• The Consumer Data Protection Act applies to Controllers and Processors. An entity is considered a Controller if it (1) conducts business in Virginia; (2) intentionally targets Virginia consumers and (3) either

o Processes the Personal Data of 100,000 or more Virginia consumers; or

o Processes the Personal Data of 25,000 or more Virginia consumers and derives over 50% of its gross revenue from selling Personal Data.

• The Consumer Data Protection Act does not apply to entities that would otherwise fall within the law’s scope if they are governed and regulated by:

o The GLBA;

o The COPPA;

o The HIPAA; or

o The FERPA.

• Additionally, the Consumer Data Protection Act does regulate the collection or use of certain types of information. For example, the Consumer Data Protection Act does not apply to:

o Protected Health Information;

o Patient Identifying Information;

o Data maintained for employment records purposes;

o Protected Health Information;

o Patient Identifying Information;

o Identifiable Private Information;

o Information and documents created by an entity that is covered by HIPAA;

o Information that is regulated by the FCRA; or

o Information governed by the Farm Credit Act.

• Finally, the Consumer Data Protection Act does not limit a Controller or Processors ability to

o Conduct internal research to improve, repair, or develop products, services, or technology;

o Conduct a product recall;

o Identify and repair errors in a product, service, or technology; or

o Perform other internal operations that are reasonably aligned with the reasonable expectations of the consumer based on the direct relationship.

• Under the Consumer Data Protection Act, “Personal Data” does not include Deidentified Data. Because the Consumer Data Protection Act only regulates the collection, use, retention, selling, and processing of Personal Data, Deidentified Data is not subject to the law.

• “Deidentified Data” includes any information that cannot be reasonably linked to, or be used to infer information about, a consumer or a specific device. A Controller that collects, retains, and/or processes Deidentified Data must:

o Take reasonable measures to maintain the information’s deidentified state (i.e., that it cannot be reasonably linked to a consumer);

o Publicly commits (i.e., places within the privacy policy) to maintain and use the information only in its deidentified state; and

o Enters into contracts with recipients of the Deidentified Data that requires such third parties to maintain its deidentified state.

• Additionally, the Consumer Data Protection Act exempts Pseudonymous Data from being subject to a consumer’s individual rights related to the law so long as the Controller can demonstrate that information needed to identify the consumer is separately kept and subject to effective technical and organizational controls preventing the Controller’s access to the identifying information. “Pseudonymous Data” includes any information that cannot be attributed to a specific person without the use of additional information so long as the identifying information is separately stored and subject to effective technical organizational measures to ensure the identifying information is not combined with the Pseudonymous Data.

• A Controller who discloses Deidentified Information or Pseudonymous Data must enter into a contract with the third party so the Controller can exercise reasonable oversight to ensure the information is kept in a deidentified or pseudonymous state.

• Under the Consumer Data Protection Act, a Controller must provide notice (likely in the form of a Privacy Policy) that is reasonably accessible, clear, and meaningful. Such notice must include the following information:

o Categories of Personal Data that is collected or processed;

o The purposes that the Personal Data is collected and processed for;

o How and where consumers may exercise their rights under the Consumer Data Protection Act, including contact information and information on how a consumer can appeal denials or such requests;

o Categories of Personal Data that is shared with third parties;

o Categories of third parties that Personal Data is shared with; and

o If selling or processing Personal Data for profiling or targeted advertising purposes, the Controller must clearly and conspicuously disclose such sale and processing, as well as the manner in which a consumer may opt out.

• The Consumer Data Protection Act provides the following individual rights to consumers:

o To opt out of the processing of Personal Data for the purposes of (i) targeted advertising; or (ii) profiling of the consumer in furtherance of decisions that produce legal, or similarly significant, effects on the consumer;

o To opt out of the sale of their Personal Data;

• Under an individual’s opt-out rights in relation to the sale of their Personal Data or target advertising, a Controller must provide a clear and conspicuous method for the individual to exercise that right. This means the right and method must be clearly and conspicuously posted in both the privacy policy and elsewhere (i.e., a dedicated, separate link). By 2024, Controller’s must implement a universal opt out option that allows an individual to exercise all of their opt out rights at the same time. However, regulations on such universal opt out are not promulgated yet.

• Once an individual has opted out, a Controller can obtain subsequent consent in order to override the opt out. That consent can be obtained through a web page, application, or other similar method so long as the individual is provided a clear and conspicuous notice that informs them of:

o The individual’s choices;

o The categories of Personal Data to be processed;

o The purposes for processing the Personal Data; and

o An explanation of how and where the consumer may withdraw consent in a way that is just as easy as it was to give consent (i.e., on the same web page).

