing it.

E. If they disclose de-identified data or data with pseudonyms attached, they must exercise “reasonable” oversight to make sure that they are in compliance with any contractual commitments to which that data is subject (so if they made contract promises to you, they have to make sure they are enforced on this data as much as reasonably possible) and must take appropriate steps to deal with any violations of those contracts that do happen.

§ 59.1-582.

A. This section lists all the things the law DOES NOT restrict or prevent, including:

  1. Compliance with all applicable laws.
  2. Complying with government investigations.
  3. Cooperating with law enforcement if they believe your activities violate the law.
  4. Their ability to investigate and handle legal claims.
  5. Providing a product or service you ask for, or performing a contract that you’re a party to.
  6. Taking steps to protect an interest that is essential for the life or physical safety of you or another person, where the processing cannot be based on another legal basis (this is the ripcord option: in an emergency involving the life or physical safety of a real person, they can respond as appropriate).
  7. Their ability to take security steps to prevent, detect or respond to security threats, identity theft, fraud, harassment, malicious or deceptive activities, or anything illegal; they may also act to preserve the integrity or security of their systems and to investigate, report or prosecute those responsible for any such attack.
  8. Various types of scientific and statistical research; there are rules for this in here if it is applicable to you.
  9. Helping another Controller, Processor or 3rd party with the obligations under this code section.

B. The obligations under this section do NOT restrict their ability to collect, use or retain data to:

  1. Conduct internal research to develop, improve or repair products, services or technology.
  2. To put out notice of a product recall.
  3. To identify and repair technical errors that are interfering with current or intended functionality.
  4. Perform internal operations reasonably in line with what their customers expect or reasonably anticipate based on their existing relationship with the Controller, or that are otherwise in line with processing data for the purpose of providing a product or service specifically requested by the Consumer or following contracts to which the Consumer is a party.

C. This subsection specifically exempts Controllers from obligations that would violate an evidentiary privilege under the laws of Virginia. Nothing prevents them from providing personal data under those circumstances as part of a privileged communication.

D. This subsection basically says that as long as one party (Controller or Processor) believed the other parties were acting correctly, and did not have actual knowledge that the other party intended to violate or was actually violating this law, it isn’t responsible for the other party’s violation. The reverse is true for any company receiving that data.

E. This section doesn’t interfere with exercise of rights, or the processing of personal data by a person in the course of purely personal or household activities.

F. Personal data that is handled under this section may not be used for any other purpose but those explicitly listed unless explicitly allowed by some other section of the code. Personal data processed under this section may be processed only as far as is:

  1. Reasonably necessary and proportionate to the purposes of the section.
  2. Adequate, relevant, and limited to what is actually necessary to the purpose. Any data processed under subsection B shall be subject to related uses only and must be protected ‘reasonably.’

G. Any data processed under this section’s exemptions places a burden on the controller of demonstrating that the processing in fact qualifies and complies with the requirements in F.

H. If the only thing the entity does is process data for the purposes of subsection A (government), that doesn’t make them a Controller for the purposes of this law.

§ 59.1-583.

If the AG has reasonable cause to believe any person or entity is violating this chapter, they are empowered to issue civil investigative demands.

§ 59.1-584.

A. The AG has exclusive authority to enforce this law (meaning you can’t sue; you must go through the AG).

B. Before initiating action, the AG is to provide 30 days’ written notice which specifically points to the parts of the law the AG believes are being violated. If within that period the Controller or Processor fixes the problems identified and notifies the AG in writing that they have done so and that no further violations will occur, no further action is taken.

C. If they continue to violate the law after the 30-day period, or if they violate that written statement, the AG may initiate action on behalf of Virginia, may seek an injunction to prevent further violations, and may seek up to $7,500 for each violation.

D. The AG can recover any reasonable expenses from the investigation, including attorney’s fees.

E. This part clearly tells you that there is no way to sue under this law, you must go through the AG.