Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), i.e., the California Privacy Rights Act (“CPRA”)). While CDPA has fairly broad exemptions for entities regulated by other laws, such as HIPAA, there is also a new “opt-in” requirement for collecting “sensitive data.”
Our sister blog goes into a more detailed discussion of the requirements under Virginia’s law. Here, we cover highlights of the law relevant to companies operating in the healthcare space.
Requirements for Collecting “Sensitive Data”
The CDPA requires “freely given, specific, informed, and unambiguous” consent (i.e., an opt-in requirement) in order for any entity or person to collect or process “sensitive data.” Among other itemized examples, “sensitive data” includes information revealing a mental or physical health diagnosis, as well as genetic or biometric data processed for the purpose of uniquely identifying a natural person. The CDPA’s definition generally aligns with the definition of sensitive data in the CPRA, which will create an “opt-out” requirement for sensitive data uses when it comes into effect in 2023.
In addition, the CDPA calls for the documentation of data protection assessments, similar to the European Union’s General Data Protection Regulation (“GDPR”). No such requirement exists under the CCPA. Assessments are required in a number of situations, including where sensitive data is processed. These assessments should identify and weigh the benefits of the data processing to the company, the consumer, other stakeholders, and the public against the potential risks to the consumer, as mitigated by safeguards that reduce those risks. The assessments apply to processing activities created or generated after January 1, 2023, and are not retroactive. Assessments must be made available to the Attorney General upon request, pursuant to an investigative civil demand.
While both the CDPA and the CCPA include multiple exemptions, the CDPA’s exemptions are broader than those in the CCPA. The CCPA largely exempts types of information governed by other regulated laws, but not the entities subject to those other laws altogether. In contrast, the CDPA’s exemptions cover all types of information held by enumerated categories of exempt entities including “covered entities” and “business associates” subject to HIPAA, as well as nonprofit entities.
In addition to exemptions at the entity level, the CDPA also provides several exemptions for types of information. Relevant to organizations in the healthcare space, the CDPA exempts:
- identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46;
- identifiable private information that is otherwise collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;
- the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in CDPA, or other research conducted in accordance with applicable law; and
- information derived from any of the health care-related information listed that is de-identified in accordance with HIPAA’s requirements for de-identification.
Enforcement and Penalties
Virginia’s law has no private right of action. The Attorney General has exclusive enforcement authority over the CDPA. Moreover, the AG is required to provide 30 days’ written notice to companies it believes are in violation of the law and an opportunity to cure prior to initiating any action. If the violation remains after that period, the AG may initiate an action and seek up to $7,500 in damages for each violation.
Entities subject to HIPAA may breathe a sigh of relief based on the CDPA’s broader exemptions. However, entities not regulated by HIPAA that nonetheless collect “sensitive data,” such as mental or physical health diagnosis information, should begin evaluating what steps to take to comply with the new requirements introduced by Virginia’s law, namely the requirement to obtain opt-in consent for collecting “sensitive data” and the need to conduct a data protection assessment.