• Opt In Consent

o Under the Consumer Data Protection Act, Controllers are prohibited from processing Sensitive Data without first obtaining the consumer’s consent.

• “Sensitive Data” includes:

o Personal data that reveals racial or ethnic origin, religion, mental or physical health, sex/sexual orientation, or citizenship status;

o Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;

o Personal data from a known child; and

o A consumer’s precise geolocation.

• Under the Consumer Data Protection Act, consumers have the right to opt out of both targeted advertising and profiling that results in decisions that produce legal, or similarly significant, effects on the consumer.

• “Targeted Advertising” includes any advertisement that is based on Personal Data obtained or inferred from the consumer activities across non-affiliated third party websites (i.e., not the Controller’s own website) or online services that predict consumer preferences. Target advertising does not include the following:

o Advertising based on consumer requests or feedback;

o Advertising based on activities within a Controller’s own website;

o Advertising based on the context of a consumer’s search inquiry, visit to a website or online application; or

o Processing of Personal Data solely to measure or report analytics.

• It is important to note here that cookies are likely Personal Data under the Consumer Data Protection Act. Personal Data includes information that may be reasonably linked or linkable to an individual. Because cookies related to an individual’s online behavior and activity (even in an aggregated state), cookies are reasonably linked or linkable to an individual.

• “Decisions that produce legal, or similarly significant, effects” includes any decision resulting in the denial or provision of financial services, housing, insurance, educational opportunity, criminal justice, employment, health care services, or access to essential goods and services. Practically, this means that a Controller who is processing Personal Data in any way related to providing or denying someone the items or services listed, will need to provide consumers the ability to opt out of such processing.

• As described above, a Controller must post in the privacy policy or notice details and sufficient information to allow a consumer to exercise their rights by submitting a request(s). The method provided must take into account (1) the ways in which a consumer normally interacts with the Controller, (2) the need for secure and reliable communication relating to the request, and (3) the ability of the Controller to authenticate the identity of the consumer making the request.

o The Controller is prohibited from requiring a consumer to create a new account in order to exercise a right under the Consumer Data Protection Act.

• The Consumer Data Protection Act provides the following individual rights to consumers:

o To opt out of the processing of Personal Data for the purposes of (i) targeted advertising; or (ii) profiling of the consumer in furtherance of decisions that produce legal, or similarly significant, effects on the consumer;

o To opt out of the sale of their Personal Data;

o To access Personal Data collected about them;

o To correct inaccurate Personal Data collected about them;

o To delete Personal Data collected about them; and

o To data portability.

• Right to Correction

o An individual’s right to request a correction is limited to inaccuracies, taking into account the nature of the data and the purposes of the processing of the individual’s Personal Data.

• Right to Data Portability

o In connection with access, individuals have the right to obtain their data in a portable (and to the extent technically feasible) readily usable format to allow the individual the ability to transmit the data to another entity. The right to data portability is limited in that individuals can only make such a request a maximum of two times per calendar year and such requests cannot include any data regarded as a trade secret.

• Controller Responses

o Under the Consumer Data Protection Act, a Controller must respond, with some action being taken, to an individual request (i.e., for access) no later than with 45 days of receiving the request. That timeline can be reasonably extended another 45 days if the request is numerous and complex; so long as the individual is informed of such extension. Controllers are prohibited from charging an individual for their first request. However, Controllers can charge a reasonable fee for a duplicate request that is within the same calendar year as the first request.

o Controller’s do not have to respond to individual requests if they are unable to authenticate the request after using commercially reasonable efforts to do so. Specifically, a Controller can request that the individual provide additional information that is reasonably needed to authenticate the request.

o Finally, Controllers must provide internal procedures and mechanisms allowing an individual to appeal a refusal to act within a reasonable period. The appeal procedures must be conspicuously available and as easy to use as the process for submitting requests in the first place. Such procedures must include an explanation of the individual’s right to contact the Colorado Attorney General if they have concerns.

• A Controller must conduct and document Data Protection Assessment if they are conducting certain (or having a Processor conduct them on their behalf). A Controller must comply with the Data Protection Assessment obligations if they are:

o Processing Personal Data for targeted advertising;

o Selling Personal Data

o Processing Personal Data for profiling that presents a reasonably foreseeable risk of:

 Financial harm,

 Unfair or deceptive treatment,

 Intrusion on the solitude or seclusion of private affairs (reasonable person standard), or

 Other substantial injury to the consumer;

o Processing Sensitive Data

o Any other processing involving Personal Data that presents heightened risk of harm to the consumer.

