Virginia is For Privacy, Part 2

On March 2, 2021, Governor Ralph Northam of Virginia signed the Consumer Data Protection Act (CDPA) into law. As covered in Part 1 in this series, the CDPA will become effective on January 1, 2023 and require covered controllers to provide six new rights to Virginia consumers, including the right to confirm whether or not a controller is processing the consumer’s personal data and to access such data. Part 2 of this series investigates another new requirement under the CDPA.

In A Scandal in Bohemia, Sherlock Holmes noted that “[i]t is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.” A controller subject to the CDPA will commit a “capital mistake” if it engages in certain data processing activities before completing a data protection assessment (DPA). In A Case of Identity, Sherlock Holmes cautioned to “[n]ever trust to general impressions …, but concentrate yourself upon details.” This blog posting will focus on the specific facts and details of when controllers must complete DPAs under the CDPA and clear up any theories or mysteries about these new requirements.

What is a data protection assessment?

A DPA or data protection impact assessment (DPIA), the term used under the European Union’s General Data Protection Regulation (GDPR), is simply a process to help your company, as a controller, identify and minimize the data protection risks of a specific project. The CDPA notes that DPAs:

… identify and weigh the benefits that may flow, directly and indirectly, to all parties, including the controller, consumer, other stakeholders, and the public, from the processing of personal data against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

A DPA documents this balancing exercise by outlining how a controller identified and weighed the potential risks of processing personal data against the potential benefits of such processing. A single DPA may address a comparable set of processing operations that include similar activities. The CDPA specifically provides that a DPA that was conducted by a controller to comply with other laws or regulations, including GDPR, may be used if the DPA is reasonably comparable in scope and effect to those required under the CDPA.

What events trigger the requirement to complete a data protection assessment?

The CDPA requires controllers to conduct and document a DPA when engaged in the following processing activities involving personal data (collectively, Trigger Events):

1. The processing of personal data for purposes of targeted advertising;
2. The sale of personal data;
3. The processing of personal data for purposes of profiling if such profiling presents a reasonably foreseeable risk of the following: (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (b) financial, physical, or reputational injury to consumers; (c) a physical or other intrusion upon the solitude, seclusion, or private affairs or concerns of consumers where such intrusion would be offensive to a reasonable person; or (d) other substantial injury to consumers;
4. The processing of sensitive data; and
5. Any processing activities involving personal data that present a heightened risk of harm to consumers.

In A Case of Identity, Sherlock Holmes noted that “the little things are infinitely the most important.” This advice holds true when analyzing these new requirements. It is elementary for controllers to understand the following three key terms as they are used above: “targeted advertising,” “profiling,” and “sensitive data.”

As noted above, controllers will be required to complete a DPA if they plan to process personal data for purposes of targeted advertising. The term “targeted advertising” is defined under the CDPA as the display of any advertisement to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include the following:

1. Advertisements based on activities within a controller’s own websites or online applications;
2. Advertisements based on the context of a consumer’s current search query, visit to a website, or online application;
3. Advertisements directed to a consumer in response to the consumer’s request for information or feedback; or
4. Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

Controllers may also be required to complete a DPA if they intend to process personal data for purposes of profiling. The CDPA defines “profiling” as any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to the economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of any identified or identifiable natural person.

Sherlock Holmes was an outstanding criminal profiler, but he practiced his craft in the late 19th and early 20th centuries and without the help of today’s sophisticated technologies. Today, controllers may use profiling to, among other things, collect and analyze personal data on a large-scale using algorithms, AI, or machine-learning, identify associations to build linkages between different behaviors and attributes, create profiles for specific consumers, or predict a consumer’s behavior based on their assigned profiles.

Although these profiling practices can provide unique insight to controllers and tailored benefits to consumers, there are potential risks with these practices. Profiling is often invisible to consumers. As a result, consumers may not understand that their personal data may be used in this way, how the profiling process works, or that the process can adversely impact them. Since profiling can only make assumptions about a consumer’s behavior or other characteristics, there will always be a margin of error built into these processes.

Also, as noted above, controllers will need to complete DPAs when processing any sensitive personal data. The CDPA defines “sensitive data" as a category of personal data that includes the following:

1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
3. The personal data collected from a known child; or
4. Precise geolocation data.

Each of the Trigger Events present certain risks to consumers. The completion of a DPA helps controllers to identify, assess, and solve for these risks. Sherlock Holmes chastised Watson in A Scandal in Bohemia by noting that “[y]ou see, but you do not observe.” The DPA requirements force controllers to also take their investigations of their privacy practices to the next level and “do more than look at what’s in front of them - they must deduce.”

What else does a controller need to know about data protection assessments under the CDPA?

The CDPA does not require controllers to periodically provide a copy of any DPA to the Virginia Attorney General. However, the Attorney General may request, pursuant to a civil investigative demand, that a controller disclose any DPA that is relevant to an investigation being conducted by the Attorney General. The controller must, upon such request, make the DPA available to the Attorney General. The Attorney General may evaluate the DPA for compliance with the requirements prescribed under the CDPA.

Any DPA provided to the Attorney General pursuant to a civil investigative demand will be confidential and exempt from public inspection and copying under the Virginia Freedom of Information Act. The disclosure by a controller to the Attorney General will not constitute a waiver of attorney-client privilege or work product protection with respect to the DPA and any information contained in the DPA.

The DPA requirements under the CDPA will apply to processing activities created or generated after January 1, 2023. The requirements will not apply retroactively.

What should a controller do now to prepare for these new requirements?

In The Hound of the Baskervilles, Sherlock Holmes said that “[t]he past and the present are within my field of inquiry, but what a man may do in the future is a hard question to answer.” If your company will be subject to the CDPA in 2023, you may want to disprove the naysayers like Sherlock Holmes and begin developing your company’s CDPA compliance plan. Your company’s plan should solve for the new DPA requirements. The scene is easy to stage. Start with the cause, one of the Trigger Events, and then address the effect of such an event, the completion of a DPA. If your company has never completed a DPA, it may be time to pull out a microscope, do some sleuthing, and explore this process in more detail.