By Guy Cohen, Head of Policy at Privitar
On March 2nd the Governor of Virginia signed into law Virginia’s own Consumer Data Protection Act (CDPA). Nearly three years since California passed the CCPA, Virginia is now the second state to pass a comprehensive privacy bill. Virginia’s rapid passage highlights that privacy is a pressing issue nationwide.
At the start of the year it was Washington, on its third attempt, not Virginia, that was the frontrunner for being the next state law to pass. Virginia’s law is similar to Washington’s in many ways, but has perhaps learned from the challenges Washington faced. Whereas the failed 2020 Washington bill included a private right of action, Virginia’s law does not. Virginia’s law also has a reduced scope, excluding employee data, small businesses, and companies that don’t process a large amount of personal data, making the law less burdensome on businesses.
Many of the bills that followed the passage of the CCPA in 2019 used the CCPA as their model. Since then many, including the Washington bills and the California Privacy Rights Act that amended the CCPA last year, have built upon the CCPA, adding elements of the GDPR. The Virginia bill should be seen in this context. It’s similar, although not an exact match, in scope, potential fines, and the core rights and obligations it lays out to these other laws. The CDPA provides the right for consumers to opt out of the sale of their data, the right to be informed about how data about them is being processed, the right to access data about them, the right to correct inaccurate information about them, the right to have data about them transferred from one organization to another, and the right to have data about them deleted.
As much as the CDPA takes from existing laws, it also includes some novel ideas that appear to be aimed at reducing the burden on businesses where the risk is low. One example of this is the CDPA’s legal carve out for pseudonymous data.
Pseudonymous data is data that is about people, but where they cannot be identified without the use of additional information. Data can be made pseudonymous by replacing all direct identifiers, such as name, or social security number, with pseudonyms, or tokens, and then keeping the mapping between the original value and the token separately from the pseudonymous data. Importantly pseudonymous data, because it is still possible to re-identify those in the dataset, is still personal data, unlike anonymous or de-identified data which is not personal data and is therefore out of scope of the law.
Pseudonymization strikes a balance between protecting privacy and enabling data use. It reduces, but does not eliminate privacy risk, but retains analytical value, meaning pseudonymous data can still be used for secondary purposes such as analytics and machine learning, where the purpose is to learn about group behaviour and detect patterns rather than act on a specific individual.
The CDPA is not the first law to promote pseudonymization. The GDPR encourages organizations to pseudonymize data whenever possible. The CCPA incentivizes it as the private right of action does not apply to appropriately pseudonymized data that also doesn’t contain certain kinds of data, such as health data.
The CDPA makes a different significant carve out for pseudonymization, as the rights of the data subjects of access, deletion, correction, and portability do not apply to pseudonymous data. While the benefits for the organization are different (for the CCPA pseudonymization mitigates the risk of a private right of action and for the the CDPA it removes data from the scope of data subject rights and the compliance cost associated with them) both laws treat pseudonymization as the key safeguard when processing personal information.
The CDPA highlights the sustained and growing demand for privacy law across the US, and not just in California, New York, and Washington. Bills are also being reviewed in Florida, Oklahoma, Nebraska, Connecticut and other states too. We should expect to see more state laws pass. As they do, the case for a federal law with common national standards will build.
For those looking at evolving state laws and wondering where they may end up, the Virginia law continues the trend of laws starting with the CCPA, but moves closer to the GDPR. While states are not going to copy the GDPR entirely, aspects of it, such as the principles of data minimization and purpose limitation, and obligations on businesses, such as carrying out risk assessments, should be expected in future US laws too.
And finally, the Virginia law is notable for its elevation of pseudonymization. The Virginia law follows in the footsteps of the CCPA in treating pseudonymization as the key control to protect data subjects and minimize privacy risk, and reflects this in the reduced obligations for pseudonymous data. For organizations thinking about what controls to prioritize, pseudonymization is a good place to start.