• The Consumer Data Protection Act also sets forth what such Data Protection Assessments must consist of. The Data Protection Assessments must identify and weigh the benefits of the processing against the potential risks that exist to the individual rights over the Personal Data. The Assessment should also factor in the existence or possibility of safeguards that mitigate the risks. Finally, the Assessment must factor in the possibility (or impracticality) of using de-identified data and what the individual’s reasonable expectations are based on the direct relationship with the Controller.

• The Data Protection Assessment must be made available to the Virginia Attorney General as so requested. Separate Assessments covering individual processing activities are not necessary. A single Assessment can be used to cover multiple, similar processing activities.

• Data mapping is the process by which Controllers connect the data of one model, server, or silo, with the information in another or multiple models, servers, or silos. There is no specific requirement for a Controller to conduct data mapping.

• However, practically, Controllers within the scope of the Colorado Privacy Act will need to conduct some form of data mapping in order to comply with various requirements under the law. For example, if a consumer requests the specific Personal Data that is collected about them and exercises their rights to access and data portability, a Controller will need to know exactly what they have collected about that consumer and where that information is. A Controller will not practically be able to do that without data mapping.

• Another example of where data mapping is practically required is if a Controller conducts Data Protection Assessment. To properly weigh the benefits and risks of information collection and processing, a Controller must know exactly how much information they are collecting and exactly where that information is stored and/or processed. Without data mapping, that task becomes extremely difficult.

• Under the Consumer Data Protection Act, Controllers can only retain Personal Data if such data is adequate, relevant, and limited to only what is necessary for the purposes specified to the individual in the privacy policy.

• Closely related to a Controller’s data minimization obligation, a Controller is prohibited from processing Personal Data for purposes outside of what is reasonably necessary for the purposes specified to the individual in the privacy policy. Processing and use of Personal Data outside of those within a privacy policy is only allowed if the Controller obtains consent from all affected individuals.

• In sum, if a Controller’s use of the Personal Data is not compatible with the expressed purposes and descriptions in the privacy policy, that Controller is in violation of the Consumer Data Protection Act.

• Under the Consumer Data Protection Act, Controller’s and Processor’s must enter into and adhere to specific written contracts in order to comply with the law. Specifically, the contract between the two parties must contemplate and provide that:

o Each person involved in processing is subject to a duty of confidentiality with respect to the Personal Data;

o At the Controller’s direction and option, for the Processor to delete or return Personal Data to the Controller at the end of services or contract term, unless retention of the Personal Data is required by law;

o Audit and review obligations that allow the Controller (or a qualified independent third party) to ensure the Processor’s compliance with the Consumer Data Protection Act and the contract, and that requires the Processor to contribute to such audits or reviews; and

o Only engage subcontractors pursuant to written contracts that set forth the same or heightened obligations on the subcontractor.

• Under the Consumer Data Protection Act, individuals have the right to opt out of the sale of their Personal Data. An action or disclosure is considered a “sale” if the Controller is exchanging Personal Data for monetary or other valuable consideration.

• An action or disclosure is not considered a “sale” if the Controller is disclosing Personal Data to:

o A Processor that processes the Personal Data on behalf of the Controller;

o A third party for purposes of providing a product or service request by the individual;

o To the Controller’s affiliate(s); or

o To a third party as an asset that is part of a merger, acquisition, etc.

• Under the Consumer Data Protection Act, a Processor includes any entity that processes Personal Data on behalf of a Controller. A Processor’s main obligation under the Consumer Data Protection Act is to reasonably assist the Controller comply with their obligations and to adhere to the Controller’s instructions. Specifically, a Processor must:

o Adopt “appropriate technical and organizational measures” to help the Controller respond to individual requests;

o Provide the Controller assistance with data breach notifications; and

o Assist and enable the Controller to conduct and document any Data Protection Assessments that might be required.

• Under the Consumer Data Protection Act, a Controller must take reasonable measures to secure Personal Data, during both storage and use, from unauthorized acquisition. Such security measures must be appropriate to the nature of the business, volume, scope, and nature of the Personal Data that is processed.

• There is no privacy right of action under the Consumer Data Protection Act. Under the Consumer Data Protection Act, the Virginia Attorney General has exclusive authority.

• If an entity can possibly cure their violation of the Consumer Data Protection Act, the Attorney General must issue a notice providing such entity 30 days to cure the violation. If the violation is not cured within 30 days, legal action can be taken. The Virginia Attorney General can seek injunctive relief and impose $7,500 penalties for each violation.