Virginia has now passed the country’s second comprehensive consumer privacy law, so it’s time to pick up where we left off. In previous posts, we compared the then-merely-proposed Virginia Consumer Data Protection Act with the GDPR and CCPA. We compared the laws’ jargon, how they defined the all-important concept of “personal data,” and their overall scope. Today, we analyze how the now-passed CDPA treats a data controller’s privacy obligations and a data subject’s privacy rights when there is a contract between the controller and data subject. This is no mere academic question: it goes to the heart of whether privacy rights in Virginia will be one-size-fits-all, or whether companies and individuals can agree to define their own relationships when it comes to privacy rights.
Certain key consumer rights in the CDPA are “non-derogable.” That means that a consumer can’t waive privacy rights by contract: “Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to § 59.1-573 shall be deemed contrary to public policy and shall be void and unenforceable.” At first blush, this appears similar to the CCPA, which provides that “Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.” But these provisions differ in a key respect: The CCPA’s provision prevents parties from contracting around any aspect of the CCPA. In contrast, the Virginia CDPA only prevents companies and data subjects from contracting around the core data subject rights, like being able to ask what data about the consumer is being processed, to correct inaccuracies, to request deletion, or to opt-out of data sales, targeted advertising, or profiling. The CDPA seems to leave room for a data subject to waive other sorts of CDPA requirements, such as a data controller’s obligation to minimize data processing, limit processing to the purposes for which data was collected, or establish security procedures (to name just a few examples). Which means that the Virginia CDPA may give companies and data subjects much more leeway to arrive at their own agreements governing their respective rights and obligations. Put another way, the CCPA generally imposes hard-and-fast rules, whereas the CDPA sets default rules from which private parties can agree to depart, at least in certain respects.
In addition, the CDPA contains affirmative exceptions allowing data controllers to process data needed to perform a contract with a data subject. One provision states: “Nothing in this chapter shall be construed to restrict a controller's or processor's ability to: … Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract….” Another provision is similar: “The obligations imposed on controllers or processors under this chapter shall not restrict a controller's or processor's ability to collect, use, or retain data to: … Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.” The interpretation of these provisions—especially the syntactically complex and under-punctuated second provision—may be susceptible to debate. But they provide at least some additional leeway for companies and data subjects to define their respective rights and obligations by contract.
These “performance of contract” provisions can be surprisingly important if the European experience is any indication. Take, for example, a recent Austrian court decision concerning how contracts are treated under the GDPR. The GDPR requires you to have a “lawful basis” for processing personal data. One lawful-basis option is getting the data subject’s consent, but the GDPR’s consent concept is nuanced and tricky. Another lawful-basis option is performance of a contract: you can process personal data if it’s necessary to perform a contract with the data subject. The Austrian case was about the interplay of these two options: if you don’t have consent meeting the GDPR’s standards, but you do have a contract with the data subject that contemplates the processing, can you rely on the contract as your lawful basis? The Austrian court decided that you could. The contract doesn’t amount to consent, and it doesn’t directly override the GDPR’s consent requirement, but it does give data controller an alternative “lawful basis” for processing the data without consent. Of course, some European authorities have taken the contrary view.
Looking to the Virginia CDPA, it will be important to watch how the Virginia Attorney General and courts interpret the CDPA’s “performance of contract” provisions. If they adopt similar reasoning to that of the Austrian court, it will give data controllers and data subjects more freedom to enter into contracts customizing the parties' respective rights and obligations concerning personal data.
Next week, in the finale of this series, we’ll address perhaps the most important aspect of the CDPA: how does it define and treat “sales” of personal data?
In this series:
Part II: The Definition of Personal Data